It targets users in Russia only and also includes an SMS worm component that lets it spread to other Android devices

Apr 27, 2016 08:26 GMT  ·  By

Security researchers have discovered a new Android malware family that's being spread using SMS spam messages and has been secretly stealing money from victims' bank accounts after infecting their devices.

At the time of writing, this malware family which FireEye researchers have named RuMMS has targeted only users living in Russia. The first infections hit users on January 18 and have continued until late April.

FireEye says it managed to track down at least 2,729 victims since it first discovered the threat. There were 380 infections in January, 767 in February, 1,169 in March, and another 413 in April.

Beware of SMS spam

RuMMS doesn't use a complex distribution system. There are no zero-day vulnerabilities, no Web-based exploits, and no malvertising attacks.

Crooks targeted users with basic social engineering attacks, sending only a simple SMS that lures the victim onto a website with the promise of seeing a recent MMS message they received from a friend.

The website asks the user to download an app to view the MMS, which in fact is the RuMMS malware. This app asks for admin privileges during installation, which most users tend to grant.

Once this happens, the malware's first actions are to hide its icon from view, start collecting data about the victim, and send that data to a C&C server.

RuMMS is specialized in stealing money from victims

From this point on, the malware will start acting as a fully-fledged banking trojan. RuMMS will query various online services to see if the user has bank accounts, and will try to authenticate using the data found on the device.

The trojan is capable of intercepting SMS and voice-based two-factor authentication mechanisms, allowing it to pass through the best security measures banks can deploy.

Researchers said that during their investigations, RuMMS never stole more than 600 rubles ($9 / €8) from a victim. Taking small sums allows the attacker to hide the theft among a user's regular credit card transactions, which are usually about the same size.

Mass-messaging your friends

In order to spread to as many devices as possible, RuMMS will also carry out one last operation, and that's to access the victim's contacts list and send out mass SMS messages, with the same spam message the victim received earlier.

This dirty trick ensures that the crooks behind this operation don't have to rely on their own lists of phone numbers to infect users, and can count on the malware self-propagating, just like a classic worm.
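As an added, defender-side example (not from FireEye's report or this article): a small Python triage script that applies the two behaviours described above, an inbound SMS promising an MMS behind a link, and a burst of one identical outbound message to many contacts, to a phone's message log. The log format, sample records, thresholds and keyword patterns are assumptions; the actual RuMMS lure text is not given on the page.

```python
"""Flag RuMMS-style SMS lure and worm activity in a message log (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass
class Sms:
    ts: int          # epoch seconds
    direction: str   # "in" or "out"
    peer: str        # the other party's number
    body: str


URL_RE = re.compile(r"https?://|www\.", re.I)
# Lure keywords in English and Russian; an assumption, the real lure text is not on the page.
MMS_RE = re.compile(r"\bmms\b|ммс", re.I)


def is_lure(msg: Sms) -> bool:
    """Inbound message that both carries a link and promises an MMS."""
    return msg.direction == "in" and bool(URL_RE.search(msg.body)) and bool(MMS_RE.search(msg.body))


def find_outbound_bursts(log, min_recipients=10, window=600):
    """Return (body, recipient_count) for each outbound body sent to at least
    min_recipients distinct numbers inside any `window`-second span: the
    self-propagation pattern where the victim's contacts all get the same lure."""
    by_body = defaultdict(list)
    for m in log:
        if m.direction == "out":
            by_body[m.body].append(m)
    bursts = []
    for body, msgs in by_body.items():
        msgs.sort(key=lambda m: m.ts)
        for start in msgs:
            peers = {m.peer for m in msgs if start.ts <= m.ts < start.ts + window}
            if len(peers) >= min_recipients:
                bursts.append((body, len(peers)))
                break  # one finding per body is enough
    return bursts


LURE = "You have a new MMS from a friend: http://example.invalid/mms"
SAMPLE_LOG = [  # constructed log: one lure, normal chatter, then a 12-contact burst
    Sms(1000, "in", "+79990000001", LURE),
    Sms(1100, "in", "+79990000002", "Lunch tomorrow?"),
    Sms(1200, "out", "+79990000002", "Sure, 1pm"),
] + [Sms(2000 + 10 * i, "out", f"+7999100{i:04d}", LURE) for i in range(12)]


def triage(log=SAMPLE_LOG):
    return {"lures": [m for m in log if is_lure(m)], "bursts": find_outbound_bursts(log)}
```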

At the time of writing, FireEye says they've detected around 300 different versions of the malware, and that all domains where the malicious APK was once hosted are now clean and harmless.

(Image: RuMMS mode of operation)