Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Dial M for malware: ‘Pawost’ trojan hijacks Android phones to make unauthorized calls

A recently discovered mobile malware program is giving Android devices a mind of their own, causing them to use the messaging service Google Talk to secretly and repeatedly place outgoing calls to mysterious phone numbers approximately every two minutes.

According to a blog post from Malwarebytes Labs, the trojan, nicknamed Pawost, was observed making a series of calls to numbers featuring a 259 area code. In an interview with, Malwarebytes' senior malware intelligence analyst and blog post author Nathan Collier acknowledged that the prevailing theory is that these are premium phone numbers set up by scammers who earn money on every call they receive, legitimate or not. “Especially on Android, [motives] always lean toward ‘What is going to make me money?'” said Collier.

Of course, that also means that infected victims can rack up massive charges very quickly.

First observed on May 24, the malware is actually hidden within a simple stopwatch Android app. After the app is downloaded, a blank Google Talk icon pops up in the mobile device's notifications, and the malicious calls begin soon thereafter. To conceal its malicious intent from victims, Pawost places affected Android devices in a partial wakelock that turns off the screen and keyboard back light even while the CPU operates, allowing the automated calls to continue unabated until the app is forced-stopped or uninstalled.

Collier, who performed the malware analysis, determined that the 259 area code remains unassigned both in China, where the malware reportedly originated, and in the United States.

After using an Android emulator to observe Pawost's behavior, Collier dialed back several of the numbers that the malware attempted to call. Dialing the numbers with the U.S. country code +1 resulted in invalid numbers, but using the Chinese country code +86 worked, generating a series of busy signals. This supports the idea that these are Chinese phone numbers, targeting a Chinese user base.

Collier suspects the dubious stopwatch app is likely being accessed via untrustworthy third-party app stores, noting that “There are certain regions in China that don't allow you to use Google Play, so third-party sites are popular.”

Pawost also possesses the ability to send and block SMS messages, potentially for toll fraud purposes. Collier did not actively observe this behavior during research, but such capabilities could easily be leveraged by bad actors in future malware attacks. The malware also gathers information from mobile devices and communicates it back to a command-and-control server. Stolen data includes phone numbers, apps installed, and IMSI (International Mobile Subscriber Identity) and IMEI International Mobile Station Equipment Identity codes.

Victims who happen to use their phones while a secret call is  being placed will likely quickly realize something is wrong, said Collier, but by then the damage might be done. Plus, “You may be aware of it, but you may not know exactly how to stop it,” added Collier, unless you can deduce that the stopwatch app was the source of the infection and then successfully uninstall it.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.