Android smartphone users in Russia have been hit by a Trojan that, once installed, starts spouting off SMS text messages to premium numbers, Kaspersky Labs revealed on Tuesday.
The attack is sent through a fake codec — a media player application — that users are asked to download and install.
Once it’s been installed, the Trojan begins sending SMS messages to premium rate numbers, racking up charges on the user’s account.
The attack may be a proof of concept test by the malware authors because it appears to be limited to Russia.
About the Android Trojan
Kaspersky Labs has named the Trojan the “Trojan-SMS AndroidOS Fake Player.” It’s being distributed from a malicious website, Dennis Maslennikov, Kaspersky’s mobile research group manager, told LinuxInsider.
“You have to click the app manually to download and install it; there’s no drive-by download,” Maslennikov said.
When a victim tries to install the app, Android will ask him or her to grant permission for the app to send SMS messages, read or delete data and collect data about the phone and the phone ID, Maslennikov warned. So far, Kaspersky hasn’t been able to find out who’s behind the malware.
“Our application permissions model protects against this type of threat,” Google spokesperson Jay Nancarrow told LinuxInsider.
Users should become suspicious when the Android operating system asks them for permission to send SMS messages or use services that cost money, such as making premium phone calls, Nancarrow pointed out.
He also warned that users should be careful when installing apps that are not on Google’s official application store, the Android Market. The so-called Fake Player is not sold through the Android Market.
“Users must explicitly change a default setting on their smartphones in order to permit the installation of non-Android Market applications,” Nancarrow said.
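The install-time prompt described above is the only point at which a user sees which capabilities an application claims, so a review step that reads the same declarations out of the package manifest is a natural defensive check. The following is an added example written for this article, not code from Kaspersky, Google or any Android tool; it parses a constructed AndroidManifest.xml (the package name, label and permission list are invented) and flags the permission classes Google's spokesperson singles out: services that cost money and access to phone identity or stored messages. The grouping of permissions into those two sets is an assumption of the example; the permission names themselves are real Android identifiers.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed grouping for this example: capabilities that can charge the user's account
COSTS_MONEY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}
# Assumed grouping for this example: capabilities that expose phone identity or messages
PERSONAL_DATA = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed manifest for a supposed "media player" that also asks to send SMS.
# Package name, label and activity are invented for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Movie Player">
        <activity android:name=".MoviePlayer"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def review_manifest(manifest_xml):
    """Summarise the manifest and mark it for review if it can spend the user's money."""
    root = ET.fromstring(manifest_xml)
    perms = set(requested_permissions(manifest_xml))
    app = root.find("application")
    label = app.get("{%s}label" % ANDROID_NS, "") if app is not None else ""
    costly = sorted(perms & COSTS_MONEY)
    personal = sorted(perms & PERSONAL_DATA)
    return {
        "package": root.get("package"),
        "label": label,
        "costs_money": costly,
        "personal_data": personal,
        # An app presenting itself as a media player has no obvious need to send SMS,
        # so any costly permission is enough to route the package to manual review.
        "verdict": "REVIEW" if costly else "ok",
    }


if __name__ == "__main__":
    report = review_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print("%-14s %s" % (key + ":", value))
```

Run against a real package, the same function would take the manifest decoded from the APK (manifests inside an APK are stored in a binary form and need decoding first; that step is outside this example). The point of the check is the one the article makes: the permission list is the only signal the user is given, and a media player that declares SEND_SMS is already a mismatch between what the app says it is and what it asks to do.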
‘Yes You Can’ Doesn’t Cut It
However, this Trojan exploit underscores the flaws in this permissions model because it assumes the user has in-depth knowledge of the apps he or she is about to install, according to Kevin Morgan, chief technology officer at Arxan Technologies.
“The security solution in Android is wrapped around capabilities that are explicitly granted or not to applications on installation so that the user supposedly has control,” Morgan told LinuxInsider.
“The problem with this model is that users don’t really know what capabilities an application should or shouldn’t have, and generally they just say yes to all the capability requests,” he explained.
Currently, spam and SMS scams constitute 75 percent of the malware attacks in the mobile market, Dror Shalev, chief technology officer at DroidSecurity, pointed out.
The Other Android Bug
Meanwhile, British security firm MWR InfoSecurity announced it found a flaw in the WebKit browser used in Android versions 1.6 to 2.1, the Guardian reported. This lets attackers remotely access victims’ Internet history, including the sites visited, cookies, usernames and passwords.
The attackers do this by injecting code from a poisoned website or through an unsecured WiFi network.
MWR InfoSecurity reportedly informed Google of the vulnerability in May, and the flaw has been fixed in Android 2.2.
“The issue noted by MWR InfoSecurity occurred in WebKit and is not Android-specific,” Google’s Nancarrow pointed out. “It has been fixed in the latest version of our Android software. We are not aware of any users having been affected by this bug to date.”
Openness May Mean Having to Say Sorry
The Trojan-SMS AndroidOS Fake Player can be deleted manually through the Android uninstaller, Kaspersky’s Maslennikov said.
Android smartphone owners can protect themselves by only visiting websites and using WiFi networks they can trust, Google’s Nancarrow remarked.
However, could more be done to safeguard Android users? The problem may be the very openness that has made Android so popular.
“Users can install apps from anywhere, not only from the Android marketplace, and that differs from the [App Store] distribution model, which is a good example of strong application review,” Maslennikov said.
“The two pieces of malware hitting the Android OS now are examples of why application providers for Android need to protect their apps from code modification through, for example, the insertion of Trojans,” Arxan’s Morgan said. “More fundamentally, the issue is, how can you have an application-extendable device and not run the risk that users will load applications that contain malware?”
Just Testing, Comrade
The Trojan-SMS AndroidOS Fake Player sends SMS messages to two premium numbers, 3353 and 3354, which only work in Russia, DroidSecurity’s Shalev told LinuxInsider.
“That makes it a local attack, which can be considered a proof of concept attack,” Shalev added. “This technique is widely used by rogue software developers in Europe.”
Virus writers in Russia focus on creating Trojan-SMS programs, wrote Alexander Gostev, head of Kaspersky’s global research and analysis team. One of their most popular scams is to have their malware autosend messages to short numbers. The cost of the texts is deducted from the accounts of the victims.
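The pattern Gostev describes, malware that silently sends texts to short numbers, leaves a distinctive trace: a burst of outgoing messages to a handful of short numeric destinations, all originating from one application. The example below is added for this article and is not Kaspersky's or DroidSecurity's code; it runs that detection over a constructed outbox log (the record format, timestamps, phone numbers and package names are invented) and reports, per sending application, how many messages went to each short code. Treating any purely numeric destination of three to six digits as a short code is an assumption of the example, not a carrier rule.

```python
import re
from collections import Counter

# Constructed outbox records: "timestamp direction destination sending_app".
# The premium numbers 3353 and 3354 are the ones the article names; the
# long number and package names are invented for the example.
SAMPLE_OUTBOX = """\
2010-08-10T12:00:01 OUT 3353 com.example.fakeplayer
2010-08-10T12:00:02 OUT 3354 com.example.fakeplayer
2010-08-10T12:00:03 OUT 3353 com.example.fakeplayer
2010-08-10T13:15:40 OUT +79161234567 com.android.mms
2010-08-10T13:20:00 IN +79161234567 com.android.mms
"""

# Assumption for this example: a bare 3-6 digit destination is a short code.
SHORT_CODE = re.compile(r"^\d{3,6}$")


def parse_outbox(text):
    """Split each non-empty log line into a record dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, direction, dest, app = fields
        records.append({"ts": ts, "dir": direction, "dest": dest, "app": app})
    return records


def short_code_senders(text, threshold=1):
    """Map each app that sent at least `threshold` SMS to short codes onto its per-destination counts."""
    per_app = {}
    for rec in parse_outbox(text):
        # Only outgoing messages to short codes are of interest here
        if rec["dir"] != "OUT" or not SHORT_CODE.match(rec["dest"]):
            continue
        per_app.setdefault(rec["app"], Counter())[rec["dest"]] += 1
    return {
        app: dict(counts)
        for app, counts in per_app.items()
        if sum(counts.values()) >= threshold
    }


if __name__ == "__main__":
    for app, counts in short_code_senders(SAMPLE_OUTBOX).items():
        print("%s sent to short codes: %s" % (app, counts))
```

A threshold above one suppresses the occasional legitimate short-code message (a carrier balance query, for instance) while still catching the repeated sends a billing Trojan produces. On a device the same logic would read the real SMS store rather than a text log; the record format here exists only so the example runs on its own.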
Most SMS Trojans are presented as applications that can be used to send free SMS messages, get free Internet access or access erotic or pornographic content, Gostev wrote.
SMS fraud is becoming increasingly popular with cybercriminals, and the threat is international, Gostev wrote.
Mobile malware may hit even more victims over time as mobile devices and apps become more popular.