Android 'wide open' as SMS attack hits 100,000 users

SMS phishing malware such as the recent Heart App attack - which sent out 20 million messages and infected 100,000 Android users in China - could spread epidemically in future and cannot be stopped even by the newer versions of 'wide open' Android, researchers have warned.

Android 'wide open' as SMS attack hits 100,000 users
Android 'wide open' as SMS attack hits 100,000 users

Security firm FireEye said in a 12 August blog post by Jinjian Zhai, Tao Wei and Jimmy Su that Heart (XXShenqi in Chinese) can easily be resurrected, even though police in Shenzhen province arrested the 19-year-old alleged perpetrator, a student at Central South University, earlier this month.

The blog says: “The growth rate of this SMS phishing malware reveals the fact that such apps can be developed easily and spread epidemically in the future.

“Although the Android OS has received certain fixes to its wide-open permissions for reading and sending SMS in KitKat, malware can still send out SMS in those versions, meaning the newer versions of Android can't prevent the prevalence of such malware.”

During the Heart campaign, the malware masqueraded as a trustworthy app which, when accepted, collected the victim's personal data and spread itself by sending an SMS containing a download link to the victim's first 99 contacts.

It also tricked people into installing a secondary malware component (com.android.Trogoogle), which Intercepted and sent SMS messages to the hacker's email address. The malware cost each victim an average of 30 Chinese Yen or £3.

FireEye said the attack succeeded even though KitKat - version 4.4 of Android - tightened security by enabling users to choose their default SMS app.

“In Android 4.4, non-default SMS apps can still send SMS if it has the SEND_SMS permission,” the blog explained. “The XXShenqi SMS phishing malware can still operate in Android 4.4 because it has the SEND_SMS permission.”

The blog added: “Even when the hacker was finally identified and detained, the only way that the authorities could stop the exponential expansion of infected users was by removing the app from its web hosting service. Yet the malware can easily be resurrected when repackaged and hosted in numerous cloud storage services.

“As few security mechanisms and detection capabilities exist for mobile malware, it's easy to see why 20 million SMS were sent and 100,000 users were infected in only a few days.”

FireEye further warned: “Another reason for the spread is the social engineering aspect of smartphones, where individuals tend to trust the links sent by someone on their contact lists.”

Android expert Rob Miller, a security consultant with UK-based MWR InfoSecurity, agreed the attack exploited high levels of user trust in Android.

He told SCMagazineUK.com in an email: “This is another example that demonstrates how Android's greatest strength is also its greatest weakness. Android gives control of the phone to the user, letting them install whatever apps they like from whatever source and having them decide on the level of trust and privilege the app should have.

“In this case, the app is far from sophisticated, but its effectiveness is based on the inherent trust users have of their contacts, and of inherent Android security.”

Tom Moreton, a consultant at Context Information Security , also pointed to lack of user caution as a prime cause.

He told SC: “The spread of the app certainly highlights user awareness issues when it comes to Android applications and permissions. When a user tries to install an application, Android shows which permissions the application has requested and these must be accepted before the application can be installed.

“The spread of the virus through SMS messages likely contributed to its success, with users trusting that the application should be allowed to send SMS messages because it appeared to have been recommended by a friend.”

Moreton said: “This malware should serve as a reminder that, like any other device, mobile phones are targets for attackers and application permissions should be carefully checked, no matter the source.”

Miller had similar advice. “It is important that, if a user is going to start installing apps from sources other than Google Play, they take the time to inspect the permissions that the app requires and whether they trust the source.

“Ultimately for many users, the desire to get the latest new free game means they are rushing these checks. When in doubt, the old adage remains: ‘If it's too good to be true, it is'.”