Another week, another trojanized Android app. And, according to Trend Micro researchers, this one has a feature that sets it apart from similar earlier ones: it intercepts text messages based on keywords defined in its configuration file.
The malware is bundled with a legitimate Android game by the name of “Coin Pirates” and has (predictably) been offered for download on a third-party Chinese app market.
Compared to the permissions requested by the legitimate app, those requested by the trojanized one make it obvious that it is up to no good.
Once the permissions are given, the app installs three receivers. Two of them are tasked with starting the service that lets the app contact a remote server, and the third one evaluates all received text messages.
And when a text message contains one of the keywords defined by the malware author, it is either deleted or uploaded to the server, where the model, the SDK version and the IMEI and IMSI numbers of the affected device have already been sent by the app.
“Older SMS-targeting Android malware use the originating number to filter text messages. This malware checks for keywords inside the body of the messages, resulting in a more targeted approach,” explain the researchers, adding that it is also capable of sending out text messages to predefined numbers and adding bookmarks to the device’s browser.
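For triage of a repackaged app like the one described above, the following added example (not from Trend Micro or the original article) diffs the permissions of an original and a candidate manifest and lists the receivers that filter on incoming SMS. Both manifests, the package name and the receiver names are constructed, and the input is assumed to be manifest XML already decoded from the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifests in decoded XML form; not taken from the real sample.
LEGIT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootRx">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsRx">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def permissions(manifest_xml):
    """Set of permission names requested by a manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def sms_receivers(manifest_xml):
    """(receiver name, filter priority) for receivers that see incoming SMS."""
    found = []
    for rx in ET.fromstring(manifest_xml).iter("receiver"):
        for flt in rx.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                prio = int(flt.get(ANDROID_NS + "priority", "0"))
                found.append((rx.get(ANDROID_NS + "name"), prio))
    return found

def triage(original_xml, candidate_xml):
    """Permissions added by the candidate, plus its SMS-watching receivers."""
    added = permissions(candidate_xml) - permissions(original_xml)
    return {"added_permissions": sorted(added), "sms_receivers": sms_receivers(candidate_xml)}
```

A high filter priority on an SMS receiver is worth noting during review, since it lets the receiver handle a message before the default messaging app does.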