Android botnet detected on all major mobile networks

Spammers have amassed the first-known Android botnet, consisting of compromised devices running on all the major U.S. mobile networks, and it's being used to deliver SMS spam, researchers said this week.

Spotted in early December by two San Francisco-based security firms, Cloudmark and Lookout Mobile Security, the botnet grows when users unwittingly install a malicious game application that contains the SpamSoldier trojan. Infected devices then communicate with a command-and-control server, receiving instructions to send SMS messages to more than 100 phone numbers.

After texting those numbers, infected phones get a new list of targets within about a minute. The malware also blocks incoming and outgoing texts from unknown numbers, in case users or mobile service providers try to alert victims of their spamming.

Andrew Conway, a researcher at Cloudmark, told SCMagazine.com Tuesday that the botnet's orchestrators are likely making money through a variety of strategies, including sending out links to claim bogus gift cards, which actually lead to rogue marketing sites that request personal information.

Conway said this botnet has “changed the economics” of spamming campaigns.

“The typical SMS spamming technique is that a spammer will go to the grocery store, buy some prepaid SIM [subscriber identity module] cards and [use] them to send out spam messages,” Conway said. “We think the spammers are getting less and less value for money out of that approach as the industry catches on to that.”

In the SpamSoldier campaign, the fraudsters make their victims shoulder the cost of spamming, Conway explained. While he described the botnet as “primitive” compared to those that fester among infected endpoints in the traditional PC environment, the tactic may demonstrate a future model to be taken up by attackers.

So far, Cloudmark researchers have detected more than 800 phone numbers sending out the spam, and they believe the total number of infected devices is around 1,000. Verizon, AT&T, Sprint and T-Mobile were among the U.S. carriers where SpamSoldier messages were seen entering and leaving the networks.  

A Monday blog post at Lookout, written by senior product manager Derek Halliday, confirmed that occurrences of the malware remained low, but that the impact could be greater if left undetected by users or carriers.

“The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier's network,” Halliday wrote.

And carriers may be slow to address or detect the issue, Conway said.

“Depending on your carrier, the standard procedure is to block all text messages from your phone if you are sending out spam messages,” he added.

A spokesperson for Google, which owns Android, declined to comment on the record.

Back in July, conflicting reports about the existence of a spam botnet on Android devices surfaced, but Google quickly denied those claims, and it was eventually determined that the spammers were using infected computers and a fake mobile signature to abuse a Yahoo Mail app for Android devices. 
