Premium Rate SMS Trojan Poses as Installer for Popular Applications

Security researchers from Microsoft warn of a new trojan, which poses as an installer for various popular applications and tricks users into sending SMS messages to premium rate numbers.

The monetizing method used by this new piece of malware, which Microsoft detects as Trojan:MSIL/Fakeinstaller.A, is similar to that employed by ransomware programs.

Ransomware is a term used to refer to applications that disable critical operating system functions and ask for payments in order to restore them.

This model is viewed as the next step in the evolution of scareware, which in comparison, only attempt to scare users into parting with their money.

Some ransomware variants discovered so far, particularly those targeting Russian-speaking users, ask victims to send SMS messages to premium rate numbers in order to obtain the unlock codes.

According to Microsoft, this new trojan masquerades as an installer for software like µTorrent, avast! Antivirus, DivX, eMule, or LimeWire, and is distributed from a number of domains named after those programs.

The rogue websites are probably pushed at the top of Web search results via black hat search engine optimization (BHSEO) techniques or by paying for sponsored results, as in a case we recently reported.

When ran, the user is presented with a screen, which informs them in French or English that they need to send an SMS in order to receive an installation code.

The threat targets users in Western European countries, as it lists different premium rate numbers for France, Belgium, Switzerland and Germany.

"[…] As always, we recommend that you make sure that the origin of your installer or add-on is reputable and legitimate to avoid becoming victims of these kinds of malware," the company advises via its Microsoft Malware Protection Center (MMPC) blog.

All of the programs Microsoft listed as being abused by this trojan are actually free. It's always best to obtain software directly from the developer or from trusted download websites like ours.