Categories: Cyber Crime, Malware

Android malware for SMS spam botnet

Everywhere you can read rivers of words about the impressive diffusion of social networks and mobile devices, technologies that in recent months have become privileged attack channels because of their large audience.

We all know how dangerous botnets are and how many malicious purposes their diffusion can serve. Today I want to discuss the first known Android botnet, composed of mobile devices on all the major U.S. mobile networks.

Its principal use is SMS spamming, according to researchers at the two U.S. security firms, Cloudmark and Lookout Mobile Security, that discovered the malicious architecture in December.

The method of infection is a well-established process based on malware, the SpamSoldier trojan: every victim is compromised when they install the malware, masqueraded as a game application.

The mobile trojan exploits infected devices to spread spam and invitations for other users to download the infected apps. The malware sends out SMS messages inviting victims to download a free version of a popular Android game such as “The Need for Speed Most Wanted” or “Angry Birds Star Wars”.

During the installation procedure the malware explicitly asks the user to grant the app permission to perform many operations, such as accessing the web and sending SMS messages, but unfortunately users rarely pay attention to the prompts that apps present to acquire further privileges.

Once infected, the victims communicate with a command-and-control server, following a classic architecture, and receive instructions on the final destinations of the SMS spam. Typically the bot receives a list of 50 or more phone numbers to send SMS to; once the messages are sent, it gets a new list from the C&C server within 65 seconds.

Cloudmark researchers discovered that the apps were downloaded from sites hosted on a server in Hong Kong that offers free copies of popular games. These URLs have been used for malware distribution:

  • newestgames.mobi
  • gamerpalace.mobi
  • trendingoffers.com
  • holyoffers.com
  • gamehaven.mobi
  • game-haven.mobi
  • freshoffers.mobi

Meanwhile, these URLs have been used by the C&C server:

  • l0rdzs0ldierz.com
  • imperialistic.mobi
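As an added example, not from the article or from the Cloudmark and Lookout research, here is a small Python detector a carrier or security team could run over outbound SMS records to flag handsets whose behaviour matches the pattern described above: batches of 50 or more messages to distinct numbers, repeated on a roughly 65-second refetch cycle, carrying links to the distribution domains listed. The log records, phone numbers and message body are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Distribution domains named in the article, used here as lure indicators in message bodies.
LURE_DOMAINS = ("newestgames.mobi", "gamerpalace.mobi", "trendingoffers.com",
                "holyoffers.com", "gamehaven.mobi", "game-haven.mobi", "freshoffers.mobi")

def build_sample_log():
    """Constructed carrier-side outbound SMS records: (time, sender, recipient, body). Numbers are fictitious."""
    base = datetime(2012, 12, 16, 10, 0, 0)
    log = []
    # Infected handset: two batches of 50 messages, the second list fetched 65 s after the first.
    for batch in range(2):
        for i in range(50):
            t = base + timedelta(seconds=batch * 65 + i * 0.5)
            body = "Free Angry Birds Star Wars! http://newestgames.mobi/download"
            log.append((t, "+15550001111", f"+1555100{batch:02d}{i:02d}", body))
    # Normal handset: three messages to one contact over half an hour.
    for i in range(3):
        log.append((base + timedelta(minutes=15 * i), "+15550002222", "+15550003333", "running late"))
    return log

def detect_spam_bots(records, batch_size=50, window_s=65):
    """Return {sender: report} for senders showing batch-and-refetch sending or lure links."""
    per_sender = defaultdict(list)
    for t, sender, rcpt, body in records:
        per_sender[sender].append((t, rcpt, body))
    findings = {}
    for sender, msgs in per_sender.items():
        msgs.sort(key=lambda m: m[0])
        times = [m[0] for m in msgs]
        bursts, i = 0, 0
        # Count non-overlapping windows shorter than window_s that hold >= batch_size messages.
        while i < len(times):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() < window_s:
                j += 1
            if j - i >= batch_size:
                bursts += 1
                i = j
            else:
                i += 1
        lure = sum(1 for _, _, body in msgs if any(d in body for d in LURE_DOMAINS))
        if bursts or lure:
            findings[sender] = {"bursts": bursts, "lure_messages": lure,
                                "distinct_recipients": len({r for _, r, _ in msgs})}
    return findings
```

On the constructed log the infected handset is reported with two bursts and 100 lure messages to 100 distinct recipients, while the normal handset produces no finding.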

The mechanism that protects the malware from being discovered is very smart: to neutralize alert messages from mobile service providers, it blocks any incoming and outgoing SMS from unknown numbers.

What is the monetization scheme behind the botnet?

According to researchers at Cloudmark, the botmasters could work in various ways, such as a classic phishing scheme, or make money by sending out messages containing links to rogue e-commerce sites that request personal information and banking credentials for payments.

Andrew Conway, a researcher at Cloudmark, declared to SCmagazine:

“This botnet has “changed the economics” of spamming campaigns.” “The typical SMS spamming technique is that a spammer will go to the grocery store, buy some prepaid SIM [subscriber identity module] cards and [use] them to send out spam messages,” Conway said. “We think the spammers are getting less and less value for money out of that approach as the industry catches on to that.”

“The spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down.”

In the SpamSoldier campaign, the fraudsters make their victims shoulder the cost of spamming, Conway explained. While he described the botnet as “primitive” compared to those that fester among infected endpoints in the traditional PC environment, the tactic may demonstrate a future model to be taken up by attackers.

So far, Cloudmark's investigation has revealed more than 800 phone numbers, mainly belonging to the U.S. carriers Verizon, AT&T, Sprint and T-Mobile, sending out the spam messages. A rough estimate suggests that the total number of compromised mobile devices is around 1,000.

The size of the botnet is still rather limited, but the wide diffusion of mobile devices could give it a much greater impact in the future; underestimating it would be a serious error.

In reality Android is the mobile OS that most attracts cybercrime because of its diffusion. Early in 2012 experts from Kaspersky Lab discovered the first IRC bot for Android, which used an IRC channel to communicate with its C&C servers. The IRC bots were used for various malicious purposes, and in that case too the victims were convinced to install the malware by masquerading it as a game application, the famous game Madden NFL 12.

In July a new spam botnet on Android devices was reported, but its existence was promptly denied by Google, which explained that the spammers were using infected computers and a fake mobile signature to abuse a Yahoo Mail app for Android devices.

Mobile botnets are a nightmare for security experts: they are very effective and difficult to trace, and the lack of awareness among mobile users, incorrect behavior such as “jailbreaking” and downloading from unsafe third-party app stores, and the large diffusion of these platforms make them ideal for hackers and cyber criminals.

Mobile platforms need an increasing level of security to protect unsuspecting users.

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.