A pair of Android Trojans intercepts incoming SMS communications, leaving users unaware that something is wrong with their device.
Security researchers have
come across a new Android Trojan that sends Short Message Service communications
to prime-rate numbers. This comes shortly after reports emerged that the Zeus
gang has come up with an Android version of their banking malware.
Known as HippoSMS, the
latest Trojan is sophisticated enough to automatically send SMS communications
to expensive phone numbers and to prevent the carriers from notifying users of
the charges incurred, researchers at North Carolina State
University discovered July 10. The researchers came across HippoSMS in
alternative Android markets in China. There have been no reports as of yet of
this Trojan appearing in Google's official Android Market.
HippoSMS is embedded inside
an application that looks legitimate, the researchers found, and activates as
soon as the application is installed on the Android device, researchers found.
A number of malware-tainted Android applications recently have been distributed
this way, with legitimate applications being recompiled with malicious code,
such as DroidDream in March and DroidDream
Light in May.
shows that HippoSMS directly piggybacks the host app so that when the app is
launched, it will immediately activate one service to send SMS messages to a
hard-coded premium-rated number," wrote Xuxian Jiang, an assistant
professor in the computer science department at NC State.
The malware then monitors
incoming SMS communications and deletes all messages that come from mobile-service
providers. Providers typically send users notification messages about the
user's account, such as the current balance. By deleting the messages, the
Trojan ensures the user doesn't find out about the costly text messages until
the bill arrives.
As threats go, HippSMS is
fairly limited as it affects only users in China and the malware is hard-coded
to send messages to a specific number. This kind of mobile malware that sends
stealthy text messages to expensive prime-rate numbers is a serious problem in
Russia, China and the Ukraine, where it's easy to rent out these numbers, Denis
Maslennikov, a senior malware analyst at Kaspersky Lab, told eWEEK.
As new SMS malware makes the
researchers claimed that recently identified banking malware was linked to
the gang behind the Zeus Trojan. A malicious application masquerading as an
Android version of the Trusteer Rapport banking-security tool, this Trojan was
distributed by a Web server that pushed out Zbot, the mobile Zeus variant, for
other platforms as well.
The installed application
uses a stolen Rapport icon and intercepts all received SMS communications on
the device. The messages are also encoded and forwarded onto a different
server. Despite the capabilities and the originating Web server, the Trojan's
lack of sophistication makes it hard to determine whether it was part of the
Zeus kit, Vanja Svajcer, a principal virus researcher in SophosLabs, wrote on
NakedSecurity blog. For example, the command-and-control server's address
was hard-coded in the source code, making the Trojan "quite
inflexible," Svajcer found.
"We cannot be 100% sure
that this is indeed a part of the Zeus kit," Svajcer said.
The fake Trusteer Rapport
application "doesn't fit the Zeus MO [modus operandi]," Roel
Schouwenberg, senior antivirus researcher at Kaspersky Lab, told eWEEK. The Zeus kit is designed to be
efficient, and malware that intercepts all text messages doesn't fit the
profile because the cyber-criminal will have to do a lot of digging to find the
relevant banking messages, Schouwenberg said. If this had been from the
"Zeus guys" they would have at least taken "some rough edges
off," he said.
There are currently Zeus
variants for Symbian, Windows Mobile and Blackberry
phones in the wild. One of the characteristics for the mobile Trojan is its
ability to intercept SMS communications from financial institutions to steal