Malware looks to be targeting Chinese users only

Jun 20, 2016 21:20 GMT  ·  By

Security researchers have discovered a malicious Android trojan codenamed Android/Trojan.Pawost that's packed inside a stopwatch app but uses Google Talk to initiate phone calls to unregistered numbers.

Pawost begins its malicious behavior after users install it. As soon as this happens, the app shows a Google Talk icon in the smartphone's notifications area. There's no text with this icon, and the notification is a dead giveaway that something is wrong and you should uninstall the app as soon as possible.

A few minutes later, the app will start making calls to several unknown numbers, using the Google Talk application.

While Pawost makes these calls, the phone's screen is turned off, but the CPU is very well alive and working.

Pawost makes calls to mysterious Chinese phone numbers

The mystery around these phone calls is that they don't go to a valid number. All start with the same sequence: 1-259.

Prepending the +1 US international prefix doesn't connect to a valid number. The area code 259 is not assigned in the US, so for sure, the campaign isn't targeting users in the country.

Since Pawost was bundled with an Android app with a Chinese interface, Malwarebytes researchers also tried adding the +86 China international prefix.

Their test phone calls connected to valid numbers but all answered with a busy line. At this point, it was clear the app was targeting Chinese users.

Pawost can also send SMS messages

Security researchers took a closer look at the Pawost malware and said that, besides placing these illegal calls, the app also included spyware capabilities.

The malware can collect data such as IMSI codes, IMEI numbers, CCID identifiers, phone numbers, phone version details, and a list of apps installed on the device.

Pawest takes this data, encrypts it, and sends it to a remote server. Furthermore, the trojan can also send SMS messages and block incoming SMS messages. Malwarebytes said they found this latter functionality in the Pawost decompiled source code but never observed it in their tests.

Whatever this is, it's definitely in its initial stages of development. By the looks of it, Pawost is set to become an Android trojan that infects Chinese users and then makes calls or sends SMS messages to premium phone numbers, helping the crooks behind this malware earn money via affiliate programs.

Some of the numbers called by the Powast malware
Some of the numbers called by the Powast malware

Photo Gallery (2 Images)

Powast malware making an illegal call
Some of the numbers called by the Powast malware
Open gallery