Dial M for malware: 'Pawost' trojan hijacks Android phones to make unauthorized calls

A malicious stopwatch application containing "Pawost" malware causes Android phones to make repeated calls to numbers with a 259 area code.
A malicious stopwatch application containing "Pawost" malware causes Android phones to make repeated calls to numbers with a 259 area code.

A recently discovered mobile malware program is giving Android devices a mind of their own, causing them to use the messaging service Google Talk to secretly and repeatedly place outgoing calls to mysterious phone numbers approximately every two minutes.

According to a blog post from Malwarebytes Labs, the trojan, nicknamed Pawost, was observed making a series of calls to numbers featuring a 259 area code. In an interview with SCMagazine.com, Malwarebytes' senior malware intelligence analyst and blog post author Nathan Collier acknowledged that the prevailing theory is that these are premium phone numbers set up by scammers who earn money on every call they receive, legitimate or not. “Especially on Android, [motives] always lean toward ‘What is going to make me money?'” said Collier.

Of course, that also means that infected victims can rack up massive charges very quickly.

First observed on May 24, the malware is actually hidden within a simple stopwatch Android app. After the app is downloaded, a blank Google Talk icon pops up in the mobile device's notifications, and the malicious calls begin soon thereafter. To conceal its malicious intent from victims, Pawost places affected Android devices in a partial wakelock that turns off the screen and keyboard back light even while the CPU operates, allowing the automated calls to continue unabated until the app is forced-stopped or uninstalled.

Collier, who performed the malware analysis, determined that the 259 area code remains unassigned both in China, where the malware reportedly originated, and in the United States.

After using an Android emulator to observe Pawost's behavior, Collier dialed back several of the numbers that the malware attempted to call. Dialing the numbers with the U.S. country code +1 resulted in invalid numbers, but using the Chinese country code +86 worked, generating a series of busy signals. This supports the idea that these are Chinese phone numbers, targeting a Chinese user base.

Collier suspects the dubious stopwatch app is likely being accessed via untrustworthy third-party app stores, noting that “There are certain regions in China that don't allow you to use Google Play, so third-party sites are popular.”

Pawost also possesses the ability to send and block SMS messages, potentially for toll fraud purposes. Collier did not actively observe this behavior during research, but such capabilities could easily be leveraged by bad actors in future malware attacks. The malware also gathers information from mobile devices and communicates it back to a command-and-control server. Stolen data includes phone numbers, apps installed, and IMSI (International Mobile Subscriber Identity) and IMEI International Mobile Station Equipment Identity codes.

Victims who happen to use their phones while a secret call is  being placed will likely quickly realize something is wrong, said Collier, but by then the damage might be done. Plus, “You may be aware of it, but you may not know exactly how to stop it,” added Collier, unless you can deduce that the stopwatch app was the source of the infection and then successfully uninstall it.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS