Android trojan sends premium SMS messages, targets U.S. users for first time

An SMS trojan for Android has been observed sending premium SMS messages to users all over the world.

The security experts with Kaspersky Lab have identified what they believe to be the first active SMS trojan ringing up premium charges for Android users in the United States.

The malware is named 'Trojan-SMS.AndroidOS.FakeInst.ef' – or FakeInst – and is capable of sending premium-rate SMS messages, as well as enabling an attacker to steal, delete and respond to SMS messages, Roman Unuchek, senior malware analyst with Kaspersky Lab, told SCMagazine.com on Wednesday.

That it impacts U.S. users is a first for active SMS trojans, according to a Wednesday post by Unuchek, which adds that Canada, Mexico, France, Spain, Sweden, Greece, Czech Republic, Switzerland, Poland, and Italy are just some of the 66 locations around the world that round out the support list.

“We haven't seen this sort of malware before in the U.S.,” Unuchek said. “Apparently, the cybercriminals have played enough in ‘sandbox,’ acquiring experience and collecting resources. Now they want more [and] they are ready for expansion.”

In order to spread the infection, attackers are luring users to phishing websites with promises of a classic internet attraction – pornography.

In an example, Unuchek said a victim may end up compromised after unwittingly landing on a phishing page when browsing the internet for adult material. He explained that the user would then be asked to download a malicious application said to be used for viewing the sexual content.

Once the application is installed and the user consents to sending a text message to obtain the adult content, the trojan decrypts a configuration file containing the premium phone numbers and sends out SMS messages – at about $2 a pop – depending on the user's location.

The malware authors are likely from Russia because early versions were only operable in the country, Unuchek wrote in his post, also stating that the command-and-control servers are registered with and hosted by Russian providers. Additionally, the majority of infections have been observed in Russia, as well as Canada.

Common sense will help defend against this type of attack.

“Do not install apps from unofficial stores,” Unuchek said. “If a porn website tells you to install an application, you better not do this. And, of course, users should use mobile anti-virus.”
