Android trojan sends premium SMS messages, targets U.S. users for first time

An SMS trojan for Android has been observed sending premium SMS messages to users all over the world.

The security experts with Kaspersky Lab have identified what they believe to be the first active SMS trojan ringing up premium charges for Android users in the United States.

The malware is named ‘Trojan-SMS.AndroidOS.FakeInst.ef’ – or FakeInst – and is capable of sending premium-rate SMS messages, as well as enabling an attacker to steal, delete and respond to SMS messages, Roman Unuchek, senior malware analyst with Kaspersky Lab, told SCMagazine.com on Wednesday.

That it impacts U.S. users is a first for active SMS trojans, according to a Wednesday post by Unuchek, which adds that Canada, Mexico, France, Spain, Sweden, Greece, Czech Republic, Switzerland, Poland, and Italy are just some of the 66 locations around the world that round out the support list.

“We haven't seen this sort of malware before in the U.S.,” Unuchek said. “Apparently, the cybercriminals have played enough in ‘sandbox,’ acquiring experience and collecting resources. Now they want more [and] they are ready for expansion.”

In order to spread the infection, attackers are luring users to phishing websites with promises of a classic internet attraction – pornography.

In an example, Unuchek said a victim may end up compromised after unwittingly landing on a phishing page when browsing the internet for adult material. He explained that the user would then be asked to download a malicious application said to be used for viewing the sexual content.

Upon installation, and after the user consents to sending a text message to obtain the adult content, the trojan decrypts a configuration file containing the premium phone numbers and sends out SMS messages – at about $2 a pop – depending on the user's location.

The malware authors are likely from Russia because early versions were only operable in the country, Unuchek wrote in his post, also stating that the command-and-control servers are registered with and hosted by Russian providers. Additionally, the majority of infections have been observed in Russia, as well as Canada.

Common sense will help defend against this type of attack.

“Do not install apps from unofficial stores,” Unuchek said. “If a porn website tells you to install an application, you better not do this. And, of course, users should use mobile anti-virus.”
