Android botnet detected on all major mobile networks


Spammers have amassed the first-known Android botnet, consisting of compromised devices running on all the major U.S. mobile networks, and it's being used to deliver SMS spam, researchers said this week.

Spotted in early December by two San Francisco-based security firms, Cloudmark and Lookout Mobile Security, the botnet grows when users unwittingly install a malicious game application that contains the SpamSoldier trojan. Infected devices then communicate with a command-and-control server, receiving instructions to send SMS messages to more than 100 phone numbers.

After texting those numbers, infected phones get a new list of targets within about a minute. The malware also blocks incoming and outgoing texts from unknown numbers, in case users or mobile service providers try to warn victims that their phones are sending spam.
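The behaviour described above (a handset pushing a batch of roughly 100 messages to distinct numbers and fetching a fresh list within about a minute) is easy to spot from the sending side if outbound SMS records are available. The following detection heuristic is an added example written for this article; it is not code from Cloudmark, Lookout or the article's author. It runs a sliding 60-second window per sender over a constructed sample log and flags any sender that reaches 50 distinct recipients inside one window. The threshold, the window length, the phone numbers and the log format are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed outbound SMS records as (timestamp, sender, recipient) tuples.

    This is synthetic data for the example, not real carrier or handset data.
    """
    base = datetime(2012, 12, 1, 9, 0, 0)
    records = []
    # A compromised handset: 100 messages to 100 distinct numbers in under a minute,
    # matching the batch-of-100-then-refresh pattern described in the article.
    for i in range(100):
        records.append((base + timedelta(seconds=i * 0.5), "+15550001001", f"+1555100{i:04d}"))
    # A normal user: a few messages to three known contacts spread over an hour.
    contacts = ["+15550002001", "+15550002002", "+15550002003"]
    for i in range(6):
        records.append((base + timedelta(minutes=10 * i), "+15550009999", contacts[i % 3]))
    return records


def find_burst_senders(records, window=timedelta(seconds=60), min_distinct=50):
    """Return {sender: peak_distinct_recipients} for senders that reached
    `min_distinct` distinct recipients within any `window`-long period.

    Both parameters are assumed tuning values, not figures from the article.
    """
    by_sender = defaultdict(list)
    for ts, sender, recipient in records:
        by_sender[sender].append((ts, recipient))

    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort()                 # process each sender's messages in time order
        in_window = deque()         # (timestamp, recipient) pairs inside the window
        counts = defaultdict(int)   # recipient -> number of messages inside the window
        for ts, recipient in msgs:
            in_window.append((ts, recipient))
            counts[recipient] += 1
            # Drop messages older than the window from the left of the deque.
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_recipient = in_window.popleft()
                counts[old_recipient] -= 1
                if counts[old_recipient] == 0:
                    del counts[old_recipient]
            if len(counts) >= min_distinct:
                flagged[sender] = max(flagged.get(sender, 0), len(counts))
    return flagged


if __name__ == "__main__":
    for sender, peak in find_burst_senders(build_sample_log()).items():
        print(f"{sender}: {peak} distinct recipients within one window")
```

Counting distinct recipients rather than raw message volume keeps a user who texts the same three contacts repeatedly below the threshold, while a handset that fans out across a hundred unknown numbers stands out immediately. Carriers and handset security products would tune the threshold against their own baselines; the values here are placeholders.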

Andrew Conway, a researcher at Cloudmark, told SCMagazine.com Tuesday that the botnet's orchestrators are likely making money through a variety of strategies, including sending out links that claim to offer gift cards but actually lead to rogue marketing sites that request personal information.

Conway said this botnet has “changed the economics” of spamming campaigns.

“The typical SMS spamming technique is that a spammer will go to the grocery store, buy some prepaid SIM [subscriber identity module] cards and [use] them to send out spam messages,” Conway said. “We think the spammers are getting less and less value for money out of that approach as the industry catches on to that.”

In the SpamSoldier campaign, the fraudsters make their victims shoulder the cost of spamming, Conway explained. While he described the botnet as “primitive” compared to those that fester among infected endpoints in the traditional PC environment, the tactic may demonstrate a future model to be taken up by attackers.

So far, Cloudmark researchers have detected more than 800 phone numbers sending out the spam, and they believe the total number of infected devices is around 1,000. Verizon, AT&T, Sprint and T-Mobile were among the U.S. carriers where SpamSoldier messages were seen entering and leaving the networks.  

A Monday blog post at Lookout, written by senior product manager Derek Halliday, confirmed that occurrences of the malware remained low, but that the impact could be greater if left undetected by users or carriers.

“The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier's network,” Halliday wrote.

And carriers may be slow to address or detect the issue, Conway said.

“Depending on your carrier, the standard procedure is to block all text messages from your phone if you are sending out spam messages,” he added.

A spokesperson for Google, which owns Android, declined to comment on the record.

Back in July, conflicting reports about the existence of a spam botnet on Android devices surfaced, but Google quickly denied those claims, and it was eventually determined that the spammers were using infected computers and a fake mobile signature to abuse a Yahoo Mail app for Android devices. 
