It’s hard to keep up with all the security threats to mobile devices these days, which is why a little advance notice is always nice. A novel piece of Android-unfriendly malware was recently discovered in Russia, but is probably headed our way, according to security experts.
An SCMagazine.com article describes a newly discovered piece of mobile malware that may be the first Android worm in the wild, according to security researchers at ESET.
The malware was identified by ESET as Android/Samsapo.A. It infects Android devices and carries out Trojan-like attacks. Like any computer worm, the malware seeks to spread and infect new victims using what ESET malware researcher Robert Lipovsky called a “more-or-less automated mechanism” in his ESET.com blog post on the new threat.
When it has infected a device, Samsapo sends SMS messages to all of the user’s contacts. The message prompts them to click on a link by asking them “is this your photo?” (in Russian only, so far). The link takes users to a site that asks them to install a downloaded malicious Android application package (APK) file.
This technique “wouldn’t raise an eyebrow on Windows, but is rather novel on Android,” Lipovsky says in his blog post.
“It is not known how the first domino piece was set into motion, but the SMS spreading is the most interesting feature of this malware,” Lipovsky told SCMagazine.com. “It’s rather uncommon, since Android Trojans usually spread by masquerading as [sometimes cracked] legitimate apps.”
ESET provides a list of the worm’s other features and capabilities:
- it appears to be a system utility (the package name is “com.android.tools.system v1.0”);
- it has no GUI and no icon in the application drawer;
- it can download additional malicious files from specified URLs;
- it acts as spyware, uploading personal information from the device, such as phone numbers and text messages, to a remote server;
- it also acts as an SMS-Trojan, registering the device’s phone number to a premium-rate service;
- it can block phone calls;
- it can modify alarm settings.
The malware is only circulating in Russia so far, but Stephen Cobb, senior security researcher at ESET North America, told IT World Canada that this is likely to change.
“We think it is highly probable that this malware will spread to other countries,” Cobb said. “In the past we saw this happen with Android SMS Trojans that covertly send messages to premium-rate numbers: they started in Russia and Ukraine but soon we found versions that worked in more than 60 countries.”
ESET recommends that users restrict the installation of applications from unknown sources, be aware of common social engineering tricks and run updated anti-malware on Android devices.