The Apple iPhone may still be the gold standard when it comes to smartphones, but the Android platform has become the playground of choice for attackers and malware authors looking to make a quick buck. The latest example is a premium-rate SMS Trojan that not only automatically sends costly SMS messages, but also prevents users’ carriers from notifying them of the new charges.
The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China. Researchers at North Carolina State University came across the HippoSMS malware in some alternative Android markets, and their analysis showed that the malware is set up in sort of a classic host-parasite fashion. The malware is embedded in a seemingly legitimate application in the market, and once users download and install that app, the fun begins.
“Our investigation shows that HippoSMS directly piggybacks the host app so that when the app is launched,
it will immediately activate one service to send SMS messages to a hard-coded premium-rated
number (1066******). After that, it registers one ContentObserver to monitor incoming SMS messages.
Inside the ContentObserver, it will delete any SMS message if it starts with the number “10.”
Note that the numbers such as 10086/10010 represent legitimate mobile phone service providers in China and
are typically used to notify users about the services they are ordering and the information of users’ current
balance of their mobile phone accounts. As a result, we believe the removal of the related SMS messages
is used to hide the additional charges caused from the malware,” Xuxian Jiang, an assistant professor at NC State’s department of computer science, wrote in an analysis of the new malware.
This is just the latest in a series of similar incidents in which attackers and scammers have inserted either outright malicious apps or seemingly benign apps containing malware into app markets. Most of the attacks have targeted Android users, and several times Google has had to remove malicious apps from the official Android market. Just last month, Jiang identified another malware outbreak in the Android Market in which a piece of malware called Plankton was found in at least 10 apps. Google removed those apps from the market.
Perhaps the most infamous incident, though, was the DroidDream malware attack, in which dozens of apps in the Android Market were infected with the DroidDream Trojan and tens of thousands of users downloaded the apps, compromising their mobile devices. Google not only removed the apps from the market in those cases, but also used a little-known capability to remotely remove the malicious apps from users’ phones.
Jiang said that the new HippoSMS malware appears to affect only users in China at the moment. SMS Trojans such as HippoSMS that send stealthy texts to premium-rate numbers have become a serious problem in many European and Asian countries, including Russia, China, Ukraine and others. They haven’t made an incursion in the United States yet, but the day is young.
