Thanks to Jagadeesh Chandraiah and Ferenc László Nagy of SophosLabs for their technical assistance with this article.
SophosLabs just brought to our attention an item of malware of a sort you don’t often see these days.
It’s an Android virus, or more precisely, a worm, known as Andr/SlfMite-A.
(For all that we are saying “you don’t often see worms,” we did report on a short-lived Twitter worm just two weeks ago, but self-replicating malware is nevertheless fairly rare.)
Fifteen to twenty years ago, the malware scene was almost all about viruses and worms: although the internet was popular, only a small minority went online regularly, so malware couldn’t rely on sitting around in inboxes or on websites waiting to be clicked.
Viruses and worms had to make their own running, and they took the business of spreading into their own hands, automatically seeking out new files or computers to infect, or churning out emails with themselves as attachments or download links.
That’s how Andr/SlfMite-A gets around, though it sends itself in the form of an SMS containing a web link, rather than as a self-contained attachment.
So, if you allow yourself to get infected, you don’t just put yourself at risk, you immediately put your top 20 contacts at risk, too.
The virus immediately reads from your contact list, and sends each of the top 20 an SMS by name, like this:
The difference between the email viruses of yesteryear and today’s spam-driven malware is that the email viruses almost always came from someone you knew, and often from someone you trusted perfectly well.
That gave you much more reason to open the attachments or click on the links, even if you weren’t entirely sure how wise that was.
Andr/SlfMite-A is trying to take the same sort of advantage, relying on the mutual trust that often exists between Android-using contacts.
After all, you probably don’t routinely ignore SMSes from your friends, no matter how unusual the messages might look.
If you do click through to the link and install the app “recommended” by your friend, the cycle continues: you immediately SMS your top 20 contacts, and so on.
In theory, a virus like this could spread exponentially, with one victim in Generation One becoming 20 in Generation Two, 400 in Generation Three, and so on, with 20^(N-1) victims in Generation N.
In practice, of course, this never happens: many of the potential victims in each generation will delete the message, or ignore it, or have it blocked by their anti-virus.
Also, two friends are likely to be in each other’s top 20 contacts, so if you infect your friend, she’ll soon try to infect you back, which (if nothing else) ought to give you a hint that something is wrong.
Nevertheless, computer worms that spread via lists of friends can quickly produce a lot of traffic, and the volume alone can be troublesome.
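To put numbers on the theory-versus-practice argument above, here is a toy model written for this article (it is not SophosLabs’ analysis code, and every phone count, click rate and random seed in it is a constructed assumption). It compares the 20^(N-1) count with what a random contact graph, a per-recipient chance of installing, and friends who sit in each other’s top 20 actually produce:

```python
"""Toy model of the contact-list spread discussed above (added example for
this article, not SophosLabs code; every size, rate and seed is constructed).
Each phone has a ranked contact list; an infected phone messages its top FANOUT
contacts once, a recipient installs with probability p_click (the rest delete,
ignore or are blocked), and an already-infected phone ignores a friend's copy."""
import random

FANOUT = 20

def theoretical_victims(generation: int, fanout: int = FANOUT) -> int:
    """Victims in generation N if every message succeeded: fanout^(N-1)."""
    return fanout ** (generation - 1)

def build_contact_graph(n_phones: int, fanout: int, seed: int) -> dict:
    """Constructed social graph: each phone's top contacts are a random sample."""
    rng = random.Random(seed)
    phones = range(n_phones)
    return {p: rng.sample([o for o in phones if o != p], fanout) for p in phones}

def simulate(contacts: dict, p_click: float, seed: int, max_gen: int = 10):
    """Run the worm generation by generation from phone 0. Returns the victim
    count per generation and how many messages landed on phones that were
    already infected (the 'infect you back' case the article mentions)."""
    rng = random.Random(seed)
    infected, current, history, bounced = {0}, [0], [1], 0
    for _ in range(max_gen):
        new = []
        for victim in current:
            for friend in contacts[victim]:
                if friend in infected:
                    bounced += 1          # friend already has it: a tell-tale sign
                elif rng.random() < p_click:
                    infected.add(friend)  # recipient clicked the link and installed
                    new.append(friend)
        if not new:
            break                         # the chain died out
        history.append(len(new))
        current = new
    return history, bounced

def run_outbreak(n_phones: int = 2000, p_click: float = 0.1, seed: int = 1):
    """Build a constructed graph, seed the worm on phone 0 and run it."""
    return simulate(build_contact_graph(n_phones, FANOUT, seed), p_click, seed)

if __name__ == "__main__":
    history, bounced = run_outbreak()
    for gen, victims in enumerate(history, start=1):
        print(f"gen {gen}: theory {theoretical_victims(gen):>10}  model {victims}")
    print(f"messages that bounced off already-infected phones: {bounced}")
```

Lowering p_click or shrinking n_phones shows the chain dying out within a few generations, while the bounced count shows how soon an infected user starts receiving the worm back from their own friends.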
The Andr/SlfMite-A virus doesn’t just spread, however.
While it’s texting all your friends, it’s also downloading an app onto your device.
The app we saw when we tested the virus seems to be a front end for Mobogenie, an Android app marketplace that positions itself as a mainstream alternative to Google’s Play Store.
→ The malware fetches its “payload” app via a goo.gl shortlink; in our tests, that link went through several redirections, meaning that the app that is foisted onto your Android could easily be changed, varying according to time, location, or even just the whim of the crooks.
Mobogenie is no stranger to controversy.
As Naked Security writer John Zorabedian wrote in April 2014, Mobogenie has been associated with so-called “drive-by installs” before, triggering numerous complaints and prompting the company to publish a statement on Google’s own Play Store:
Recently we have understood that some of our users have been troubled by the automatic download of Mobogenie on to their Android Phones.
While it has never been our intention to spam any user, we would like to apologise to them for the same. Having learnt that there was a technical issue with one of our promotional partners, we are trying our best to fix it at the earliest.
Team Mobogenie keeps a close eye on all its promotions, and recommends the download of Mobogenie application only from reliable sources such as Google Play, Mobogenie.com and other partner networks. We ensure that there shall be no more inconvenience caused to any Android user in future.
That assurance notwithstanding, today’s Play Store message states something that is similar yet slightly different:
Recently, it has come to our attention that some of our users have been troubled by spam from Mobogenie.
Although we have never intentionally distributed spam advertisements to our users, we would like to take this opportunity to apologise to all of you for any inconvenience this spam may have caused. Having now identified a technical issue with one of our promotional partners, we are currently trying our best to fix this problem as soon as possible.
It looks as though Mobogenie’s technical issues with promotional partners are ongoing.
What to do?
The silver lining to malware that spreads this way is that it uses a three-stage infection strategy, and all three stages have to succeed for the virus to work.
With a decent anti-virus and security app in place, that gives you a three-fold chance to win.
For example, here’s Sophos Free Anti-Virus and Security for Android in action:
Also, don’t forget that by sticking to the Google Play Store for your Android software downloads, you reduce the risk of being plagued by rogue apps of this sort.
The Play Store is not perfect, but Google applies at least some oversight to it, and has a mechanism that allows it to kill off apps retrospectively, zapping them even if you have already downloaded and installed them.
If there are alternative markets you would like or need to use, try enabling the Allow installation of apps from unknown sources option only when you actually need it, and turning it off afterwards.
The handy Security Advisor feature in Sophos Anti-Virus will remind you if you forget:
Lastly, why not take a look at our mobile security tips for keeping the crooks away?
11 comments on “Anatomy of an Android SMS virus – watch out for text messages, even from your friends!”
Just the type of reason I need to steer clear of so called market leaders like Android… I just interact with my core friends & family via usual social media, & as much of that as possible via mobile web (not apps); & over wifi not mobile data – WP8 works fine; running costs are minimised; & security maintained. Not rocket science. It’s the incessant obsession with apps that allows crooks & spammers & advertisers to keep up their plagues!
Um. You *are* aware that WP is just as susceptible to attacks like this, right? With the latest WP OS being app-oriented, it’s just as important to have an anti-virus program on there as it is on any other device these days. Even web surfing on phones and tablets these days can open you up to virii and malware similar to computers.
Nice article, though the title should have been “SMS Worm” instead of “virus”; this isn’t exactly a virus, is it?
This is indeed “exactly” a virus. And, as I was careful to point out, it is also a worm.
Worms are a subset of viruses are a subset of all malware.
The set of viruses can be split very loosely into two main subcategories: parasitics, which cannot work on their own and need a host file to infect and act as a carrier, and worms, which are self-contained and therefore act as their own host.
All other things being equal, worms are easier to disinfect than viruses, because there is no original host file to restore (and in many cases, parasitic viruses infect “lossily,” in other words, there is no way to remove the fly and be sure you have left behind only ointment).
You will hear some people insisting that viruses and worms are disjoint sets. You may ignore them. In fact, you may need to ignore them – some of them will spend a lonnnnnnng time trying to convince you they are right.
Great article!!! Thank you very much!
I’m curious to know, is there a possibility that the virus sends a msg to my contacts without leaving a trace in my msg inbox?
Or will I be able to see it being sent to my contacts in my msg inbox?
Your help is very much appreciated.
I think the answer is, “It depends.”
If the virus can send the message without using your regular messaging app, it might not show up anywhere. Or the malware might be able not only to send but also to delete messages…just like you can by using the regular app.
Hi Paul, I think I have this worm!! I get ads attached to only texts I receive from my mother. She cannot see them. I sent her a screen shot of her messages with these attachments and she asked her provider about it. They told her that it was actually a problem with my phone. How can it be removed without damaging anything I have stored? Thanks!
If it’s ads added to her messages, it could be some “ad-supported” messaging app or addon she’s installed without realising it. The thing to check is whether other people she sends messages to get ads from her. My first guess would not be an issue with your phone, if it’s her phone that seems to be generating the augmented messages.
Has she tried running an anti-virus, e.g. Sophos Free Anti-Virus and Security for Android?
If you receive a text from a fraudulent source and you open it to view the text, can clicking to open the message download a virus?
Guess this virus/worm is still floating around since my Android seems to have picked it up yesterday. Was researching and found this older article but still seems to apply today. Downloading Sophos Anti-Virus next. Thanks for the article!!!