Name of the payload changes for each download

Apr 24, 2015 09:40 GMT

Android users in China landing on a fake page with smut content are tricked into installing an SMS Trojan that generates fraudulent transactions and confirms them by replying to purchase validation messages.

The malware piece subscribes the user to services offering adult content or on-demand videos, and it can send premium-rate messages.

Name of the malicious app is dynamically generated

Once the potential victim reaches the malicious web page, they are asked to download an app in order to get access to the content. The software is obtained from a third-party store and its name is dynamically generated for each download request.

Researchers at Zscaler say that this tactic is most likely adopted to evade detection based on blacklists with known names for malicious apps.

On a compromised device the malware intercepts incoming SMS messages and checks each one's sender and text against a hard-coded list.

The Trojan sends messages that subscribe the victim to services controlled by the attackers. When the purchase confirmation message arrives, it is validated and the charges are made in the name of the victim.
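The behaviour described above (an app obtained outside a curated store that both receives and sends SMS) can be triaged from a device dump without relying on the app's name, which this campaign randomises per download. The following is an added example, not code from the article or from Zscaler: it parses an abridged, constructed sample in the shape of `adb shell dumpsys package` output and flags third-party packages that request both SMS permissions. The package name `cn.video.a7f3e9` and the installer list are assumptions for illustration.

```python
import re

# Constructed sample in the shape of abridged `adb shell dumpsys package`
# output; not a real capture from the campaign discussed in the article.
SAMPLE_DUMP = """\
Package [com.android.chrome] (3f2a1b):
    userId=10120
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
Package [cn.video.a7f3e9] (9c4d2e):
    userId=10231
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_PHONE_STATE
"""

# Receiving plus sending SMS is the capability needed to confirm a
# premium subscription on the victim's behalf.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
# Assumed set of curated-store installers (Google Play, Amazon Appstore).
TRUSTED_INSTALLERS = {"com.android.vending", "com.amazon.venezia"}


def parse_dumpsys(text):
    """Return {package: {"installer": str, "permissions": set}} from dump text."""
    pkgs, current, in_perms = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:  # a new package block starts; reset the permission-section flag
            current = pkgs.setdefault(m.group(1), {"installer": "null", "permissions": set()})
            in_perms = False
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("installerPackageName="):
            current["installer"] = s.split("=", 1)[1]
        elif s.endswith("permissions:"):  # only the 'requested' section is collected
            in_perms = s == "requested permissions:"
        elif in_perms and s.startswith("android.permission."):
            current["permissions"].add(s.split(":")[0])
    return pkgs


def suspicious_sms_apps(text):
    """Sideloaded packages that can both receive and send SMS, regardless of name."""
    return sorted(name for name, info in parse_dumpsys(text).items()
                  if SMS_PERMS <= info["permissions"]
                  and info["installer"] not in TRUSTED_INSTALLERS)
```

A flagged package is a lead for manual review, not a verdict; legitimate messaging apps also hold both permissions.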

Researchers say that “the malware also leverages the International Mobile Subscriber Identity (IMSI) property for determining the location of the device, as well as service provider information.”

SMS fraud widely used against Android users

The researchers were able to gain access to the command and control (C&C) server the Trojan reports to, because certain pages of the panel lacked authentication. The administration panel offers options to view the current list of instructions, add new commands and check various statistics.

Zscaler notes that SMS fraud continues to be the most prevalent form of monetization they see, and that it is almost always associated with the Android platform. This shows that Google's OS is the one preferred by cybercriminals, because there are plenty of unofficial app stores that can be leveraged for malware distribution.

As always, the recommendation is to stick to properly curated marketplaces for getting Android apps, such as the official Google Play and Amazon Appstore.