Oct 14, 2010 07:55 GMT

It seems that previous iterations of the Android SMS trojan have had some success, because its creators have now launched a third variant featuring a secondary premium rate number.

The first version of this trojan, which is delivered as an APK package, was discovered by researchers from Kaspersky Lab at the beginning of August.

The Russian antivirus vendor named the new threat Trojan-SMS.AndroidOS.FakePlayer.a, because it posed as a movie player application.

The second variant, Trojan-SMS.AndroidOS.FakePlayer.b, appeared in September and saw a few modifications, especially regarding its distribution.

Its creators began spreading it through black hat search engine optimization (BHSEO) campaigns that targeted adult content-oriented keywords.

The rogue application's name changed from MoviePlayer to P*rnoPlayer [censored intentionally] and its icon was replaced with an adult-themed picture.

The new iteration keeps in line with the previous design choice, but the icon has reverted to the original play button image.

While the previous version sent $6 SMS messages to a single premium rate number, the new variant uses two, 7132 and 4161. Both work only in Russia.

Android displays warnings during installation about the OS features an application tries to access, but unfortunately, not many users pay attention to them.

In this case, the trojan asks permission to modify/delete SD card contents, send SMS messages, as well as read phone state and identity.
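As an added example (not code from Kaspersky Lab or from the original article), the following sketch checks a manifest for the three permissions listed above. It assumes the APK's AndroidManifest.xml has already been decoded to text XML; the sample manifests, package names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Install-time labels quoted in the article, keyed by Android permission name.
FLAGGED = {
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify/delete SD card contents",
    "android.permission.READ_PHONE_STATE": "read phone state and identity",
}

# Constructed sample: a self-described media player requesting all three.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Movie Player"/>
</manifest>"""

# Constructed sample: a player that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.stream">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Stream Player"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without android:name

def triage(manifest_xml):
    """Summarise which of the article's three permissions an app requests."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(p for p in perms if p in FLAGGED)
    return {
        "sms_capable": "android.permission.SEND_SMS" in perms,
        "full_pattern": set(FLAGGED) <= perms,  # all three requested together
        "labels": [FLAGGED[p] for p in hits],
    }

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

A match on the full pattern is only a triage signal for closer review, since legitimate applications can request the same permissions.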

Android's ever-growing market share makes it an attractive target for malware writers, who usually attack platforms used by a large number of users.

Also, unlike locked-down platforms, such as iOS (used by iPhones) or BlackBerry OS, which allow only pre-approved applications to be installed, Android accepts self-signed code.

However, not only Android users are targeted in this attack. "If you go to a website which is spreading Trojan-SMS.AndroidOS.FakePlayer.c using a mobile web browser, such as Opera Mini for instance, you will be offered a link to download a J2ME application – which happens to be a Trojan we detect as Trojan.SMS.J2ME.Small.r," warns Denis Maslennikov, a Kaspersky Lab expert.