The popularity of “The Roar of the Pharaoh,” a legitimate Chinese game, is being leveraged by cybercriminals to spread a malicious SMS-sending Trojan. Sophos experts report that the game is not hosted on Google Play, but a Trojan-infested variant has been seen on other sites that provide Android applications.
Identified as Andr/Stiniter-A, this piece of malware doesn’t request any special permissions during installation, but once it’s installed, it starts collecting sensitive information such as phone model, screen size, IMEI, IMSI, operating system version and even phone number.
After the gathered data is sent back to its operators, the Trojan starts sending SMSs to premium rate numbers, filling the pockets of the crooks while inflating the phone bills of unsuspecting users.
Researchers found that Stiniter, like many other similar Trojans, is also capable of reading SMSs, which may mean that the cybercriminals rely on the delivery reports received from the premium rate numbers to keep tabs on the number of victims they make.
Some researchers call the malware TGLoader because it is designed to communicate with four .com domains whose URLs contain the “tgloader-android” path.
“Criminals love the free money laundering service provided by mobile phone providers. They can set up premium rate SMS numbers in Europe and Asia with little difficulty,” Senior Security Advisor Chester Wisniewski said.
“The mobile phone companies provide the payment processing and the bad guys have their money and are long gone before you ever receive the phone bill with the fraudulent charges,” he explained.
Owners of Android devices are advised to download applications only from trusted sources to ensure that malicious elements are kept at a distance.
Also, in this particular case, those who have already downloaded the game and suspect that their phones are infected with the Trojan should check for a service called “GameUpdateService.” If it is running on the device, the chances that Stiniter is accompanying it are high.
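The two indicators the article gives, the “GameUpdateService” service name and the “tgloader-android” URL path, can be turned into a simple triage check. The script below is an added example, not Sophos code or part of the original report: it parses constructed `dumpsys activity services` output from a device and constructed web-proxy log lines; the package name `com.pharaoh.game`, the `c2-placeholder.example` host and the IMEI value are placeholders.

```python
import re

# Indicators taken from the article: the background service the Trojan
# registers and the path fragment used by its command-and-control domains.
SUSPECT_SERVICE = "GameUpdateService"
SUSPECT_PATH = "tgloader-android"

# Constructed sample of `adb shell dumpsys activity services` output.
# The package name com.pharaoh.game is a placeholder, not a real indicator.
SAMPLE_DUMPSYS = """\
ACTIVITY MANAGER SERVICES (dumpsys activity services)
  User 0 active services:
  * ServiceRecord{4d1e7a0 u0 com.android.systemui/.SystemUIService}
  * ServiceRecord{2f3c9b8 u0 com.pharaoh.game/.GameUpdateService}
"""

# Constructed proxy log lines; the C2 host is a placeholder.
SAMPLE_LOG = [
    "2012-03-20T10:01:02 src=10.0.0.12 GET "
    "http://c2-placeholder.example/tgloader-android/register?imei=000000000000000 200",
    "2012-03-20T10:01:05 src=10.0.0.12 GET http://www.example.com/index.html 200",
]

# Matches both older "ServiceRecord{hash pkg/.Svc}" and newer "ServiceRecord{hash u0 pkg/.Svc}" forms.
_SERVICE_RE = re.compile(r"ServiceRecord\{[0-9a-f]+ (?:u\d+ )?([\w.]+/[\w.$]+)\}")
_URL_RE = re.compile(r"https?://[^\s\"]+")


def running_services(dumpsys_output):
    """Return the package/service component names listed in dumpsys output."""
    return _SERVICE_RE.findall(dumpsys_output)


def suspicious_services(dumpsys_output):
    """Components whose service class is named GameUpdateService, regardless of package."""
    return [s for s in running_services(dumpsys_output)
            if s.endswith("." + SUSPECT_SERVICE) or s.endswith("/" + SUSPECT_SERVICE)]


def suspicious_urls(log_lines):
    """URLs in the log lines whose path contains the tgloader-android fragment."""
    return [url for line in log_lines for url in _URL_RE.findall(line)
            if SUSPECT_PATH in url]


def triage(dumpsys_output, log_lines):
    """Combine both indicators into one verdict for an analyst."""
    services = suspicious_services(dumpsys_output)
    urls = suspicious_urls(log_lines)
    return {"services": services, "urls": urls, "suspect": bool(services or urls)}
```

Running `triage(SAMPLE_DUMPSYS, SAMPLE_LOG)` flags both the service and the C2 URL; a device with neither yields `suspect: False`.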