Updated Android Trojan Pushed in SEO Attacks

Mobile attacks may have reached a tipping point, as researchers observe search engine optimization used to spread a malicious program for mobile devices running the Android operating system.

One month after researchers first identified a Trojan horse program that targets mobile devices running Google’s Android operating system, a variant of that program, dubbed FakePlayer.b, has been identified in the wild, and is being pushed out in attacks that use search engine optimization to seed Web search results lists with links to Web pages offering the malicious program, according to researchers at Kaspersky Lab.

FakePlayer.a was first identified on August 9. It was the first malicious program categorized as an SMS Trojan for Android devices. SMS Trojans are the most common form of malware affecting mobile phones, though none targeting Android phones had been detected in the wild before.

SMS Trojans give attackers remote access to compromised phones. They can be used to spread malware between phones, by forwarding malicious SMS text messages to an owner’s contacts. Alternatively, they can surreptitiously connect to premium rate services without the owner’s consent, running up hundreds or thousands of dollars in bogus charges. 

According to Kaspersky researcher Denis Maslennikov, who discovered and analyzed the new variant, FakePlayer.b is very similar to the earlier one. The application poses as a pornography media player, dubbed pornplayer.apk. The application isn’t available on the Android Marketplace, but can be found online, through Russian-language Web sites offered up to Web surfers looking for online pornography. Once installed, the application sends SMS messages to premium rate numbers without prompting the phone’s owner to confirm the messages, which can cost US $6 each, Maslennikov wrote.

As with the earlier variant, FakePlayer.b is not offered through the Android Marketplace. Instead, it must be downloaded from third-party Web sites not affiliated with Google. Furthermore, Android owners must approve the installation of the application and give it access to send SMS messages.

Writing on the Kaspersky Lab research blog, Maslennikov said that the request to send and receive SMS messages should be a tip-off, as media players shouldn’t have any use for the messaging features of Android phones. 
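The tip-off Maslennikov describes can be checked mechanically before an app is installed. The following is an added example, not code from Kaspersky or from the article: it assumes the APK's manifest has already been decoded to text XML (real APKs store it in a binary form), and the category allow-list and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions that let an app send or read text messages.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

# Assumption: app categories with a plausible need for SMS access.
CATEGORIES_NEEDING_SMS = {"messaging", "dialer"}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (node.get(ANDROID_NS + "name") for node in root.iter("uses-permission"))
    return {name.strip() for name in names if name}

def sms_mismatch(manifest_xml, claimed_category):
    """List SMS permissions that the app's claimed purpose does not explain."""
    if claimed_category.lower() in CATEGORIES_NEEDING_SMS:
        return []
    return sorted(requested_permissions(manifest_xml) & SMS_PERMISSIONS)

# Constructed sample: a "media player" that asks to send SMS messages.
SUSPICIOUS_PLAYER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.player">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Movie Player"/>
</manifest>"""

# Constructed sample: a media player with permissions that fit its purpose.
ORDINARY_PLAYER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.tunes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Tunes"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_PLAYER), ("ordinary", ORDINARY_PLAYER)):
        print(label, sms_mismatch(manifest, "media player"))
```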

The use of search engine optimization (SEO) techniques to promote the malware suggests that organized cyber criminals have taken an interest in the program and in getting a foothold on mobile devices, he said.

Search engine optimization has become one of the most potent weapons in the cybercriminal toolkit. Organized crime groups have shown themselves to be adept at harnessing online interest in big events – from storms to political happenings to popular culture – to put malicious Web pages in the path of curious Web surfers. 

Android use is skyrocketing, as leading handset makers latch on to the open source operating system to produce sleek, multifunction devices that rival Apple’s iPhone. A recent report from market research firm IDC said that Android phones could command a 24.6% share of the mobile device operating system market in 2014, a 50% jump that would make it second only to Symbian and ahead of the current number two, RIM’s BlackBerry OS, were the IDC predictions to hold true.

Contacted via instant messenger, Maslennikov of Kaspersky said FakePlayer.b isn’t the first mobile malware pushed out in SEO attacks, but that organized online criminal groups have only recently begun using the tried and true technique for mobile malware in addition to PC-based malware.

Security experts predict that threats and attacks will follow the market, and the growing consumer shift from laptops and desktop computers to mobile devices. Researchers have raised flags about Android’s open source code and unfettered application ecosystem, which some liken to the push by Microsoft for dominance of the PC operating system in the 1990s, when features and convenience trumped security and privacy concerns.

During the course of researching the origin for the first SMS Trojan for Android devices, I found a new Android package masquerading as a porn media player but which instead sends SMS messages to premium rate numbers.

The SMS messages cost $6 each and are sent silently in the background without the user’s knowledge.

The latest Android malware (detected as Trojan-SMS.AndroidOS.FakePlayer.b) is being distributed via clever search engine optimization (SEO) techniques, a clear sign that cyber-criminals are making every effort to infect mobile devices. The use of SEO is a significant development that confirms our belief that mobile malware – especially on Android devices – is a potentially lucrative business for malicious hackers.
