Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Android trojan sends premium SMS messages, targets U.S. users for first time


The security experts with Kaspersky Lab have identified what they believe to be the first active SMS trojan ringing up premium charges for Android users in the United States.

The malware is named ‘Trojan-SMS.AndroidOS.FakeInst.ef' – or FakeInst – and is capable of sending premium-rate SMS messages, as well as enabling an attacker to steal, delete and respond to SMS messages, Roman Unuchek, senior malware analyst with Kaspersky Lab, told on Wednesday.

That it impacts U.S. users is a first for active SMS trojans, according to a Wednesday post by Unuchek, which adds that Canada, Mexico, France, Spain, Sweden, Greece, Czech Republic, Switzerland, Poland, and Italy are just some of the 66 locations around the world that round out the support list.

“We haven't seen this sort of malware before in the U.S.,” Unuchek said. “Apparently, the cybercriminals have played enough in “sandbox,” acquiring experience and collecting resources. Now they want more [and] they are ready for expansion.”

In order to spread the infection, attackers are luring users to phishing websites with promises of a classic internet attraction – pornography.

In an example, Unuchek said a victim may end up compromised after unwittingly landing on a phishing page when browsing the internet for adult material. He explained that the user would then be asked to download a malicious application said to be used for viewing the sexual content.

Upon installation and after consenting to sending a text message to obtain the adult content, the trojan decrypts a configuration file containing the premium phone numbers and sends out SMS messages – at about $2 a pop – depending on the user's location.

The malware authors are likely from Russia because early versions were only operable in the country, Unuchek wrote in his post, also stating that the command-and-control servers are registered with and hosted by Russian providers. Additionally, the majority of infections have been observed in Russia, as well as Canada.

Common sense will help defend against this type of attack.

“Do not install apps from unofficial stores,” Unuchek said. “If a porn website tells you to install an application, you better not do this. And, of course, users should use mobile anti-virus.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.