Android Targeted By SMS-Grabbing Malware - InformationWeek


The fake software is disguised as legitimate security applications and reroutes SMS messages to Web servers.

Security researchers have reported finding an early test build of SMS-grabbing malware designed to resemble a legitimate Android security application.

In particular, the Android malware attempts to fool users into installing it by trying to disguise itself as Mobile Security 9, which is legitimate mobile antivirus software from Kaspersky Lab. "The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product," said Vanja Svajcer, a principal virus researcher at SophosLabs, who detailed the rogue application in a blog post.

"When the package is launched, the malware attempts to get the unique device ID number and transform it into an 'activation code.' The fake activation code is then displayed in a standard Android view," he said. "In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a Web server set up by the attacker."

That makes the attack sound like a variation on the recently discovered Trojan spyware application Zitmo. But Svajcer said that while the functionality is similar, the malware's code doesn't provide conclusive proof of their having been developed by the same person or criminal gang.

Zitmo, which began appearing in mid-June, was disguised as an application named TrustMobile, which was available via the official Android Market. "The application has already been removed but, as it was in previous cases of malware in the Android Market, there are mirroring websites which save the information about all the programs approved by Google," said Denis Maslennikov, a security researcher at Kaspersky Lab, in a blog post.

Zitmo is short for Zeus-in-the-mobile, in reference to the mobile malware's tie-in to the Zeus crimeware kit and related botnets favored by criminals who target people's personal financial details. "Now we have Zitmo targeting four platforms: Symbian, Windows Mobile, Blackberry, and Android," said Maslennikov.

As with the fake Kaspersky application, Zitmo resembled an actual mobile security application--in this case, Trusteer Rapport. Beyond using Android Market, Maslennikov said that attackers also attempted to sneak it onto people's smartphones via related malware, which would launch when the user visited a banking website. At that point, the malware, disguised as a Trusteer security message, would ask the user to install a "new mobile app which protects your phone while working with online banking," and then ask which mobile operating system their phone used. If the user selected "Android," they would be redirected to a website that hosts the malicious Android application, and asked to download and install it.
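For defenders triaging an unknown Android package, the behavior Svajcer describes (a broadcast receiver that intercepts SMS in an app that can also reach the network) leaves a recognizable footprint in the manifest. The following is an added example, not code from SophosLabs or Kaspersky Lab; it assumes the manifest has already been decoded to plain XML (for example with apktool), and the package name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Security">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def _priority(intent_filter):
    """Return the filter priority as an int; missing or malformed values count as 0."""
    try:
        return int(intent_filter.get(A + "priority", "0"))
    except ValueError:
        return 0

def sms_forwarding_indicators(manifest_xml):
    """Collect manifest traits that together allow SMS interception and upload."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            if SMS_ACTION in {a.get(A + "name") for a in flt.iter("action")}:
                receivers.append((rcv.get(A + "name"), _priority(flt)))
    return {
        "package": root.get("package"),
        "sms_receivers": receivers,  # (component name, filter priority)
        "can_read_sms": "android.permission.RECEIVE_SMS" in perms,
        "can_use_network": "android.permission.INTERNET" in perms,
        "reads_device_id": "android.permission.READ_PHONE_STATE" in perms,
    }

def is_suspicious(manifest_xml):
    """Flag apps that can both receive SMS broadcasts and reach the network."""
    r = sms_forwarding_indicators(manifest_xml)
    return bool(r["sms_receivers"]) and r["can_read_sms"] and r["can_use_network"]
```

A positive result is a triage signal rather than a verdict, since legitimate messaging and security apps request the same combination; it tells an analyst which receiver class to inspect first.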
