Android Trojan Used To Create Simple SMS Spam Botnet
Sun, Dec 16, 2012 by Andrew Conway
A new crop of trojan mobile applications are demonstrating simple mobile botnet behavior, leveraging infected handsets to spread spam and invitations for other users to download the infected apps. This new evolution of malicious mobile applications is presently being monitored by the Cloudmark mobile security research team who had been investigating a strong uptick in mobile originated spam over the past week.
A random invitation received via SMS to download a free version of a popular Android game like The Need for Speed Most Wanted or Angry Birds Star Wars may seem enticing, but as your intuition may hint the offer is often times too good to be true. If you do download this “spamvertised” application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author. In the case of this latest batch of SMS sending malware that the Cloudmark Research team has been monitoring, your phone will be used to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server. You better have an unlimited message plan or your phone bill may come as a bit of a shock.
The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games including the ones I mentioned.
Don’t do it!
Of course you have to jump through some hoops to install an Android app from a random web site rather than Google Play.
Don’t do this, either
Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages, but not many people read the fine print when installing Android applications.
Once installed, the trojan initiates a connection to a command and control server. The C&C server replies with both a list of spam target phone numbers as well as the message payload to deliver. After the payload is retrieved the application would duly start SMS spamming, reporting back to the C&C server on each message sent.
The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers. The application reloads automatically after a reboot as it installs itself as a service on the handset.
We first saw this spammer on October 26th, when the trojan claimed to be anti SMS spam software!
Tired of SMS Spam? Download our free SMS Blocker today to finally rid yourself of unwanted messages! Download now at http://[redacted].com
That attack only lasted one day. Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell. The spammer came back on November 10th, with the free games scam which simply attempts to get the botnet to spread:
Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at http://[redacted].mobi for next 24hrs only!
On November 28 the spammer decided to start monetizing. The free game messages continued, but there were also free gift card scam messages mixed in. This is a fairly common sort of SMS spam:
You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!
Of course, there are not really any free gift cards, this is just a trick to collect your personal information for affiliate programs and sometimes identity theft.
This stayed as a fairly low volume attack until the end of the week before last, when the spammer decided to ramp up his activities. For a couple of days we saw growth rates of 80% per day, with a peak rate of over half a million SMS messages per day.
To date, the following Trojan apps have been identified:
- needforspeed.apk MD5 = 2e78f497c3b21eed5f303f3bc6740c17
- needforspeed.apk MD5 = bb5cf7c1d7708611fa4a4c5d5b7de9ba
- maxpayne.apk MD5 = 916ae10046bb3c2867ea8bf7da3277bc
- angrybirdstarwarshd.apk MD5 = 86e3fb0e8ca9d562beb714246bf2a2a8
- gta3game.apk MD5 = 86baa16d3e564874fce8546ed02adc67
- grandtheftauto.apk MD5 = 220a24a3f48f5e4897fa4a089df7c284
- angrybirdstarwarsl.apk MD5 = 86e3fb0e8ca9d562beb714246bf2a2a8
- grandtheftauto3l.apk MD5 = 74a87681a0941764f178dc651ee58646
- grandtheftautovicecityl.apk MD5 = 989c0a24f7a2a8153c6cef6061a975c9
- needforspeedl.apk.zip MD5 = cb212a715b6887610bc08c2ff203cd84
These URLs have been used for malware distribution:
- newestgames.mobi
- gamerpalace.mobi
- trendingoffers.com
- holyoffers.com
- gamehaven.mobi
- game-haven.mobi
- freshoffers.mobi
These URLs have been used by the C&C server
- l0rdzs0ldierz.com
- imperialistic.mobi
Compared with PC botnets this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more more complex attacks that are harder to take down. Please help prevent this from becoming a major problem:
- Only install Android apps from Google Play
- When you receive SMS spam, forward it to 7726
Share this with your friends and family, and together we can prevent Android botnets.
We’re continuing to monitor this attack and will update the blog with any breaking news.
Sunday, December 16, 2012 at 17:24 PDT
[...] the article: Cloudmark Blog | Android Trojan Used To Create Simple SMS … Поделиться в соц. сетях (function(d, s, id) { [...]
Tuesday, December 18, 2012 at 07:41 PDT
[...] Conway, ingeniero de Cloudmark, asegura en un post que los operadores todavía están estudiando la manera de tratar con esto que “es bastante [...]
