Android trojan sends premium SMS messages, targets U.S. users for first time

An SMS trojan for Android has been observed sending premium SMS messages to users all over the world.

The security experts with Kaspersky Lab have identified what they believe to be the first active SMS trojan ringing up premium charges for Android users in the United States.

The malware is named ‘Trojan-SMS.AndroidOS.FakeInst.ef’ – or FakeInst – and is capable of sending premium-rate SMS messages, as well as enabling an attacker to steal, delete and respond to SMS messages, Roman Unuchek, senior malware analyst with Kaspersky Lab, told SCMagazine.com on Wednesday.

That it impacts U.S. users is a first for active SMS trojans, according to a Wednesday post by Unuchek, which adds that Canada, Mexico, France, Spain, Sweden, Greece, Czech Republic, Switzerland, Poland, and Italy are just some of the 66 locations around the world that round out the support list.

“We haven't seen this sort of malware before in the U.S.,” Unuchek said. “Apparently, the cybercriminals have played enough in ‘sandbox,’ acquiring experience and collecting resources. Now they want more [and] they are ready for expansion.”

In order to spread the infection, attackers are luring users to phishing websites with promises of a classic internet attraction – pornography.

In an example, Unuchek said a victim may end up compromised after unwittingly landing on a phishing page when browsing the internet for adult material. He explained that the user would then be asked to download a malicious application said to be used for viewing the sexual content.

Once the application is installed and the user consents to sending a text message to obtain the adult content, the trojan decrypts a configuration file containing the premium phone numbers and sends out SMS messages – at about $2 a pop – depending on the user's location.

The malware authors are likely from Russia because early versions were only operable in the country, Unuchek wrote in his post, also stating that the command-and-control servers are registered with and hosted by Russian providers. Additionally, the majority of infections have been observed in Russia, as well as Canada.

Common sense will help defend against this type of attack.

“Do not install apps from unofficial stores,” Unuchek said. “If a porn website tells you to install an application, you better not do this. And, of course, users should use mobile anti-virus.”
