Variants now spawning off new Android SMS malware

Share this…

AndroidOS.SmsThief does what it says on the tin – acts as a thief through SMS, on Android.

Mobile network security and threat detection company AdaptiveMobile says it has been tracking the emergence of a new strain of Android malware. The appropriately named AndroidOS.SmsThief targets SMS message users on Android and has been evolving and developing variants since it was first identified as a threat in late August.

AdaptiveMobile says that multiple deviations from the base code have been traced across the Chinese Android market. Attacks in other world regions have yet to be logged and reported. This mobile phone virus does not infect computer users at this stage.

How a threat vector starts

AdaptiveMobile explains that the threat vector begins from an infected phone, where an SMS is sent to an uninfected device, informing the user that their friend or contact has attempted to share a photograph, document or file. When the user then clicks on the link in the text message, they are directed to download an app from a malicious but seemingly legitimate source.

Variants now spawning off new Android SMS malware
Variants now spawning off new Android SMS malware

The problem here may be compounded by the fact that China does not have an official app store like Google Play. This lack of formalisation and application validation is widely argued to increase the threat from counterfeit apps and download platforms.

According to AdaptiveMobile, once a user has installed the malware to their device and given permission to access contacts and messages, the program allows the primary attacker to monitor any and all messages sent from the infected device. This potentially provides access to sensitive information such as personal and financial data whilst enabling the malware to spread to a wider network of contacts.

How China alerts its people

The Chinese National Computer Virus Emergency Response Center (CVRC) posted this alert (press ‘translate’ to convert the webpage at the link shown) to warn the population. It says that anyone with an infected cell phone should immediately upgrade their phone’s anti-virus software.

Despite this nationwide decree, AdaptiveMobile insists that this highly sophisticated malware is “constantly evolving” and the message can manifest itself as a number of different applications. A total of eight different variants have been tracked at the time of writing.

How a threat evolves spoke directly to Brian Kelly, chief security officer at managed cloud specialist Rackspace, to discuss how a still-emerging threat like this can evolve and spawn variants – and question what we should be doing as a globally connected security community to counter nascent malware that is evolving before our eyes.

“Mobile security is still a fairly young capability in terms of the industry’s ability to detect and defend against adversaries targeting this medium. As in social engineering attacks, the ability to better protect against these types of attacks rests with the individual user,” said Rackspace’s Kelly, who himself previously led the Giuliani Advanced Security Center in New York.

“It is crucial that the security industry continues awareness campaigns which both highlight the threats at the same time as providing details on actions users can take to prevent and then triage if an issue occurs. Users should follow best practices such as downloading only from reputable sources and employing endpoint protection when available.”

How threats evolve and spawn variants

SC also followed up this story with the original report author Cathal McDaid, head of the Threat Intelligence Unit at AdaptiveMobile. We asked McDaid how the onward spawning of variants occurs.

“Threats like this evolve as a response to a) what works and b) avoid defences, so in this particular case the malware has been evolving quite rapidly, with several variants encountered already. There are several reasons for this fast evolution of this particular malware, to increase the rate at which the malware spreads successfully, but also there is evidence that they are seeking to expand the abilities of the malware over time,” he said.

McDaid underlines that there have been “reports of sizeable losses” in China from interception of mobile authentication codes sent via SMS that have allowed hackers to take money from bank accounts. He concludes that, at a broader level, it is rare to see such a sophisticated command and control set-up for a malware like this, so this shows an increasing complexity in this type.

How we should defend ourselves

SC was keen to provide some kind of closure on this story (even if temporary) and so also spoke to Filip Chytry, security researcher at antivirus and anti-spyware protection company Avast.

Chytry asserts that there are “various automated tools” that can be used to generate different packages using much of the original app’s source code. “This means that cyber-criminals can generate an app’s main source code and then change or add the app’s UI and internal things, such as URLs. This is how still evolving threats can spawn new variants so quickly. It is therefore vital for antivirus companies to have behavioural analysis in place, as it is very difficult to catch these types of threats, especially since each package is unique,” he said.

The Avast man concluded: “Most security vendors are already exchanging information about new threats to combat new threats and variants. What might also help would be to have a universal system in place where apps are required to have trusted digital signatures. This would allow security vendor’s to quickly recognise trusted apps.”