Android Trojan Used To Create Simple SMS Spam Botnet

Sun, Dec 16, 2012 by Andrew Conway

A new crop of trojan mobile applications is demonstrating simple mobile botnet behavior, leveraging infected handsets to spread spam and invitations for other users to download the infected apps. This new evolution of malicious mobile applications is presently being monitored by the Cloudmark mobile security research team, which has been investigating a strong uptick in mobile-originated spam over the past week.

A random invitation received via SMS to download a free version of a popular Android game like The Need for Speed Most Wanted or Angry Birds Star Wars may seem enticing, but as your intuition may hint, the offer is often too good to be true. If you do download this “spamvertised” application and install it on your Android handset, you may be unknowingly loading malicious software onto your phone that will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author. In the case of this latest batch of SMS-sending malware that the Cloudmark Research team has been monitoring, your phone will be used to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server. You better have an unlimited message plan or your phone bill may come as a bit of a shock.

The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games including the ones I mentioned.

Don’t do it!

Of course you have to jump through some hoops to install an Android app from a random web site rather than Google Play.

Don’t do this, either

Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages, but not many people read the fine print when installing Android applications.

Once installed, the trojan initiates a connection to a command and control server. The C&C server replies with both a list of spam target phone numbers and the message payload to deliver. After the payload is retrieved, the application duly starts SMS spamming, reporting back to the C&C server on each message sent.

The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers. The application reloads automatically after a reboot as it installs itself as a service on the handset.
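The timings above leave a recognisable trace in a carrier's mobile-originated SMS records. The following detector is an added example, not code from Cloudmark or from the malware: it flags handsets that send runs of identical messages to distinct recipients at roughly 1.3-second spacing. The record layout `(sender, timestamp, recipient, body)`, the `TOLERANCE` and `MIN_BURST` thresholds, and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict

SEND_GAP = 1.3    # seconds between messages, from the write-up
POLL_GAP = 65.0   # seconds between C&C check-ins, from the write-up
TOLERANCE = 0.5   # assumption: allowed jitter around SEND_GAP, in seconds
MIN_BURST = 20    # assumption: shortest run worth flagging (batches are ~50)

def find_bursts(records):
    """Split one sender's (timestamp, recipient, body) records into runs of
    identical bodies whose consecutive gaps stay close to SEND_GAP."""
    records = sorted(records)
    bursts, current = [], [records[0]]
    for prev, cur in zip(records, records[1:]):
        steady = abs((cur[0] - prev[0]) - SEND_GAP) <= TOLERANCE
        if steady and cur[2] == prev[2]:
            current.append(cur)
        else:
            bursts.append(current)
            current = [cur]
    bursts.append(current)
    return bursts

def suspicious_senders(log):
    """Map each flagged sender to the sizes of its machine-paced bursts:
    MIN_BURST or more identical messages, each to a different recipient."""
    by_sender = defaultdict(list)
    for sender, ts, recipient, body in log:
        by_sender[sender].append((ts, recipient, body))
    flagged = {}
    for sender, records in by_sender.items():
        sizes = [len(b) for b in find_bursts(records)
                 if len(b) >= MIN_BURST and len({r for _, r, _ in b}) == len(b)]
        if sizes:
            flagged[sender] = sizes
    return flagged

def build_sample_log():
    """Constructed records: one handset behaving as described, one person
    texting five friends, one ordinary user. Numbers are fictional."""
    log, t = [], 0.0
    for batch in range(2):                      # two batches of fifty
        for i in range(50):
            rcpt = f"+12025550{100 + batch * 50 + i}"
            log.append(("handset-A", t, rcpt, "SAMPLE SPAM BODY"))
            t += SEND_GAP
        t += POLL_GAP                           # assumed idle time until next batch
    for i in range(5):                          # short human group text
        log.append(("handset-B", 10 + i * 1.2, f"+1202555019{i}", "party at 8"))
    log += [("handset-C", 30.0, "+12025550150", "on my way"),
            ("handset-C", 95.0, "+12025550150", "here")]
    return log

if __name__ == "__main__":
    for sender, sizes in suspicious_senders(build_sample_log()).items():
        print(sender, "sent machine-paced bursts of", sizes)
```

Fifty messages at 1.3 seconds each take 65 seconds, so on real traffic consecutive batches may run together into one longer burst; the detector flags that case as well, since it only requires a minimum run length.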

We first saw this spammer on October 26th, when the trojan claimed to be anti SMS spam software!

Tired of SMS Spam? Download our free SMS Blocker today to finally rid yourself of unwanted messages! Download now at http://[redacted].com

That attack only lasted one day. Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell. The spammer came back on November 10th, with the free games scam which simply attempts to get the botnet to spread:

Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at http://[redacted].mobi for next 24hrs only!

On November 28 the spammer decided to start monetizing. The free game messages continued, but there were also free gift card scam messages mixed in. This is a fairly common sort of SMS spam:

You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!

Of course, there are not really any free gift cards; this is just a trick to collect your personal information for affiliate programs and sometimes identity theft.

This stayed as a fairly low volume attack until the end of the week before last, when the spammer decided to ramp up his activities. For a couple of days we saw growth rates of 80% per day, with a peak rate of over half a million SMS messages per day.

To date, the following Trojan apps have been identified:


These URLs have been used for malware distribution:


These URLs have been used by the C&C server:

  • l0rdzs0ldierz.com
  • imperialistic.mobi

Compared with PC botnets, this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down. Please help prevent this from becoming a major problem:

  • Only install Android apps from Google Play
  • When you receive SMS spam, forward it to 7726

Share this with your friends and family, and together we can prevent Android botnets.

We’re continuing to monitor this attack and will update the blog with any breaking news.

 
