Android SMS Trojans evolve, go after bank and payment system accounts

“Once upon a time cyber crooks used SMS Trojans to earn themselves money by subscribing users to unwanted premium mobile services. Today, the situation has changed, and these Trojans can do much more damage.

Take for example an Android SMS bot spotted by Dr. Web researchers. It can text messages to premium services, but it is also capable of checking the device for online banking applications of a number of financial organizations, as well as the balances of the user’s mobile account and their account in one popular Russian payment system.

The malware is able to do that because it can send specially crafted SMS messages to those services, asking them for the needed information, and then it forwards the replies to the server controlled by the crooks. The victims are unaware that anything like this is happening, as the malware attempts to conceal those responses from the device’s owner by deactivating all sound and vibrating alerts, and by ultimately deleting those messages.

“If the user has money on any of the mentioned accounts, cybercriminals can steal it by issuing an appropriate command,” the researchers explained. “The victim finds out about the attack not right after the crime is committed but some time later, because the Trojan blocks all messages containing conformation codes and notifications on financial operations.”

Currently, the malware is aimed at Russian users, and it seems that the attackers are using information provided in advertisements placed online by the victims in order to trick them into installing the bot.

In a typical scenario, victims receive an SMS supposedly sent by a person who wants to purchase an item the victim tried to sell online. The message includes a link to a website where more details about the possible deal are apparently outlined.

Unfortunately for those who fall for it, clicking on the link triggers the download of the Trojan’s APK file (the link is harmless if the victim does not use an Android device).

Android.SmsBot.459.origin is disguised as a client application for an advertising website well known in Russia,” the researchers warn. “Even the icon is borrowed from the original programthis way, a potential victim should not have any doubts that they are dealing with the real advertising platform.”

Once installed and launched, the fake app will try to gain admin privileges so that it becomes difficult to remove. The victims will usually grant those rights, as the app effectively badgers them into doing that by constantly prompting them and effectively making the use of the device impossible until they do.

The researchers advise users to avoid opening links from dubious SMS messages and installing applications downloaded from unreliable sources in order to protect themselves from this type of attacks.”