The Selfmite Android SMS worm is back, and this new version is both more dangerous and more widespread than the initial one.
AdaptiveMobile researchers, who discovered both versions, call it “Selfmite on Steroids,” and have tracked it in Canada, China, Costa Rica, Ghana, India, Iraq, Jamaica, Mexico, Morocco, Puerto Rico, Russia, Sudan, Syria, USA, Venezuela, and Vietnam.
“Selfmite.b infects many more users, uses several monetisation techniques and is generally more dangerous and difficult to stop,” they noted.
As before, the infection cycle starts with users receiving SMS messages touting the greatness of an app. “Hi buddy, try this, its amazing u know,” and “Hey, try it, its very fine,” they say, and include a shortened link.
Users who follow it, and download and install the offered APK file – a Trojanized Google Plus app into which the worm’s code is injected – get infected. The worm then contacts a remote server and downloads a configuration file that contains data that will be used by the worm to spread the infection.
Unlike the previous version of the malware, which sent out messages to only 20 of the victim’s contacts, this one sends it to all, and many times over.
“AdaptiveMobile has tracked more than 150k messages sent over the past 10 days from over 100 devices found in 16 countries. This is 100 times more traffic than that generated by Selfmite.a,” the researchers noted.
“This means that potential victims will continue to receive malicious SMS messages from an infected phone until either the operator detects and blocks these messages or an owner of an infected phone removes the malware,” pointed out researcher Denis Maslennikov.
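The propagation pattern described above (one handset pushing the same link-bearing text to every contact, repeatedly, over a short period) is the kind of signal an operator can look for in outbound-SMS records. The script below is an added illustration of such a heuristic; it is not AdaptiveMobile's detection logic and not code from the article. The log format, the phone numbers, the short-link domain, and the thresholds (a 10-minute window, five distinct recipients) are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound-SMS records in a hypothetical export format:
# "<ISO timestamp> <sender> <recipient> <body>". Numbers and links are fake.
SAMPLE_LOG = """\
2014-10-07T10:00:01 +15550000001 +15550000101 Hi buddy, try this, its amazing u know http://short.example/abc
2014-10-07T10:00:02 +15550000001 +15550000102 Hi buddy, try this, its amazing u know http://short.example/abc
2014-10-07T10:00:03 +15550000001 +15550000103 Hi buddy, try this, its amazing u know http://short.example/abc
2014-10-07T10:00:04 +15550000001 +15550000104 Hi buddy, try this, its amazing u know http://short.example/abc
2014-10-07T10:00:05 +15550000001 +15550000105 Hi buddy, try this, its amazing u know http://short.example/abc
2014-10-07T10:00:06 +15550000001 +15550000106 Hi buddy, try this, its amazing u know http://short.example/abc
2014-10-07T10:00:07 +15550000001 +15550000101 Hi buddy, try this, its amazing u know http://short.example/abc
2014-10-07T10:00:09 +15550000002 +15550000201 Running late, see you at 7
2014-10-07T10:00:10 +15550000003 +15550000301 Hey, try it, its very fine http://short.example/abc
2014-10-07T10:00:11 +15550000003 +15550000302 Hey, try it, its very fine http://short.example/abc
"""

URL_RE = re.compile(r"https?://\S+")
WINDOW = timedelta(minutes=10)        # assumed detection window
MIN_DISTINCT_RECIPIENTS = 5           # assumed threshold; tune against a real baseline


def parse_log(text):
    """Parse the constructed 'timestamp sender recipient body' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, body = line.split(" ", 3)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "recipient": recipient,
            "body": body,
        })
    return records


def find_sms_worm_senders(records, window=WINDOW, min_recipients=MIN_DISTINCT_RECIPIENTS):
    """Flag senders that push one identical URL-bearing body to many distinct
    recipients inside a single time window. Returns {sender: summary}."""
    # Only identical bodies carrying a link are candidates; group them per sender.
    by_sender_body = defaultdict(list)
    for r in records:
        if URL_RE.search(r["body"]):
            by_sender_body[(r["sender"], r["body"])].append(r)

    flagged = {}
    for (sender, body), msgs in by_sender_body.items():
        msgs.sort(key=lambda m: m["ts"])
        start = 0
        # Sliding window over the sorted timestamps of this sender/body pair.
        for end in range(len(msgs)):
            while msgs[end]["ts"] - msgs[start]["ts"] > window:
                start += 1
            distinct_in_window = {m["recipient"] for m in msgs[start:end + 1]}
            if len(distinct_in_window) >= min_recipients:
                all_recipients = {m["recipient"] for m in msgs}
                flagged[sender] = {
                    "body": body,
                    "distinct_recipients": len(all_recipients),
                    "messages": len(msgs),
                    # Re-sends to the same contact, the "many times over" behaviour.
                    "repeats": len(msgs) - len(all_recipients),
                }
                break
    return flagged


if __name__ == "__main__":
    for sender, info in find_sms_worm_senders(parse_log(SAMPLE_LOG)).items():
        print(sender, info)
```

In the constructed sample only the first number trips the rule: six distinct contacts plus one repeat within seconds, all with the same link. The third number sends the same link to just two contacts and stays under the threshold, which is the trade-off an operator tunes: a threshold low enough to catch a worm fanning out to a whole address book, high enough not to flag a person forwarding one link to a few friends.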
“By using multiple ‘touch points’ to engage users after installation, Selfmite.b increases its means of monetization,” the researchers explained.
“Users are either directed to an application in Google Play after clicking on the installed worm icon [the Trojanized Google Plus app], or they click on icons that Selfmite.b has placed on their desktops and are therefore redirected to unsolicited subscription websites. The worm also varies content according to IP addresses, meaning users in different countries will be redirected to different websites.”
It’s interesting to note that while iOS users are not in danger of getting infected, if they click on the link in the SMS, they are redirected to a specific fitness app in Apple’s App Store and urged to try it out.
So far, the spread of the worm has been contained, as Go Daddy, the owner of the URL shortening service used by the malware authors, has deactivated the malicious links. Still, the links are easily changed and pushed out to the worm via a change in the configuration file it downloads.