SEATTLE — Android smartphone users beware. Spammed text messages have begun circulating that can infect your handset, causing it to continually send virulent text messages to thousands of live phone numbers each day.
That discovery comes as hackers continue to probe the Android platform, in particular, for security holes, with no slowdown expected in 2013.
“The mobile threat continues to grow at a very rapid pace with threats only increasing in complexity,” says Dan Hoffman, mobile security researcher at networking technology firm Juniper Networks.
Messaging security firm Cloudmark Research recently discovered a virulent spam campaign that is sending text messages to Android users offering free versions of Need for Speed Most Wanted, Angry Birds Star Wars, Grand Theft Auto and other popular games.
By installing the free app, the user actually downloads a hidden program connecting their handset to a command and control server in Hong Kong, says Cloudmark researcher Andrew Conway. The Hong Kong server next sends the handset a list of 50 phone numbers, copies of viral messages and instructions to begin sending the messages to each of the numbers.
Previously, Android spammers had to assemble and activate dozens of SIM cards — the chip at the heart of cellphones — and each card acted as an individual spam-blasting phone. But that can get expensive, and carriers have gotten better at detecting and blocking such campaigns.
Using infected Android handsets, instead, is akin to how spammers use infected PCs to spread spam.
“If they can get their malware on a bunch of different handsets, and, indeed, have enough handsets so it’s difficult for them all to get detected and shut down, that vastly improves the economics for spammers,” Conway says.
The victim can lose in two ways. If they don’t have an unlimited texting plan, the next phone bill could be a whopper. It takes about 65 seconds to automatically text 50 phone numbers, after which the Hong Kong server sends a fresh batch of numbers. So each infected phone can blast thousands of viral text messages a day.
What’s more, the malicious program also blocks incoming messages from anyone not on the user’s contact list. “So the phone company or a friend can’t text you back and say, ‘Stop sending me spam,’” Conway says.
In such cases, the carrier could decide to unilaterally shut down the user’s text-messaging capabilities, he says.
Cloudmark estimates that only a few thousand Android smartphones have been infected, though tainted text messages continue to circulate. More worrisome is the notion that this attack could be a precursor of what’s to come in 2013, especially for Android users.
Apple, Microsoft and Research In Motion smartphones are much less targeted. That’s because Google designed Android as an open system, making it easy for handset makers and Web-application developers to jump on board. Android has become the world’s most popular smartphone platform. But it has also become the biggest hacker target.
Juniper Networks has tracked a 350% increase in malicious and invasive apps targeting mostly Android users in the 12 months through the end of October. “Attacks are becoming more malicious and clandestine,” says Juniper’s Hoffman.
Conway advises Android users to stick strictly to Google’s official application store, Google Play, and ignore unsolicited offers that arrive by text message. If you see a suspicious text message offer, forward it in a text message to 7726, a free service set up by the carriers to eliminate spam.
Google Play is “99.99% trustworthy” because the search giant is on high alert for hackers and fixes any breaches quickly.
“You’re much safer going to Google Play than from any other source, especially ones from Asia,” Conway says. “If an offer is too good to be true, it’s a fake.”