Android users in Germany targeted by cybercriminals

Aug 2, 2014 14:51 GMT
App claims to be Google Network Service, sends intercepted SMS to a remote server

Security researchers have observed short text messages (SMS) claiming to be a tracking notification from DHL to deliver Android malware to German users.

The tracking-notification spam is a classic on PCs, leveraging the names of reputable couriers such as DHL, FedEx, or UPS. As Android has grown in popularity, cybercriminals have adapted the scam to mobile devices.

Researchers at McAfee Labs have noticed that this trend is currently targeting users in Germany, who receive malware hosted on Dropbox cloud storage. The malicious file is an installer package named “DHL.apk”, delivered through a shared link that is masked with Google’s URL shortening service.

According to McAfee, the German SMS reads “Ihr DHL Packung ist ihnen geliefert, verfolgen Sie online über,” followed by the URL of the malicious download. Translated, the message says that the DHL parcel has been delivered and can be tracked online via the provided link.

When installed, the application purports to be Google Service Framework and takes its place on the home screen. At first launch, the user is asked to grant it device administrator privileges, a behavior observed in many malicious campaigns against Android users.

While pretending to load the DHL tracking data, the malware, detected by McAfee as Android/SmsHnd.A, actually starts a background service that establishes communication with the command and control server, from which it receives instructions on what to steal from the device.

The security researchers say that the malicious file is capable not only of leaking sensitive information (phone number, device model, IMEI, and IMSI) from the device, but also of stealing the contact list.

Moreover, the cybercriminals have devised it to be able to send short text messages with information (phone number and text) received from the command and control server.

Alternatively, it can be used to spam the entire contact list of the infected Android device with messages, which could serve as a method of distribution.

“In addition to these actions, every time an SMS message is sent to the infected device (but not from any of the numbers from the victim’s contact list), it will be intercepted and forwarded to a remote server,” writes McAfee mobile malware researcher Carlos Castillo in a blog post.

One reason for this would be to intercept the two-factor authentication codes sent to the victim to log into online banking accounts.
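The behaviour described above (SMS interception, SMS sending, contact theft, IMEI/IMSI collection, a device-administrator request and a label that impersonates a Google component) leaves a recognisable footprint in an APK's manifest. The following static triage check is an added example, not McAfee's analysis code or the malware itself; the manifest it inspects is constructed to resemble that capability set and is not the real DHL.apk.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not the real DHL.apk): SMS interception and
# sending, contacts, phone identifiers, network access, a device-admin
# receiver, and an app label that mimics a Google system component.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.dhl">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Service Framework">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Capability groups matching the behaviour reported for this campaign.
CAPABILITY_GROUPS = {
    "sms_intercept": {"android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "device_fingerprint": {"android.permission.READ_PHONE_STATE"},  # IMEI/IMSI
    "exfil_channel": {"android.permission.INTERNET"},
}


def triage_manifest(xml_text: str) -> dict:
    """Return the capability groups present plus impersonation/device-admin flags."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {g for g, needed in CAPABILITY_GROUPS.items() if needed <= perms}
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app requests device-admin rights.
    device_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    # Heuristic: a package outside com.google.* presenting itself as a Google component.
    impersonates_google = ("google" in label.lower()
                           and not root.get("package", "").startswith("com.google."))
    suspicious = device_admin and {"sms_intercept", "exfil_channel"} <= found
    return {"capabilities": found, "device_admin": device_admin,
            "impersonates_google": impersonates_google, "suspicious": suspicious}
```

Run `triage_manifest` over a manifest extracted from an APK (for example with apktool) to flag samples that combine device-admin requests with SMS interception and a network channel before deeper analysis.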

The command and control server that receives the stolen information and delivers malicious instructions to the compromised device appears to be located in Japan.