Android botnet detected on all major mobile networks

Share this article:

Spammers have amassed the first-known Android botnet, consisting of compromised devices running on all the major U.S. mobile networks, and it's being used to deliver SMS spam, researchers said this week.

Spotted in early December by two San Francisco-based security firms, Cloudmark and Lookout Mobile Security, the botnet grows when users unwittingly install a malicious game application that contains the SpamSoldier trojan. Infected devices then communicates with a command-and-control server, receiving instructions to send SMS messages to more than 100 phone numbers.

After texting those numbers, infected phones get a new list of targets within about a minute. The malware also blocks incoming and outgoing texts from unknown numbers, in case users or mobile service providers try to alert victims of their spamming.

Andrew Conway, a researcher at Cloudmark, told SCMagazine.com Tuesday that the botnet's orchestrators are likely making money through a variety of strategies, including sending out links to claim bogus gift cards, but which actually lead to rogue marketing sites that request personal information.

Conway said this botnet has “changed the economics” of spamming campaigns.

“The typical SMS spamming technique is that a spammer will go to the grocery store, buy some prepaid SIM [subscriber identity module] cards and [use] them to send out spam messages,” Conway said. “We think the spammers are getting less and less value for money out of that approach as the industry catches on to that.”

In the SpamSoldier campaign, the fraudsters make their victims shoulder the cost of spamming, Conway explained. While he described the botnet as “primitive” compared to those that fester among infected endpoints in the traditional PC environment, the tactic may demonstrate a future model to be taken up by attackers.

So far, Cloudmark researchers have detected more than 800 phone numbers sending out the spam, and they believe the total number of infected devices is around 1,000. Verizon, AT&T, Sprint and T-Mobile were among the U.S. carriers where SpamSoldier messages were seen entering and leaving the networks.  

A Monday blog post at Lookout, written by senior product manager Derek Halliday, confirmed that occurrences of the malware remained low, but that the impact could be greater if left undetected by users or carriers.

“The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier's network," Halliday wrote.

And carriers may be slow to address or detect the issue, Conway said.

“Depending on your carrier, the standard procedure is to block all text messages from your phone if you are sending out spam messages,” he added.

A spokesperson for Google, which owns Android, declined to comment on the record.

Back in July, conflicting reports about the existence of a spam botnet on Android devices surfaced, but Google quickly denied those claims, and it was eventually determined that the spammers were using infected computers and a fake mobile signature to abuse a Yahoo Mail app for Android devices. 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Reported breaches involving zero-day bug at JPMorgan Chase, other banks

Reported breaches involving zero-day bug at JPMorgan Chase, ...

Hackers exploited a zero-day vulnerability and gained access to sensitive information from JPMorgan Chase and at least four other financial institutions, reports indicate.

Data on 97K Bugzilla users posted online for about three months

During a migration of the testing server for test builds of Bugzilla software, data on about 97,000 Bugzilla users was inadvertently posted publicly online.

Chinese national had access to data on 5M Arizona drivers, possible breach ...

Although Lizhong Fan left the U.S. in 2007, the agencies responsible for giving him access to Americans' personal information have yet to disclose the details of the case to the public.