Android Trojan Used To Create Simple SMS Spam Botnet

A new crop of trojan mobile applications are demonstrating simple mobile botnet behavior, leveraging infected handsets to spread spam and invitations for other users to download the infected apps. This new evolution of malicious mobile applications is presently being monitored by the Cloudmark mobile security research team who had been investigating a strong uptick in mobile originated spam over the past week. A random invitation received via SMS to download a free version of a popular Android game like The Need for Speed Most Wanted or Angry Birds Star Wars may seem enticing, but as your intuition may hint the offer is often times too good to be true.   If you do download this “spamvertised” application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author.  In the case of this latest batch of SMS sending malware that the Cloudmark Research team has been monitoring, your phone will be used to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server.  You better have an unlimited message plan or your phone bill may come as a bit of a shock. The trojan apps were downloaded from sites on a server in Hong Kong offering free games. They claimed to be copies of popular games including the ones I mentioned. [caption id="attachment_2252" align="aligncenter" width="224"]

Don't do it![/caption] Of course you have to jump through some hoops to install an Android app from a random web site rather than Google Play. [caption id="attachment_2251" align="aligncenter" width="224"] Don't do this, either[/caption] Then you have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages, but not many people read the fine print when installing Android applications. Once installed, the trojan initiates a connection to a command and control server. The C&C server replies with both a list of spam target phone numbers as well as the message payload to deliver.  After the payload is retrieved the application would duly start SMS spamming, reporting back to the C&C server on each message sent. The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers. The application reloads automatically after a reboot as it installs itself as a service on the handset. We first saw this spammer on October 26th, when the trojan claimed to be anti SMS spam software!

Tired of SMS Spam? Download our free SMS Blocker today to finally rid yourself of unwanted messages! Download now at http://[redacted].com

That attack only lasted one day. Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell. The spammer came back on November 10th, with the free games scam which simply attempts to get the botnet to spread:

Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at http://[redacted].mobi for next 24hrs only!

On November 28 the spammer decided to start monetizing. The free game messages continued, but there were also free gift card scam messages mixed in. This is a fairly common sort of SMS spam:

You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!

Of course, there are not really any free gift cards, this is just a trick to collect your personal information for affiliate programs and sometimes identity theft. [tweet_box]Only install Android apps from Google Play[/tweet_box] This stayed as a fairly low volume attack until the end of the week before last, when the spammer decided to ramp up his activities. For a couple of days we saw growth rates of 80% per day, with a peak rate of over half a million SMS messages per day. To date, the following Trojan apps have been identified:

• needforspeed.apk MD5 = 2e78f497c3b21eed5f303f3bc6740c17
• needforspeed.apk MD5 = bb5cf7c1d7708611fa4a4c5d5b7de9ba
• maxpayne.apk MD5 = 916ae10046bb3c2867ea8bf7da3277bc
• angrybirdstarwarshd.apk MD5 = 86e3fb0e8ca9d562beb714246bf2a2a8
• gta3game.apk MD5 = 86baa16d3e564874fce8546ed02adc67
• grandtheftauto.apk MD5 = 220a24a3f48f5e4897fa4a089df7c284
• angrybirdstarwarsl.apk MD5 = 86e3fb0e8ca9d562beb714246bf2a2a8
• grandtheftauto3l.apk MD5 = 74a87681a0941764f178dc651ee58646
• grandtheftautovicecityl.apk MD5 = 989c0a24f7a2a8153c6cef6061a975c9
• needforspeedl.apk.zip MD5 = cb212a715b6887610bc08c2ff203cd84

These URLs have been used for malware distribution:

• newestgames.mobi
• gamerpalace.mobi
• trendingoffers.com
• holyoffers.com
• gamehaven.mobi
• game-haven.mobi
• freshoffers.mobi

These URLs have been used by the C&C server

• l0rdzs0ldierz.com
• imperialistic.mobi

Compared with PC botnets this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more more complex attacks that are harder to take down. Please help prevent this from becoming a major problem:

• Only install Android apps from Google Play
• When you receive SMS spam, forward it to 7726

Share this with your friends and family, and together we can prevent Android botnets. [tweet_box]When you receive SMS spam, forward it to 7726[/tweet_box] We're continuing to monitor this attack and will update the blog with any breaking news.