Sophos Cloud Optix
The plot of the Android malware story thickens. SophosLabs has discovered the latest way to monetize mobile malware, using it as a spam botnet.
Historically mobile malware has made money from capturing SMS messages used for online banking authentication and sending premium-rate SMS messages to collect the subscription fees.
The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!’s free mail service and contain correct headers and DKIM signatures.
The first samples we analyzed were text only, but some other samples also contain images. An example pharmacy spam reads:
Incredible National Rx Store
Now offering medications for Weight Loss, Diabetics, Pain Reduction!!!
Reduced Prescription's
Viagra+Cialis Super Active, Alprazolam, Vicodin etc...
Pick Up You're Meds for 75% Off TodaySent from Yahoo! Mail on Android
Some of the image spams not only have a graphic, but an animated one!
You can imagine the cellular phone bill you might receive if your phone is being used to download and spam out thousands of these messages.
Even if you thought you were going to buy some counterfeit Viagra from criminals because you are too embarrassed to see your physician, it is still a classic bait and switch. The URL leads to a knock-off “herbal Viagra” the performs miracles with no side effects.
It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia.
The widespread nature of source devices is unusual as most Android malware is not downloaded from Google Play, but localized “off market” download sites.
Android users should exercise caution when downloading applications for their devices and definitely avoid downloading pirated programs from unofficial sources. Google, Amazon and others may not be perfect at keeping malware off of their stores, but the risk increases dramatically outside of their ecosystems.
Considering the risks, why not give Sophos Mobile Security for Android a try? It’s free and also allows you to track your device if it is lost or stolen. You can find it on Google Play.
Update: It is important to note that we do not have the malware, so it is not confirmed that it originates from Android devices. For more information read our follow up with all of the details.
Special thanks to Savio Lau at SophosLabs Vancouver for spotting this spam and performing the research necessary for this post.
Seeing as all of the Yahoo! email accounts are in the same format, it's more likely the Yahoo! Android account creation API has been circumvented to allow account creation. Not entirely convinced these are actually being sent by Android devices.
Could you give me this virus?
Because I want to analysis it .
Thank you very much.
If you work for a legitimate anti-virus vendor, please contact our labs via the usual channels. Thanks!