Thanks to Jagadeesh Chandraiah and Ferenc László Nagy of SophosLabs for their technical assistance with this article.
SophosLabs just brought to our attention an item of malware of a sort you don’t often see these days.
It’s an Android virus, or more precisely, a worm, known as Andr/SlfMite-A.
(For all that we are saying “you don’t often see worms,” we did report on a short-lived Twitter worm just two weeks ago, but self-replicating malware is nevertheless fairly rare.)
Fifteen to twenty years ago, the malware scene was almost all about viruses and worms: although the internet was popular, only a small minority went online regularly, so malware couldn’t rely on sitting around in inboxes or on websites waiting to be clicked.
Viruses and worms had to make their own running, and they took the business of spreading into their own hands, automatically seeking out new files or computers to infect, or churning out emails with themselves as attachments or download links.
That’s how Andr/SlfMite-A gets around, though it sends itself in the form of an SMS containing a web link, rather than as a self-contained attachment.
So, if you allow yourself to get infected, you don’t just put yourself at risk, you immediately put your top 20 contacts at risk, too.
The virus immediately reads from your contact list, and sends each of the top 20 an SMS by name, like this:
The difference between the email viruses of yesteryear and today’s spam-driven malware is that the email viruses almost always came from someone you knew, and often from someone you trusted perfectly well.
That gave you much more reason to open the attachments or click on the links, even if you weren’t entirely sure how wise that was.
Andr/SlfMite-A is trying to take the same sort of advantage, relying on the mutual trust that often exists between Android-using contacts.
After all, you probably don’t routinely ignore SMSes from your friends, no matter how unusual the messages might look.
If you do click through to the link and install the app “recommended” by your friend, the cycle continues: you immediately SMS your top 20 contacts, and so on.
In theory, a virus like this could spread exponentially, with one victim in Generation One becoming 20 in Generation Two, 400 in Generation Three, and so on, with 20^(N-1) victims in Generation N.
In practice, of course, this never happens: many of the potential victims in each generation will delete the message, or ignore it, or have it blocked by their anti-virus.
Also, two friends are likely to be in each other’s top 20 contacts, so if you infect your friend, she’ll soon try to infect you back, which (if nothing else) ought to give you a hint that something is wrong.
Nevertheless, computer worms that spread via lists of friends can quickly produce a lot of traffic, and the volume alone can be troublesome.
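To make the two points above concrete (the idealised 20^(N-1) growth versus what happens when recipients ignore or block the message and friends overlap in each other’s contact lists), here is a small generation-by-generation model. It is an added example, not code from the article or from SophosLabs; the fan-out of 20 and the 20^(N-1) figure come from the article, while the social-circle contact graph, the circle size and the per-stage success probabilities are constructed assumptions for illustration only.

```python
"""Generation-by-generation spread model for a contact-list SMS worm.

Added illustration; not the article's or SophosLabs' code. Only the fan-out of
20 and the 20**(N-1) bound come from the article; everything else (contact
graph shape, circle size, stage probabilities) is a constructed assumption.
"""
import random

FANOUT = 20  # from the article: each victim texts its top 20 contacts


def theoretical_victims(generation):
    """The article's idealised figure: 20**(N-1) new victims in generation N."""
    if generation < 1:
        raise ValueError("generations are numbered from 1")
    return FANOUT ** (generation - 1)


def conversion_probability(stage_success):
    """Chance that one SMS recipient ends up infected.

    The article describes three stages that must all succeed (follow the link,
    download the app, install it), so the overall chance is the product of the
    per-stage success probabilities. The values passed in are assumptions, not
    measurements; a security app lowers each one.
    """
    p = 1.0
    for s in stage_success:
        if not 0.0 <= s <= 1.0:
            raise ValueError("probabilities must be in [0, 1]")
        p *= s
    return p


def build_contact_graph(population, circle_size, rng):
    """Constructed contact graph (an assumption, not real data).

    Phones are grouped into social circles and each phone's top-20 list is
    drawn from its own circle, so friends appear in each other's lists, which
    is the article's point that an infected friend soon tries to infect you back.
    """
    contacts = {}
    for phone in range(population):
        start = (phone // circle_size) * circle_size
        circle = [c for c in range(start, min(start + circle_size, population))
                  if c != phone]
        contacts[phone] = rng.sample(circle, min(FANOUT, len(circle)))
    return contacts


def simulate(contacts, p_convert, generations, rng, patient_zero=0):
    """Run the worm for `generations` rounds after patient zero.

    Returns one record per generation (numbered from 2, since generation 1 is
    patient zero) with the SMS traffic generated, how many of those messages
    went to phones that were already infected, and the new victims produced.
    """
    infected = {patient_zero}
    current = [patient_zero]  # victims that send SMSes this round
    history = []
    for gen in range(2, generations + 2):
        sent = to_already_infected = 0
        new_victims = []
        for victim in current:
            for target in contacts[victim]:
                sent += 1
                if target in infected:
                    to_already_infected += 1  # wasted, but still traffic
                    continue
                if rng.random() < p_convert:
                    infected.add(target)
                    new_victims.append(target)
        history.append({
            "generation": gen,
            "messages_sent": sent,
            "to_already_infected": to_already_infected,
            "new_victims": len(new_victims),
            "total_infected": len(infected),
        })
        current = new_victims
    return history


if __name__ == "__main__":
    rng = random.Random(2014)
    graph = build_contact_graph(population=10_000, circle_size=25, rng=rng)
    # Assumed per-stage odds: 40% click, 50% download, 30% install/not blocked.
    p = conversion_probability([0.4, 0.5, 0.3])
    for row in simulate(graph, p, generations=5, rng=rng):
        bound = theoretical_victims(row["generation"])
        print(f"gen {row['generation']}: sent {row['messages_sent']:>6} SMS, "
              f"{row['to_already_infected']:>5} to already-infected phones, "
              f"{row['new_victims']:>4} new victims (theory: {bound})")
```

Running the script with different `stage_success` values shows the practical effect of each blocked stage: the three probabilities multiply, so cutting any one of them to zero stops the chain, and even modest per-stage blocking keeps the real generation sizes far below 20^(N-1) while the SMS traffic volume still grows for a few rounds.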
The Andr/SlfMite-A virus doesn’t just spread, however.
While it’s texting all your friends, it’s also downloading an app onto your device.
The app we saw when we tested the virus seems to be a front end for Mobogenie, an Android app marketplace that positions itself as a mainstream alternative to Google’s Play Store.
The malware fetches its “payload” app via a goo.gl shortlink; in our tests, that link went through several redirections, meaning that the app that is foisted onto your Android could easily be changed, varying according to time, location, or even just the whim of the crooks.
Mobogenie is no stranger to controversy.
As Naked Security writer John Zorabedian wrote in April 2014, Mobogenie has been associated with so-called “drive-by installs” before, triggering numerous complaints and prompting the company to publish a statement on Google’s own Play Store:
Recently we have understood that some of our users have been troubled by the automatic download of Mobogenie on to their Android Phones.
While it has never been our intention to spam any user, we would like to apologise to them for the same. Having learnt that there was a technical issue with one of our promotional partners, we are trying our best to fix it at the earliest.
Team Mobogenie keeps a close eye on all its promotions, and recommends the download of Mobogenie application only from reliable sources such as Google Play, Mobogenie.com and other partner networks. We ensure that there shall be no more inconvenience caused to any Android user in future.
That assurance notwithstanding, today’s Play Store message states something that is similar yet slightly different:
Recently, it has come to our attention that some of our users have been troubled by spam from Mobogenie.
Although we have never intentionally distributed spam advertisements to our users, we would like to take this opportunity to apologise to all of you for any inconvenience this spam may have caused. Having now identified a technical issue with one of our promotional partners, we are currently trying our best to fix this problem as soon as possible.
It looks as though Mobogenie’s technical issues with promotional partners are ongoing.
What to do?
The silver lining to malware that spreads this way is that it uses a three-stage infection strategy, and all three stages have to succeed for the virus to work.
With a decent anti-virus and security app in place, that gives you a three-fold chance to win.
For example, here’s Sophos Free Anti-Virus and Security for Android in action:
Also, don’t forget that by sticking to the Google Play Store for your Android software downloads, you reduce the risk of being plagued by rogue apps of this sort.
The Play Store is not perfect, but Google applies at least some oversight to it, and has a mechanism that allows it to kill off apps retrospectively, zapping them even if you have already downloaded and installed them.
If there are alternative markets you would like or need to use, try enabling the “Allow installation of apps from unknown sources” option only when you actually need it, and turning it off afterwards.
The handy Security Advisor feature in Sophos Anti-Virus will remind you if you forget:
Lastly, why not take a look at our mobile security tips for keeping the crooks away?