Trojans that send SMSs to premium-rate numbers are among the most dangerous

Jan 12, 2012 09:35 GMT

The Carrier IQ controversy made waves in the media, and a number of companies developed detection tools that tell smartphone owners whether their devices contain the spy software. Cybercriminals turned this to their advantage and released malicious versions of the tools that not only detect the presence of Carrier IQ software, but also seamlessly send SMSs to premium-rate numbers.

Symantec researchers found one such open source application that had been modified with a piece of code that turns the app into an SMS-sending Trojan.

Identified as Android.Qicsomos, the app, once installed, creates an icon in the phone’s menu that resembles that of a major European telecoms operator.

The curious thing is that the app isn’t on Android Market, which means that the crooks who run the scheme use another vector to spread the malware, most probably relying on social engineering to complete their objective.

Most likely, the malicious software is served with the aid of spam emails that pretend to originate from legitimate wireless carriers, urging recipients to download and execute the app.

The piece of code that sends the SMSs to premium-rate numbers comes into play when the user presses the program’s Uninstall button. Four SMSs are sent to a premium-rate number, and only then does the Trojan initiate the uninstall routine to remove the application.

This particular variant, found by Symantec experts, targets French speakers. Those who have already installed it can safely remove it by using the operating system’s settings menu instead of the uninstall feature the app offers.

The worrying fact is that the program appears to be signed with a certificate that is part of the Android Open Source Project (AOSP), which allows the installation to take place without displaying the permissions notification screen that in certain cases gives away the true identity of rogue Android software.

Fortunately, this affects only users who rely on older versions or those who use custom mods that reuse the published keys.