Tuesday, December 18, 2012 at 07:46 PDT
[...] Conway, ingeniero de Cloudmark, asegura en un post que los operadores todavía están estudiando la manera de tratar con esto que “es bastante [...]
Tuesday, December 18, 2012 at 10:36 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 10:43 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 11:14 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 13:41 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 14:04 PDT
[...] http://blog.cloudmark.com/2012/12/16/android-trojan-used-to-create-simple-sms-spam-botnet/ for additional information… Share this:TwitterFacebookLike this:LikeBe the first to like [...]
Tuesday, December 18, 2012 at 14:17 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 14:43 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 14:49 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 15:55 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 16:33 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 17:22 PDT
[...] with PC botnets, this was an unsophisticated attack, » wrote Andrew Conway, a security researcher at Cloudmark. « However, this sort of attack changes the [...]
Tuesday, December 18, 2012 at 17:34 PDT
[...] with PC botnets, this was an unsophisticated attack,” wrote Andrew Conway, a security researcher at Cloudmark. “However, this sort of attack changes the economics of [...]
Tuesday, December 18, 2012 at 21:32 PDT
[...] with PC botnets, this was an unsophisticated attack,” wrote Andrew Conway, a security researcher at Cloudmark. “However, this sort of attack changes the economics of [...]
Tuesday, December 18, 2012 at 22:36 PDT
[...] The first stage of the campaign to recruit phones to act as spam relays. It involved sending out thousands of messages supposedly offering people free versions of popular Android games, said network security firm Cloudmark in an analysis of the SpamSoldier attack. [...]
Tuesday, December 18, 2012 at 23:35 PDT
[...] with PC botnets, this was an unsophisticated attack,” wrote Andrew Conway, a security researcher at Cloudmark. “However, this sort of attack changes the economics of [...]
Wednesday, December 19, 2012 at 00:11 PDT
[...] Cloudmark report here [...]
Wednesday, December 19, 2012 at 01:54 PDT
[...] site in Hong Kong, and consequentially began to spread. But now, experts such as Android Conway of Cloudmark Security are saying that the botnet is spreading, and sometimes posing as an anti-spam blocker. The app is [...]
Wednesday, December 19, 2012 at 05:37 PDT
[...] The infected malware, known as SpamSoldier, has been hiding in free versions of popular Android games, such as the chart-topping Angry Birds, according to security company, Cloudmark. [...]
Wednesday, December 19, 2012 at 05:53 PDT
[...] was « an unsophisticated attack, » Andrew Conway, a security researcher with Cloudmark, wrote on the company blog Dec. 16. An SMS message offering free games or other scams tricks users [...]
Wednesday, December 19, 2012 at 06:03 PDT
[...] The infected malware, known as SpamSoldier, has been hiding in free versions of popular Android games, such as the chart-topping Angry Birds, according to security company, Cloudmark. [...]
Wednesday, December 19, 2012 at 10:12 PDT
[...] 28 November the spammer decided to start monetizing,” Conway explained in a blog post on the SpamSoldier threat. “The free game messages continued, but there were also free gift [...]
Wednesday, December 19, 2012 at 14:45 PDT
[...] The infected malware, known as SpamSoldier, has been hiding in free versions of popular Android games, such as the chart-topping Angry Birds, according to security company, Cloudmark. [...]
Wednesday, December 19, 2012 at 14:57 PDT
[...] 28 November the spammer decided to start monetizing,” Conway explained in a blog post on the SpamSoldier threat. “The free game messages continued, but there were also free gift [...]
Wednesday, December 19, 2012 at 15:02 PDT
[...] blog de Cloudmark Partagez notre page [...]
Wednesday, December 19, 2012 at 16:56 PDT
[...] The infected malware, known as SpamSoldier, has been hiding in free versions of popular Android games, such as the chart-topping Angry Birds, according to security company, Cloudmark. [...]
Wednesday, December 19, 2012 at 17:51 PDT
[...] “You better have an unlimited message plan or your phone bill may come as a bit of a shock,” Cloudmark said in a statement. [...]
Wednesday, December 19, 2012 at 17:53 PDT
[...] blog de [...]
Wednesday, December 19, 2012 at 19:48 PDT
[...] of your mobile phone for the benefit of the malware’s author,” according to an overview of the malwarewritten by Cloudmark lead software engineer Andrew [...]
