Android market affected by SMS Trojans


According to a report by AegisLab, Android Market has been hit by another malware incident, with a number of SMS-sending Trojans published by unknown attackers. The incident was not as serious as the one in March when over 50 apps were affected by the Droid Dream malware, although any attack affecting Android Market should be regarded as very serious.

The latest batch of malicious applications purports to come from a legitimate Android developer, Zsone. However, it seems that the legitimate applications from the same developer carry a different version number from the malicious versions.

When one of the malicious applications is installed on the device, an SMS message will be sent to one of a range of premium rate numbers. The numbers are different depending on the application. The attack targets mobile devices in China since the SMS subscription service numbers used are only available from Chinese mobile network providers.

Sophos has received several applications with the SMS sending functionality, including iCalendar, iMine and iMatch. The malicious versions of the applications I have seen come with the version number 1.1.0.

The most interesting characteristic of the latest set of Trojanized applications is the fact that a special Broadcast receiver is used to inspect all new SMS messages received on the device.

If the application receives an SMS message from the number which was previously used to register the phone for services, the Broadcast receiver attempts to abort the broadcast using the abortBroadcast() method. This could prevent other SMS applications from processing the message.

The obvious intention of the code is to hide the fact that the device is receiving messages from subscription based services and make the user unaware that they have been losing money.
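As an added example (not code from the original post or from Sophos), this is a static triage check a defender could run over a decoded AndroidManifest.xml to flag the combination described above: permission to send SMS plus a receiver for incoming SMS that is ordered early enough to abort the broadcast before other apps see it. The sample manifest, the package and receiver names, and the priority threshold are constructed assumptions; the post does not say how the Trojans declared their receiver.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample (not from a real package), shaped like a manifest
# decoded from an APK. All names and values here are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calendar" android:versionName="1.1.0">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text, priority_threshold=1000):
    """Flag apps that can send SMS and can pre-empt incoming SMS delivery.

    priority_threshold is an assumed cut-off: a receiver at or above it is
    ordered ahead of ordinary receivers in the ordered SMS broadcast, which
    is what makes an abortBroadcast() call effective at hiding a message.
    """
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                priority = int(flt.get(ANDROID + "priority", "0"))
            except ValueError:  # e.g. a resource reference such as @integer/x
                priority = 0
            sms_receivers.append((receiver.get(ANDROID + "name"), priority))
    sends_sms = "android.permission.SEND_SMS" in perms
    can_preempt = any(p >= priority_threshold for _, p in sms_receivers)
    return {"sends_sms": sends_sms, "sms_receivers": sms_receivers,
            "suspicious": sends_sms and can_preempt}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A match is a reason to review the receiver's code, not a verdict: legitimate messaging apps declare the same permission and action.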

The latest Android incident shows that applications installed directly from the Google market could still be affected by malware.

In an ideal world, Android apps would not be allowed to be self-signed; only keys certified by trusted authorities would be accepted. Although this measure would not prevent malicious applications, it would help with tracing the originators of rogue apps.

Having two classes of applications, signed by certified keys and self-signed, would allow developers of Android OS to limit the capabilities available to self-signed applications. For example, self-signed apps should not be able to send SMS messages. Perhaps this measure would not be a silver bullet but it would certainly be a welcome sign that Google is taking Android security more seriously.

Sophos products are detecting malicious SMS sending Android applications as Andr/AdSMS.


7 Responses to Android market affected by SMS Trojans

  1. Sheri · 1609 days ago

    I don't understand this article. Can you summarize in easier to understand terms? And what are steps to take to fix or make sure we don't develop any malware on our Android Phones?

    • Vanja Svajcer · 1608 days ago

      Hmm, let me try to summarize. Somebody modified a set of applications to include code that silently subscribes your phone to SMS services. For example, in Croatia, where I live, you can subscribe to receive weekly ringing tones or "Joke of the day" but the recipient of the message always pays for the message and is "subscribed" until they cancel the subscription.

      It is very similar with the latest set of Trojans for Android, but everything happens silently in the background so that you as the user cannot easily notice it. Your device starts receiving these messages and they end up in your bill and if you are not careful, you will keep on paying without noticing. Bad guys win - they make money from infecting your phone.

      You should consider a few factors before you install a new app on your device. If you are installing from trusted markets, and I would include Google Android Market and Amazon into that group, make sure you check the reviews and the number of downloads. If the app has a lot of downloads and positive reviews you should be able to increase your level of trust in it.

      I would not install Android apps from an untrusted source such as user forums or file sharing sites. Applications that are allegedly cracked represent an increased risk of infection.

      I would also recommend installing an anti-virus app which will check every package you install against a list of known bad packages and block the installation if a bad app is found. This is recommended for all users, but especially if you do not consider yourself very technical. There are several popular free anti-virus products for Android and I would suggest you look on Android Market to find one that will suit you.

  2. I have Lookout on my android phone. Will this stop trojans?

    • Vanja Svajcer · 1608 days ago

      I am fairly sure that guys from Lookout also have these samples so I expect the detection will be included in the next Lookout update. It may be worth checking directly with them.

  3. Go ahead and get your laughs. Just remember the user has to disable a security lock, then find, download and install the rogue app, followed by ignoring the fact a media player wants access to your SMS. There is little difference than a jailbroken iPhone user getting burnt when trying to pirate apps. Both of these are advanced users going off road.

    The biggest risk with any phone or computer is always the pink squishy thing using it.

  4. Klaus · 1609 days ago

    I think I remain a very happy Symbian^3 (Nokia N8) user :-)

  5. Marco Liebermann · 1330 days ago

    Today 17/2/12 I have detected the trojan.AndroidOS sms.send.247 in my Android smartphone thanks to Zoner antivirus. The trojan infected an Android-market program named TNM calc from Ricardo Agoglia


About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.