AdaptiveMobile has discovered a previously unknown piece of mobile malware dubbed Selfmite. It spreads via SMS and fools users into installing a worm app which propagates by automatically sending a text message to contacts in the infected phone’s address book.
The worm then prompts users to install another legitimate app via an advertising platform; the author of the worm is paid every time this legitimate app is successfully installed.
The worm was first discovered in the US, where it seems to be concentrated, but activity has also been recorded from a dozen countries worldwide.
“SMS worms for Android smartphones have previously been rare, but this and the recent Samsapo worm in Russia may indicate that cybercriminals are now starting to broaden their attacks on mobile phones to use different techniques that users may not be aware of,” said Denis Maslennikov, Security Analyst, AdaptiveMobile.
The worm spreads by sending users the following SMS, which contains a URL that redirects to the malware: “Dear [NAME], Look the Self-time, http://goo.gl/[REDACTED]”. If a user clicks on the goo.gl shortened link, they are invited to download and install an APK file, which appears as an icon on their smartphone menu after installation.
Once launched, Selfmite immediately reads the device’s address book for a name and phone pairing and sends the message to 20 different contacts, using the name as a greeting. After sending the malicious SMS messages to the new potential victims, it invites the user to download and install Mobogenie, which is a legitimate app for managing and installing Android apps.
“There is a monetisation aspect to this worm. To redirect users to the Mobogenie app, the Selfmite worm uses an advertising platform, therefore we believe that an unknown registered user of the advertising platform abused a legal service and attempted to increase the number of Mobogenie app installations using malicious software,” said Maslennikov.
In addition to impacting users’ billing plans by automatically sending spam messages, the worm puts the infected device in danger of being blocked by the mobile operator. AdaptiveMobile has contacted Google and the malicious URL has already been disabled.
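The propagation pattern described above (one handset sending the same link, with a personalised "Dear [NAME]," greeting, to 20 contacts) can be flagged in outbound SMS logs. The following is an added example, not code from AdaptiveMobile: the record format, the five-minute window, the phone numbers and the `short.example` URL are constructed assumptions; only the lure wording and the threshold of 20 come from the article.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+")
GREETING_RE = re.compile(r"^Dear\s+[^,]+,")  # personalised prefix used by the lure

def template_of(body):
    """Return (url, body with greeting name and URL blanked), or None if no URL."""
    m = URL_RE.search(body)
    if not m:
        return None
    url = m.group(0).rstrip(".,'\"")
    skeleton = GREETING_RE.sub("Dear <NAME>,", body.strip())
    return url, skeleton.replace(url, "<URL>")

def find_sms_bursts(records, min_recipients=20, window_seconds=300):
    """records: iterable of (epoch_seconds, sender, recipient, body).
    Flags senders whose single message template carried one URL to at least
    min_recipients distinct recipients within any window_seconds span."""
    groups = defaultdict(list)
    for ts, sender, recipient, body in records:
        t = template_of(body)
        if t:
            groups[(sender,) + t].append((ts, recipient))
    alerts = []
    for (sender, url, _skeleton), events in groups.items():
        events.sort()
        start, counts = 0, defaultdict(int)  # recipient -> messages in window
        for ts, recipient in events:
            counts[recipient] += 1
            while ts - events[start][0] > window_seconds:  # slide window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_recipients:
                alerts.append({"sender": sender, "url": url,
                               "recipients": len(counts), "at": ts})
                break  # one alert per sender/template is enough
    return alerts

# Constructed sample log: one infected handset and one ordinary user.
LURE = "Dear {name}, Look the Self-time, http://short.example/x1"
SAMPLE = [(1000 + i * 2, "+15550100", f"+1555020{i:02d}",
           LURE.format(name=f"Contact{i}")) for i in range(20)]
SAMPLE += [(1005, "+15550101", "+15550300", "Running late, see http://short.example/x1"),
           (1010, "+15550101", "+15550301", "Lunch tomorrow?")]
```

Grouping on the message skeleton rather than the raw body is what lets the per-contact greeting collapse into one template, so the ordinary user who shares the same link once is not flagged.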