Wednesday, December 19, 2012 at 20:29 PDT
[...] On December 20, 2012, in Game News & Reviews, by admin In a report released last Sunday, the network security firm Cloudmark identified a number of malicious mobile [...]
Wednesday, December 19, 2012 at 20:29 PDT
[...] 28 November the spammer decided to start monetizing,” Conway explained in a blog post on the SpamSoldier threat. “The free game messages continued, but there were also free gift [...]
Thursday, December 20, 2012 at 00:46 PDT
[...] Botnets, Mobile, SMS / Texting, SMS Fraud. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own [...]
Thursday, December 20, 2012 at 10:49 PDT
[...] [via Cloudmark] [...]
Saturday, December 22, 2012 at 18:29 PDT
[...] a report released last Sunday, the network security firm Cloudmark identified a number of malicious mobile [...]
Sunday, December 23, 2012 at 09:28 PDT
[...] εταιρεία Cloudmark προειδοποίησε πρόσφατα για τον «δούρειο ίππο» Pikspam, o oποίος [...]
Sunday, December 23, 2012 at 10:34 PDT
[...] According to security expert Andrew Conway, the malicious software is set up to use infected devices “to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server.” (Source: cloudmark.com) [...]
Sunday, December 23, 2012 at 11:16 PDT
[...] You may want to check this out. [...]
Sunday, December 23, 2012 at 18:37 PDT
[...] εταιρεία Cloudmark προειδοποίησε πρόσφατα για τον «δούρειο ίππο» Pikspam, o oποίος [...]
Sunday, December 23, 2012 at 22:21 PDT
[...] Cloudmark 社によって最近検出された Android 用の SMS スパムが、メディアの注目を集めています(シマンテックでは Android.Pikspam として検出されます)。ボットネットによるスパムの拡散はもはや珍しくもありませんが、サイバー犯罪者にとってはモバイルテクノロジが新たな攻撃経路となっており、ソーシャルエンジニアリングやスパムといった定番の攻撃手法がモバイルデバイスに対しても有効になってきています。 [...]
Monday, December 24, 2012 at 03:04 PDT
[...] εταιρεία Cloudmark προειδοποίησε πρόσφατα για τον «δούρειο ίππο» Pikspam, o oποίος [...]
Tuesday, December 25, 2012 at 06:40 PDT
[...] principal use is the SMS spamming according security researches of the two US security firms, Cloudmark and Lookout Mobile Security that discovered the malicious architecture in [...]
Tuesday, December 25, 2012 at 09:53 PDT
[...] principal use is the SMS spamming according security researches of the two US security firms, Cloudmark and Lookout Mobile Security that discovered the malicious architecture in [...]
Wednesday, December 26, 2012 at 00:29 PDT
[...] εταιρεία Cloudmark προειδοποίησε πρόσφατα για τον «δούρειο ίππο» Pikspam, o oποίος [...]
Wednesday, December 26, 2012 at 02:48 PDT
[...] http://blog.cloudmark.com/2012/12/16/android-trojan-used-to-create-simple-sms-spam-botnet/ Share this:TwitterFacebookLike this:LikeBe the first to like [...]
Wednesday, December 26, 2012 at 02:48 PDT
[...] http://blog.cloudmark.com/2012/12/16/android-trojan-used-to-create-simple-sms-spam-botnet/ Share this:TwitterFacebookLike this:LikeBe the first to like [...]
Wednesday, December 26, 2012 at 21:14 PDT
[...] καταγραφή κρουσμάτων σε συσκευές Android.H εταιρεία Cloudmark προειδοποίησε πρόσφατα για τον «δούρειο ίππο» Pikspam, o oποίος [...]
Thursday, December 27, 2012 at 07:19 PDT
[...] a case that appeared recently with a discovery made by Andrew Conway of Cloudmark Inc. – shows that even a relatively simple attack can still be effective on [...]
Thursday, December 27, 2012 at 08:30 PDT
[...] users to download a putrescent apps,” pronounced Andrew Conway, researcher during Cloudmark, in a blog. “If we do download this spamvertised focus and implement it on your Android handset, we might be [...]
Wednesday, January 02, 2013 at 13:20 PDT
[...] DetailsConsistent with CloudMark’s analysis, we’ve seen a number of different spam campaigns active. Examples [...]
Sunday, March 24, 2013 at 19:52 PDT
[...] You can find a list of identified Trojan apps and distribution URLs along with Conway’s write-up. [...]