Successful malware peddlers are always thinking up new ways of delivering malware to unsuspecting users.
In the past Android malware was mostly served on third-party online marketplaces, but according to Dell Secure Works’ researchers, the Stels Android Trojan is currently being distributed with the help of the Cutwail botnet.
The botnet has recently been spotted being used to deliver the peer-to-peer Gameover banking Trojan, but its masters have obviously realized that an increasing number of users is checking their email through their smartphones, and that they can also be targeted.
The researchers have detected a massive email spam campaign impersonating the US IRS, urging users to download a new form because of the mistakes they made in filling out the previous one:
But the link leads to a compromised site that detects which web browser and OS the victim uses, and if it’s the Android OS, it shows a fake warning urging users to update their Flash Player in order to view the page correctly (or at all).
Unfortunately, the offered “update” is actually the Stels malware in disguise. Once the user has downloaded, installed, and run it, a Flash icon appears in the apps menu with the name APPNAME:
The icon disappears altogether once the app is run for the first time and tells the user that “Your Android version does not support this update! Setup is canceled.”
But it still works in the background, stealing the contact list, reporting system and device information to a remote server, making phone calls and sending messages to premium rate numbers, and downloading and executing other malicious files. It is also capable of monitoring and recording SMS messages, uninstalling applications, and showing notifications.
If you believe that you might have fallen for the trick and have had your device infected, you should check the running process list (Settings > Manage Applications) for the malicious FLASHPLAYER.UPDATE process. If it’s there, select it and uninstall it.
The spam campaign that leads to this Trojan also serves PC users. If the victims are using IE, Firefox, or Opera, they are first redirected to a fake IRS website and then to a site hosting the Blackhole exploit kit that ultimately leads to an infection with the aforementioned Gameover Trojan.
Finally, if the victims aren’t running any of the aforementioned browsers, they are taken to a work from home affiliate scam site.
F-Secure’s Sean Sullivan points out that the Stels Trojan is not new, and that it has previously been distributed via a web portal called spaces.ru, disguised as free game apps and utilities.
What is interesting is that it targets Russian users – something that a lot of PC malware explicitly does not.
“Thus far, Russian authored Android malware has needed to target follow Russians due to the billing schemes related to SMS fraud,” he says, but predicts that given the change of the distribution channel we will soon be seeing Trojans that, once again, refuse to target devices with Russian as the display language.