Android Targeted By SMS-Grabbing Malware

The fake software is disguised as legitimate security applications and reroutes SMS messages to Web servers.

Mathew J. Schwartz, Contributor

July 15, 2011

3 Min Read

Lookout Mobile Security Protects Android Smartphones

Lookout Mobile Security Protects Android Smartphones

Slideshow: Lookout Mobile Security Protects Android Smartphones (click image for larger view and for slideshow)

Security researchers have reported finding an early test build of SMS-grabbing malware designed to resemble a legitimate Android security application.

In particular, the Android malware attempts to fool users into installing it by trying to disguise itself as Mobile Security 9, which is legitimate mobile antivirus software from Kaspersky Lab. "The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product," said Vanja Svajcer, a principal virus researcher at SophosLabs, who detailed the rogue application in a blog post.

"When the package is launched, the malware attempts to get the unique device ID number and transform it into an 'activation code.' The fake activation code is then displayed in a standard Android view," he said. "In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a Web server set up by the attacker."

That makes the attack sound like a variation on the recently discovered Trojan spyware application Zitmo. But Svajcer said that while the functionality is similar, the malware's code doesn't provide conclusive proof of their having been developed by the same person or criminal gang.

Zitmo, which began appearing in mid-June, was disguised as an application named TrustMobile, which was available via the official Android Market. "The application has already been removed but, as it was in previous cases of malware in the Android Market, there are mirroring websites which save the information about all the programs approved by Google," said Denis Maslennikov, a security researcher at Kaspersky Lab, in a blog post.

Zitmo is short for Zeus-in-the-mobile, in reference to the mobile malware's tie-in to the Zeus crimeware kit and related botnets favored by criminals who target people's personal financial details. "Now we have Zitmo targeting four platforms: Symbian, Windows Mobile, Blackberry, and Android," said Maslennikov.

As with the fake Kasperksy application, Zitmo resembled an actual mobile security application--in this case, Trusteer Rapport. Beyond using Android Market, Maslennikov said that attackers also attempted to sneak it onto people's smartphones via related malware, which would launch when the user visited a banking website. At that point, the malware, disguised as a Trusteer security message, would ask the user to install a "new mobile app which protects your phone while working with online banking," and then query the mobile operating system their phone used. If the user selected "Android," they would be redirected to a website that hosts the malicious Android application, and asked to download and install it.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights