Two newly discovered Android Trojans steal from users by sending messages to prime-rate numbers
Security researchers have come across a new Android Trojan that sends Short Message Service (SMS) communications to prime-rate numbers. This comes shortly after reports emerged that the Zeus gang has come up with an Android version of their banking malware.
Known as HippoSMS, the latest Trojan is sophisticated enough to automatically send SMS communications to expensive phone numbers and to prevent the carriers from notifying users of the charges incurred, researchers at North Carolina State University discovered on 10 July. The researchers came across HippoSMS in alternative Android markets in China. There have been no reports as of yet of this Trojan appearing in Google’s official Android Market.
HippoSMS is embedded inside an application that looks legitimate, the researchers found, and activates as soon as the application is installed on the Android device, researchers found. A number of malware-tainted Android applications recently have been distributed this way, with legitimate applications being recompiled with malicious code, such as DroidDream in March and DroidDream Light in May.
“Our investigation shows that HippoSMS directly piggybacks the host app so that when the app is launched, it will immediately activate one service to send SMS messages to a hard-coded premium-rated number,” wrote Xuxian Jiang, an assistant professor in the computer science department at NC State.
The malware then monitors incoming SMS communications and deletes all messages that come from mobile-service providers. Providers typically send users notification messages about the user’s account, such as the current balance. By deleting the messages, the Trojan ensures the user doesn’t find out about the costly text messages until the bill arrives.
As threats go, HippSMS is fairly limited as it affects only users in China and the malware is hard-coded to send messages to a specific number. This kind of mobile malware that sends stealthy text messages to expensive prime-rate numbers is a serious problem in Russia, China and the Ukraine, where it’s easy to rent out these numbers, Denis Maslennikov, a senior malware analyst at Kaspersky Lab, told eWEEK.
As new SMS malware makes the rounds, Fortinet researchers claimed that recently identified banking malware was linked to the gang behind the Zeus Trojan. A malicious application masquerading as an Android version of the Trusteer Rapport banking-security tool, this Trojan was distributed by a web server that pushed out Zbot, the mobile Zeus variant, for other platforms as well.
The installed application uses a stolen Rapport icon and intercepts all received SMS communications on the device. The messages are also encoded and forwarded onto a different server. Despite the capabilities and the originating web server, the Trojan’s lack of sophistication makes it hard to determine whether it was part of the Zeus kit, Vanja Svajcer, a principal virus researcher in SophosLabs, wrote on the Sophos NakedSecurity blog. For example, the command-and-control server’s address was hard-coded in the source code, making the Trojan “quite inflexible”, Svajcer found.
“We cannot be 100% sure that this is indeed a part of the Zeus kit,” Svajcer said.
The fake Trusteer Rapport application “doesn’t fit the Zeus MO [modus operandi]”, Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab, told eWEEK. The Zeus kit is designed to be efficient, and malware that intercepts all text messages doesn’t fit the profile because the cyber-criminal will have to do a lot of digging to find the relevant banking messages, Schouwenberg said. If this had been from the “Zeus guys” they would have at least taken “some rough edges off”, he said.
There are currently Zeus variants for Symbian, Windows Mobile and Blackberry phones in the wild. One of the characteristics for the mobile Trojan is its ability to intercept SMS communications from financial institutions to steal online-banking credentials.