FireEye researchers have analyzed the threat and even helped in disrupting it

Dec 16, 2013 12:56 GMT

Researchers from FireEye have been monitoring a mobile botnet which they say is one of the largest in the world. Dubbed “MisoSMS,” the threat is said to have been utilized in at least 64 spyware campaigns.

According to experts, the MisoSMS malware (Android.Spyware.MisoSMS) that powers the botnet is designed to steal text messages and send them back via email to command and control (C&C) servers located in China. A total of over 450 unique email accounts have been used by the cybercriminals.

Most of the devices infected with MisoSMS are located in Korea. The attackers have logged in to the C&C servers that store the loot from a number of locations, including Korea and mainland China.

FireEye has been collaborating with Korean law enforcement authorities and Web mail vendors from China in an effort to disrupt the threat’s C&C infrastructure.

All of the 450 email accounts spotted by experts have been deactivated. The good news is that the attackers don’t seem to have attempted to register new ones. Just in case, FireEye says it continues to monitor the evolution of the cybercriminal operation.

The MisoSMS malware is distributed as an application called Google Vx. During installation, it requests administrative privileges to ensure that it can hide its presence.

After the malware is installed on Android devices, victims are presented with an error message which says that the file is damaged and can’t be used. It might appear to the victims that nothing has been installed on their devices.

Once MisoSMS infects a device, it launches three services in the background. One of them is MisoService, from which the threat gets its name. The other two are RollService and BaseService. Each of them is responsible for certain tasks.
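The behaviour described above (SMS collection, network egress to mail-based C&C, a device-admin request to hide the app, and three background services) is the kind of indicator set a defender can triage for in an Android manifest. The following is an added example, not code from FireEye or from the article; the service names are the ones reported above, the Android permission and attribute names are real platform identifiers, and the sample manifests, the package name `com.example.googlevx` and the "two or more findings" threshold are constructed assumptions for illustration rather than a verified detection rule.

```python
"""Heuristic manifest triage for a MisoSMS-style indicator set (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Indicator set: SMS read access combined with network egress, a receiver
# bound with the device-admin permission, and the service names from the article.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
KNOWN_SERVICES = {"MisoService", "RollService", "BaseService"}

# Constructed sample manifest resembling the behaviour described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.googlevx">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Vx">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MisoService"/>
    <service android:name=".RollService"/>
    <service android:name=".BaseService"/>
  </application>
</manifest>
"""

# Constructed benign manifest: network access only, no SMS, no device admin.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, the list of matched indicators and a verdict.

    The verdict is a triage heuristic (assumption): two or more indicators
    mark the manifest for closer analysis, never a definitive malware call.
    """
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    admin_receiver = any(r.get(PERM_ATTR) == ADMIN_PERM for r in root.iter("receiver"))
    # Service names may be relative (".MisoService"); keep only the simple class name.
    services = {(s.get(NAME_ATTR) or "").rsplit(".", 1)[-1] for s in root.iter("service")}

    findings = []
    if perms & SMS_PERMS and perms & NET_PERMS:
        findings.append("sms-access-with-network-egress")
    if admin_receiver:
        findings.append("device-admin-receiver")
    known = services & KNOWN_SERVICES
    if known:
        findings.append("known-service-names:" + ",".join(sorted(known)))

    return {
        "package": root.get("package"),
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run on the constructed sample, the script reports all three indicators and flags the package; the benign manifest produces no findings. In practice the manifest would be pulled from the APK with a tool such as `aapt` or `apktool` (assumed workflow), and the service-name match is the weakest signal here, since names are trivially changed between campaigns; the permission and device-admin combination is the more durable part of the heuristic.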

Additional technical details on MisoSMS are available on FireEye’s blog.