Android botnet detected that uses victims' devices to send SMS spam

News by Danielle Walker

A botnet of Android users has been discovered that is being used to deliver SMS spam.

A botnet of Android users has been discovered that is being used to deliver SMS spam.

According to research by security firms Cloudmark and Lookout Mobile Security, this is the first known Android botnet and it consists of compromised devices sending out spam SMS messages.

According to research, the botnet grows when users install a malicious game application that contains the SpamSoldier Trojan. The infected devices then communicate with a command and control (C&C) server, receiving instructions to send SMS messages to more than 100 phone numbers. After those numbers are texted, infected phones get a new list of targets within about a minute. The malware also blocks incoming and outgoing texts from unknown numbers incase users or mobile service providers try to alert victims of their spamming.

Cloudmark researcher Andrew Conway said that the botnet's owners are likely to be making money through a variety of strategies, including sending out links to claim bogus gift cards, but which actually lead to rogue marketing sites that request personal information.

He told SC Magazine US: “This botnet has ‘changed the economics' of spamming campaigns. The typical SMS spamming technique is that a spammer will go to the grocery store, buy some prepaid SIM cards and use them to send out spam messages.

“We think the spammers are getting less and less value for money out of that approach as the industry catches on to that.”

With SpamSoldier, it is the victims who shoulder the cost of spamming, as Conway said that while the botnet was ‘primitive' compared to those that fester among infected endpoints in the traditional PC environment, the tactic may demonstrate a future model to be taken up by attackers.

Cloudmark researchers said that they had detected more than 800 phone numbers sending out the spam, and they believe the total number of infected devices is around 1,000.

A spokesperson for Google declined to comment on the research.

Research from Lookout found that once SpamSoldier was opened it begins working, but first it removes its icon from the launcher to cover its tracks. After receiving instruction on the initial 100 numbers to contact from the C&C server and getting its new list of 100 numbers, it will continue to get these until the C&C either doesn't respond, or the application is closed.

“SpamSoldier also attempts to hide any evidence of malicious activity: the user won't be able to see outgoing messages, and the app also attempts to intercept any incoming SMS replies so that the user remains blissfully unaware of any problems,” it said.

“It appears that the distribution of this malware is limited. The potential impact to mobile networks may be significant if the threat goes undetected for a long period of time. The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier's network. The sole infection vector appears to be spam SMS messages; we have not yet detected SpamSoldier on any major app stores.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews