A rudimentary, SMS-based botnet is ensnaring Android users into its web with a series of text messages offering free downloads for popular, paid gaming applications, according to Cloudmark researcher Andrew Conway.
The Trojan applications are reportedly mimicking games such as The Need for Speed Most Wanted, Grand Theft Auto 3, Max Payne HD, and Angry Birds Star Wars. Some users are apparently finding the deals too good to pass up, and, because the apps aren’t coming from the official Google Play Store, the malicious application is prompting them to go into the applications sub-section of their device’s settings menu and enable a feature that lets the device download apps from “Unknown Sources.”
Beyond this, the apps are requesting uncharacteristic permissions such as the ability to surf the Web and send SMS messages. Conway said an Angry Birds app would never request these sorts of permissions, but also concedes that most people don’t read the fine print when installing Android apps.
Once a user downloads the Trojan, it phones home to a command and control server that sends the device a list of phone numbers as well as the contents of the SMS messages that the infected device will soon begin spamming out. The device continues informing its C&C server with each message sent.
Conway writes that the zombie device, now sending out a spam message every 1.3 seconds, contacts the C&C over HTTP every 65 seconds for a new spam message and list of numbers. On average, the C&C is serving 50 mobile phone numbers to its zombies at once.
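The cadence Conway describes (an outbound SMS roughly every 1.3 seconds, an HTTP check-in with the C&C every 65 seconds) is itself a usable detection signal. The following Python sketch is an added illustration, not code from Conway's write-up or Cloudmark: it flags a device when both rhythms appear together in constructed telemetry. The device ids, the 203.0.113.10 host (a documentation address standing in for the real C&C) and the tolerances are assumptions.

```python
"""Heuristic detector for the SMS-spam beaconing pattern described above.

Constructed sample events (not real telemetry): each is
(timestamp_seconds, device_id, kind, detail), where kind is "sms"
(outbound message) or "http" (request to the host named in detail).
A device is flagged when its HTTP requests to one host recur at a
near-constant ~65 s interval AND its outbound SMS gaps stay near 1.3 s.
Tolerances and minimum counts are assumptions chosen for illustration.
"""
from collections import defaultdict

def gaps(times):
    """Inter-event gaps of a time series, after sorting."""
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]

def is_periodic(times, period, tolerance, min_events):
    """True if at least min_events events exist and every gap is within
    tolerance of the expected period."""
    g = gaps(times)
    if len(g) < min_events - 1:
        return False
    return all(abs(x - period) <= tolerance for x in g)

def flag_devices(events, sms_period=1.3, beacon_period=65.0):
    """Return {device_id: suspected_c2_host} for devices showing both rhythms."""
    sms = defaultdict(list)            # device -> SMS send times
    http = defaultdict(list)           # (device, host) -> request times
    for ts, dev, kind, detail in events:
        if kind == "sms":
            sms[dev].append(ts)
        elif kind == "http":
            http[(dev, detail)].append(ts)
    flagged = {}
    for (dev, host), times in http.items():
        if (is_periodic(times, beacon_period, 5.0, 3)
                and is_periodic(sms[dev], sms_period, 0.3, 10)):
            flagged[dev] = host
    return flagged

def sample_events():
    """Constructed data: 'dev-A' beacons to a placeholder host every 65 s and
    sends SMS every 1.3 s; 'dev-B' shows ordinary, irregular activity."""
    ev = [(i * 65.0, "dev-A", "http", "203.0.113.10") for i in range(4)]
    ev += [(10 + i * 1.3, "dev-A", "sms", "+15550000001") for i in range(40)]
    ev += [(0.0, "dev-B", "http", "example.org"), (200.0, "dev-B", "http", "example.org"),
           (5.0, "dev-B", "sms", "+15550000002"), (120.0, "dev-B", "sms", "+15550000003")]
    return ev

if __name__ == "__main__":
    print(flag_devices(sample_events()))   # {'dev-A': '203.0.113.10'}
```

In a real deployment the event source would be carrier or MDM telemetry, and the tolerances should be tuned against benign baselines before alerting.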
The first version of the SMS spam messages surfaced in late October. Ironically, and unsuccessfully, they attempted to lure in victims by offering a bogus SMS spam-blocking app. The second, more successful, fake-game-peddling version emerged in November. The second variety also offered free gift cards in an attempt to pilfer personal information for affiliate programs.
A server in Hong Kong is hosting the malicious applications, according to Conway.
You can find a list of identified Trojan apps and distribution URLs along with Conway’s write-up.