Jun 24, 2011 16:27 GMT
New Android trojan is capable of sending and receiving SMS on behalf of the user

Security researchers from Trend Micro have identified a new piece of Android malware capable of relaying SMS messages to and from the attacker.

Detected as ANDROIDOS_CRUSEWIN.A, the trojan has three components called FlashService, FlashReceiver and SMSReceiver.

The FlashService module is responsible for communicating with the command and control server. It loads on boot and downloads an XML configuration file from a predefined URL.

The configuration file allows the attacker to define a number and the SMS message the infected phone will send.

The SMSReceiver component monitors incoming messages. Any message received from the number defined in the configuration is uploaded back to the server and deleted from the phone.

"I have seen Android malware deleting SMS messages, I have seen Android malware sending SMS, but this is the first time I have seen an Android malware act as an SMS relay," says Trend threat analyst Mark Balanza.

The purpose of this malware is not immediately clear, but it's obvious that it can be used to impersonate and spy on the victims. The abuse possibilities are varied.

For example, it could be used to subscribe victims to premium rate services that require SMS confirmation, to spy on cheating partners and send messages on their behalf, or to intercept and steal mobile transaction authentication numbers (mTANs).

Unlike most Android trojans, ANDROIDOS_CRUSEWIN.A isn't attached to a legitimate application. It is either installed by someone else who has access to the device for a limited period of time or by the victims themselves after being tricked regarding its purpose. The "FlashService" name and icon are obviously used for this purpose.

Users should check if they have a FlashService task running by going to Settings > Applications > Running Services. If it exists, it can be uninstalled from the Settings > Applications > Manage Applications menu.
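
For analysts triaging an APK rather than a handset, the component layout described above can be turned into a manifest audit. The following is an added example, not code from Trend Micro or this article; the permission set, the package name and the wiring of actions to FlashReceiver and SMSReceiver are assumptions inferred from the described behaviour, and the manifest is constructed.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Standard Android permissions an SMS relay needs (assumed from the behaviour described).
RELAY_PERMS = {"android.permission.INTERNET",
               "android.permission.SEND_SMS",
               "android.permission.RECEIVE_SMS"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest: package name and receiver wiring are illustrative only.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".FlashService"/>
    <receiver android:name=".FlashReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SMSReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return which SMS-relay traits a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # Map each broadcast action to the receivers registered for it.
    handlers = {}
    for rcv in root.iter("receiver"):
        for action in rcv.iter("action"):
            handlers.setdefault(action.get(NAME), []).append(rcv.get(NAME))
    return {
        "package": root.get("package"),
        "missing_relay_perms": sorted(RELAY_PERMS - perms),
        "sms_receivers": handlers.get(SMS_ACTION, []),
        "boot_receivers": handlers.get(BOOT_ACTION, []) if BOOT_PERM in perms else [],
        "relay_capable": RELAY_PERMS <= perms and SMS_ACTION in handlers,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE).items():
        print(f"{key}: {value}")
```

The function expects a manifest already decoded to text XML. A positive result only shows that an app declares the capability to relay SMS, which legitimate messaging apps also do, so treat it as a triage signal rather than a verdict.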