Android trojan sends premium SMS messages, targets U.S. users for first time

An SMS trojan for Android has been observed sending premium SMS messages to users all over the world.

The security experts with Kaspersky Lab have identified what they believe to be the first active SMS trojan ringing up premium charges for Android users in the United States.

The malware is named ‘Trojan-SMS.AndroidOS.FakeInst.ef’ – or FakeInst – and is capable of sending premium-rate SMS messages, as well as enabling an attacker to steal, delete and respond to SMS messages, Roman Unuchek, senior malware analyst with Kaspersky Lab, said on Wednesday.

That it impacts U.S. users is a first for active SMS trojans, according to a Wednesday post by Unuchek, which adds that Canada, Mexico, France, Spain, Sweden, Greece, Czech Republic, Switzerland, Poland, and Italy are just some of the 66 locations around the world that round out the support list.

“We haven't seen this sort of malware before in the U.S.,” Unuchek said. “Apparently, the cybercriminals have played enough in ‘sandbox,’ acquiring experience and collecting resources. Now they want more [and] they are ready for expansion.”

In order to spread the infection, attackers are luring users to phishing websites with promises of a classic internet attraction – pornography.

In an example, Unuchek said a victim may end up compromised after unwittingly landing on a phishing page when browsing the internet for adult material. He explained that the user would then be asked to download a malicious application said to be used for viewing the sexual content.

Upon installation and after consenting to sending a text message to obtain the adult content, the trojan decrypts a configuration file containing the premium phone numbers and sends out SMS messages – at about $2 a pop – depending on the user's location.

The malware authors are likely from Russia because early versions were only operable in the country, Unuchek wrote in his post, also stating that the command-and-control servers are registered with and hosted by Russian providers. Additionally, the majority of infections have been observed in Russia, as well as Canada.

Common sense will help defend against this type of attack.

“Do not install apps from unofficial stores,” Unuchek said. “If a porn website tells you to install an application, you better not do this. And, of course, users should use mobile anti-virus.”
