A new form of Android malware can sneak onto your phone, show up as an icon resembling the Android app store known as Google Play — and send your phone number to criminals, who can then use it to send out text messages or launch a Distributed Denial of Service (DDoS) attack.
Russian security firm Doctor Web has issued a warning about the Trojan known as Android.DDoS.1.
“It is not quite clear yet how the Trojan spreads, but most probably criminals employ social engineering tricks and disguise the malware as a legitimate application from Google,” the security firm said on its site.
Once Android.DDoS.1 is installed on a phone, it creates an application icon that looks like that of Google Play’s. “If the user decides to use the fake icon to access Google Play, the original application will be launched, which significantly reduces the risk of any suspicion,” Doctor Web says.
The Trojan’s activities “can lower performance of the infected handset and affect the well-being of its owner, as access to the Internet and SMS are chargeable services,” the security firm says. “Should the device send messages to premium numbers, malicious activities will cost the user even more.”
How do you know whether you have this truly bad boy? You could install mobile security software. Doctor Web’s software can identify the Trojan, and it’s likely that mobile software from other firms including Lookout, Kaspersky, McAfee or Norton, can, or will soon, do the same.
As Kaspersky noted recently on its blog, “Cybercriminals love to offer their infected programs directly through the Google Play applications store … The first case of this was reported back in March 2011, and since then malware has appeared regularly in this online store. A combination of insufficient analysis of the apps on Google Play and customers’ continuing confidence in it as a safe source of software, means malware can survive there for days — sometimes weeks — infecting many devices.”
The Federal Trade Commission also recently posted a free Smartphone Security Checker for users of Android, as well as Apple’s iOS, BlackBerry and Windows phones. This online tool takes consumers through a 10-step security checklist tailored to their smartphone’s operating system. Even though it does not place malware protection software on your phone, it’s a good place to start.
A new trojan for Android has been discovered that can help carry out Distributed Denial of Service (DDoS) attacks. The malware is also capable of receiving commands from criminals as well as sending text messages for spamming purposes.
The threat, detected as “Android.DDoS.1.origin” by Russian security firm Doctor Web, likely spreads via social engineering tricks. The malware disguises itself as a legitimate app from Google, according to the firm.
Once the app is installed, it creates an icon that resembles the one for Google Play. Tapping this icon will still launch Google Play, reducing suspicion that something isn’t right.
After it is launched, the trojan immediately tries to connect to its Command and Control (CC) server. If successful, it sends the victim’s phone number to the criminals and then awaits instructions sent by SMS. The malware has two main functions: attack a specified server (criminals send over its address and the port), and send a text message (criminals send over the message text and the number to which it should be sent).
When it receives a DDoS attack command, the malware starts to send data packets to the specified address. One user won’t be able to hurt a site single-handedly, but if criminals have got the malware onto enough Android devices, they could potentially take down a site if if a critical mass of infected phones and tablets target it at the same time.
When it receives a command to send an SMS, it immediately spams the recipient. The infected device can hurt its victims not just by significantly reduced performance, but by unexpected charges for accessing the Internet and sending text messages.
Doctor Web notes Android.DDoS.1.origin’s the code of is heavily obfuscated, meaning its creators want to hide its true function. This shouldn’t be too surprising given that the threat can clearly be used for attacking websites (for competitive reasons, political motives, and so on), spamming products, or simply generating revenues by sending large amounts of text messages to premium numbers.
It’s important to note that we haven’t seen any indication that this threat is spreading quickly or that it is being widely distributed. That being said, it is still interesting to see Android malware used as a DDoS attack tool.
Image credit: Ali A