Android botnet detected on all major mobile networks

Spammers have amassed the first-known Android botnet, consisting of compromised devices running on all the major U.S. mobile networks, and it's being used to deliver SMS spam, researchers said this week.

Spotted in early December by two San Francisco-based security firms, Cloudmark and Lookout Mobile Security, the botnet grows when users unwittingly install a malicious game application that contains the SpamSoldier trojan. Infected devices then communicate with a command-and-control server, receiving instructions to send SMS messages to more than 100 phone numbers.

After texting those numbers, infected phones get a new list of targets within about a minute. The malware also blocks incoming and outgoing texts from unknown numbers, in case users or mobile service providers try to alert victims of their spamming.
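The behaviour described above, a handset bursting messages to a list of 100-plus distinct numbers and refreshing that list about once a minute, is very different from how a phone's owner texts. The following is an added, carrier-side illustration of how that pattern could be picked out of outbound SMS records; it is not code from Cloudmark, Lookout or the article, and the record format (timestamp, sender, recipient), the 60-second window and the threshold of 50 distinct recipients are assumptions chosen for the example. The sample records are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_record(line):
    """Parse one constructed outbound-SMS record: '<ISO timestamp> <sender> <recipient>'."""
    ts, sender, recipient = line.split()
    return datetime.fromisoformat(ts), sender, recipient


def find_bulk_senders(lines, window_seconds=60, distinct_threshold=50):
    """Flag senders that reach `distinct_threshold` distinct recipients inside any
    sliding window of `window_seconds`. Records must be in timestamp order.

    Returns {sender: peak number of distinct recipients seen in one window}.
    A normal user rarely texts dozens of different numbers within a minute; a
    handset working through a C2-supplied list of 100+ numbers does exactly that.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)     # sender -> deque of (timestamp, recipient) in window
    in_window = defaultdict(Counter)  # sender -> recipient -> messages still in window
    flagged = {}

    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, sender, recipient = parse_record(line)
        queue, counts = recent[sender], in_window[sender]
        queue.append((ts, recipient))
        counts[recipient] += 1

        # Expire records that fell out of the sliding window.
        while queue and ts - queue[0][0] > window:
            _, old_recipient = queue.popleft()
            counts[old_recipient] -= 1
            if counts[old_recipient] == 0:
                del counts[old_recipient]

        distinct = len(counts)
        if distinct >= distinct_threshold:
            flagged[sender] = max(flagged.get(sender, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed records (hypothetical numbers): one handset behaving like an
    infected device, one behaving like an ordinary subscriber."""
    base = datetime(2012, 12, 11, 10, 0, 0)
    lines = []
    # Infected handset: 120 distinct recipients in 60 seconds, two messages per second.
    for i in range(120):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} +15550000001 +1555010{i:04d}")
    # Ordinary handset: six messages to two contacts spread over the hour.
    for i in range(6):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} +15550000002 +155502000{i % 2}")
    lines.sort()  # timestamps share a fixed-width ISO format, so string order is time order
    return lines


if __name__ == "__main__":
    for sender, peak in find_bulk_senders(build_sample_log()).items():
        print(f"{sender}: {peak} distinct recipients within one window")
```

Only the constructed infected handset is reported; the ordinary subscriber never exceeds two distinct recipients per window. In practice a carrier would tune the threshold against legitimate bulk senders (group texts, businesses) and combine it with other signals rather than act on this count alone.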

Andrew Conway, a researcher at Cloudmark, told SCMagazine.com Tuesday that the botnet's orchestrators are likely making money through a variety of strategies, including sending out links that purport to offer gift cards but actually lead to rogue marketing sites that request personal information.

Conway said this botnet has “changed the economics” of spamming campaigns.

“The typical SMS spamming technique is that a spammer will go to the grocery store, buy some prepaid SIM [subscriber identity module] cards and [use] them to send out spam messages,” Conway said. “We think the spammers are getting less and less value for money out of that approach as the industry catches on to that.”

In the SpamSoldier campaign, the fraudsters make their victims shoulder the cost of spamming, Conway explained. While he described the botnet as “primitive” compared to those that fester among infected endpoints in the traditional PC environment, the tactic may demonstrate a future model to be taken up by attackers.

So far, Cloudmark researchers have detected more than 800 phone numbers sending out the spam, and they believe the total number of infected devices is around 1,000. Verizon, AT&T, Sprint and T-Mobile were among the U.S. carriers where SpamSoldier messages were seen entering and leaving the networks.  

A Monday blog post at Lookout, written by senior product manager Derek Halliday, confirmed that occurrences of the malware remained low, but that the impact could be greater if left undetected by users or carriers.

“The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier's network,” Halliday wrote.

And carriers may be slow to address or detect the issue, Conway said.

“Depending on your carrier, the standard procedure is to block all text messages from your phone if you are sending out spam messages,” he added.

A spokesperson for Google, which owns Android, declined to comment on the record.

Back in July, conflicting reports about the existence of a spam botnet on Android devices surfaced, but Google quickly denied those claims, and it was eventually determined that the spammers were using infected computers and a fake mobile signature to abuse a Yahoo Mail app for Android devices. 
