The Trojan is being disguised as various popular Android games

Dec 19, 2012 09:00 GMT  ·  By

Cybercriminals are using an Android Trojan masqueraded as popular games and applications to create a SMS spam botnet.

Security experts from Cloudmark have found an Android Trojan disguised as various games – such as Need for Speed Most Wanted, Angry Birds Star Wars, Grand Theft Auto 3 or Max Payne HD – being served on free application websites hosted on a Hong Kong server.

Once they’re installed on a smartphone, the malicious apps start sending out thousands of spam SMS messages to a list of phone numbers obtained by the malware from a command and control server.

The SMS messages contain links to the malicious apps. This allows the cybercriminals to increase the size of their SMS spam botnet.

“The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers,” Cloudmark’s Andrew Conway explained.

“The application reloads automatically after a reboot as it installs itself as a service on the handset.”

The evolution of this particular campaign is interesting. It was first seen on October 26, when the spammers started disguising the Trojan as anti-SMS spam software.

Since this strategy wasn’t too successful, it only lasted for one day. However, on November 10, the cybercriminals made another attempt to spread the botnet by advertising their malicious creation as popular Android games.

On November 28, they went even further and also started sending out gift card scam messages. Interestingly, the Target gift card scam we wrote about a few weeks ago seems to be the work of these cybercriminals.

While the game offers help the crooks increase the size of the botnet, these gift card scams help them earn some money by collecting personal information for affiliate programs or identity theft.

For the victims, being part of this botnet is bad because if they don’t have an unlimited SMS plan, they’re being charged for each of the messages sent out by the Trojan.

Android users are advised to beware of suspicious applications, especially if they’re advertised via unsolicited messages.