Malware

Russian SMS Trojan for Android hits dozens of countries

Life
Source: IDGNS

24 April 2014

An Android Trojan app that sends SMS messages to premium-rate numbers has expanded globally over the past year, racking up bills for users in over 60 countries, malware researchers from Kaspersky Lab said.

The malware program, which Kaspersky products detect as Trojan-SMS.AndroidOS.FakeInst.ef, dates back to February 2013 and was originally designed to operate in Russia.

The trojan disguises itself as an application for watching porn videos, but once installed on a device it downloads an encrypted configuration file and starts sending SMS messages to predefined premium-rate numbers, depending on the user’s mobile country code.

For example, when the malware encounters mobile country codes – special codes used by carriers to identify mobile networks in different countries – Kaspersky researchers said in a blog post Wednesday.

The malware can also intercept incoming messages and can receive commands from command-and-control servers to send specific text messages to particular phone numbers.

The Kaspersky researchers have identified 14 different versions of Trojan-SMS.AndroidOS.FakeInst.ef and determined that the malware has spread to 66 countries.

Cybercriminals have used premium-rate SMS trojans for years to steal money from Android users in China, Russia and other countries where the use of non-official app stores is common. However, Trojan-SMS.AndroidOS.FakeInst.ef and another widespread Trojan called Trojan-SMS.AndroidOS.Stealer.a, which has support for 14 countries, suggest a global escalation for this type of threat.

The Kaspersky researchers did not clarify how the rogue apps that carry this trojan are being distributed. The apps are not likely downloaded from Google Play, because Google has gotten much better at policing its app store in recent years. So Android users are probably affected after specifically configuring their phones to allow the installation of apps from “unknown sources”.

Many users might have that setting enabled because it’s needed to install some legitimate applications that can’t be distributed through Google Play for policy reasons – for example some online poker clients. In addition, attackers could also use social engineering techniques to trick users into enabling support for unknown app sources.

IDG News Service

Read More:


Back to Top ↑

TechCentral.ie