Researchers discovered DroidJack attacks that delivered the remote access Trojan (RAT) through an “over the top” (OTT) carrier. Discovered by mobile security firm AdaptiveMobile, the attack sent SMS messages through the OTT cloud communications carrier Twilio.
“While unsophisticated, this malware is interesting as it is delivered using SMS and is purporting to be a MMS message,” AdaptiveMobile marketing communications manager Jessie Power wrote in a blog post. The messages contained links to an APK file that prompted potential victims to click on a link to view their message. “You have received a new MMS,” the SMS message read. “Please tap the link to view it.”
In an email to SCMagazine.com, AdaptiveMobile Chief Information Officer (CIO) Cathal Mc Daid wrote that AdaptiveMobile “worked with our North American carrier customers to successfully block these SMSs containing the link to Droidjack being sent.”
Twilio uses APIs to programmatically send and receive phone calls and text messages. Twilio informed AdaptiveMobile that the account that sent the malicious SMS messages has been closed, Mc Daid said.
When contacted by SCMagazine.com, a Twilio representative declined to confirm this, noting that the company “cannot speak to the status of any specific account.” The risk of installing a Trojan by downloading a malicious image file “is not specific to Twilio,” the representative emphasized in the email. “As with links sent through email, we remind consumers not to click on or download anything from unfamiliar messages or untrusted sources.
Twilio's acceptable use policy prohibits transmitting “viruses, trojan horses, worms or any other malicious, harmful, or deleterious programs.” Twilio takes “swift action to address the issue” if the company finds that the policy has been violated, the representative wrote.
The latest attack may signal “a move by malware authors to follow suit” the limited instances of cybercriminals sending malicious spam through OTT carriers, Power wrote on the blog post.
The increase in malware spread via OTT is “concerning, but not surprising,” said a payments firm security professional. The infection vector used in command and control attacks is an “important part of cybersecurity threat analysis,” wrote Viewpost CSO Christopher Pierson to SCMagazine.com. “In an era in which the phone is not only a mobile computing device, but also increasingly the ‘token' in dual factor authentication for secured transactions, this is a concerning change as cybercriminals seek to gain a beachhead on information transacted through the phone.”
Malware is typically “distributed by infected handsets – not via a SMS from OTT carrier accounts,” AdaptiveMobile's Power wrote. “Given the industry evolution, this change in attack method is not surprising.”
