Cutwail Botnet Targets Android Users Via Spam

Attackers shifting to traditional PC tactics in bid to pilfer data from Android owners

The massive Cutwail botnet has been pushing out spam containing malicious links in an attempt to spread Android malware, marking a significant milestone in the evolution of the mobile threat, security researchers have warned.

Dell SecureWorks discovered the new ‘Stels Trojan’, which can steal users’ contacts and text messages, install additional malware and make calls. Its delivery method is particularly rare for an Android threat – traditionally attackers have used official and unofficial app stores to push malware disguised as legitimate apps.

Cutwail + Android = Carnage

Cutwail spam often contains links to Trojans aimed at Windows PCs. It sends messages designed to trick users into clicking on links to sites that launch the prevalent Blackhole exploit kit. This tool looks for vulnerabilities on the user’s system to exploit before installing malware on the victim’s machine.

In this particular campaign, a PHP script on the landing site detects whether the visitor is running Android. If so, the site displays a fake Adobe Flash Player update which, if clicked on, prompts the user to download the Stels executable.

The user has to enable the “Unknown Sources (Allow installation of non-Market applications)” option in their phone’s security settings before the malware can infect the device.

Once on the user’s phone, it will load up a Flash icon in the apps menu, with the name APPNAME. If launched, the Stels trojan displays a fake error message reading: “Your Android version does not support this update! Setup is canceled.” It then deletes the Flash icon from the apps menu.
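The delivery chain described above leaves a recognisable trace at the network edge: an Android user agent fetching an APK, often under a Flash or Adobe update name. The following added example (not from the article or from SecureWorks) runs that detection over constructed proxy log lines in a hypothetical `client "User-Agent" url status content_type` format; the hostnames are placeholders.

```python
import re

# Constructed sample of web proxy log lines (hypothetical format:
# client_ip "User-Agent" url status content_type). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 "Mozilla/5.0 (Linux; Android 4.0.4; GT-I9100) AppleWebKit/534.30 Mobile Safari/534.30" http://spam-landing.invalid/update/flash_player_update.apk 200 application/vnd.android.package-archive
10.0.0.6 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/25.0 Safari/537.36" http://spam-landing.invalid/index.php 200 text/html
10.0.0.7 "Mozilla/5.0 (Linux; Android 4.1.2; Nexus 7) AppleWebKit/535.19 Safari/535.19" http://files.example.invalid/tools/utility.apk 200 application/octet-stream
10.0.0.8 "Mozilla/5.0 (Linux; Android 2.3.6; HTC Desire) AppleWebKit/533.1 Mobile Safari/533.1" http://spam-landing.invalid/AdobeFlashPlayer.apk 200 application/octet-stream
10.0.0.9 "Mozilla/5.0 (Linux; Android 4.2.2; Nexus 4) AppleWebKit/537.31 Chrome/26.0" https://play.google.com/store/apps/details?id=com.example.app 200 text/html
"""

LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\S+) (\d{3}) (\S+)$')
APK_MIME = "application/vnd.android.package-archive"
LURE_RE = re.compile(r"flash|adobe", re.IGNORECASE)  # the fake-update lure


def parse_line(line):
    """Return (client_ip, user_agent, url, status, content_type) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ua, url, status, ctype = m.groups()
    return ip, ua, url, int(status), ctype


def detect_fake_flash_apk(log_text):
    """Flag Android clients that fetched an APK from the web (sideloading
    outside an app store) and mark those whose download name uses the
    Flash/Adobe update lure. Returns one dict per suspicious download."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ua, url, status, ctype = rec
        if status != 200 or "Android" not in ua:
            continue
        path = url.lower().split("?")[0]
        is_apk = ctype == APK_MIME or path.endswith(".apk")
        if not is_apk:
            continue
        hits.append({"client": ip, "url": url,
                     "flash_lure": bool(LURE_RE.search(url))})
    return hits


if __name__ == "__main__":
    for h in detect_fake_flash_apk(SAMPLE_LOG):
        sev = "HIGH" if h["flash_lure"] else "MEDIUM"
        print(f"[{sev}] {h['client']} downloaded APK {h['url']}")
```

Any APK fetched from a site outside the normal app-store channels deserves a look; the Flash/Adobe naming raises it to the campaign described here.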

All the while, the Android malware is siphoning off user data, monitoring SMS messages to potentially pick up special bank authentication codes known as mTANs, and allowing the attackers to play around on the phone by uninstalling apps and making calls. All this is done at the behest of those running the Stels command and control infrastructure.

As of 12 March, the strain of Stels discovered by SecureWorks was not detected by any of the 44 anti-virus products on VirusTotal.

“The CTU research team has discovered similar SMS stealers that share a common codebase with the Stels trojan, which likely indicates that Stels originates from the same malware author or Android crimeware kit,” SecureWorks wrote.

Sean Sullivan, security adviser at F-Secure, told TechWeekEurope his team had also been looking into the Android malware, noting that the shift away from app stores should help attackers reap more rewards from their illicit campaigns.

“My mom is not at risk from app stores (she doesn’t install a lot of extra software). But she does read email with her Android phone,” he said.

“This is a significant evolution in Android malware distribution. There’s a silver lining in the fact that Gmail probably has excellent defences against Cutwail themed spam.

“But I can tell you, my Yahoo account has failed to block Amazon themed Cutwail spam in the past. So if Android users are checking multiple (and legacy) email accounts – I’d be wary of links,” warned the expert.

Android malware, which has been known to sell for as much as $15,000 on the underground, has been growing at a startling pace over the past two years. Just this week it was seen used against Tibetan activists, with fingers pointed at the Chinese government.
