Android SMS Trojan Texts Its Way to Profit

Google is increasingly concerned about malware apps cropping up in its Android OS.  It recently executed a remote kill of an app for the first time due to concerns that it was malware.  More recently, at the Black Hat security conference, concerns were raised when it was shown that a series of wallpaper apps were sending users’ SIM card number, subscriber identification, and voicemail passwords to a Chinese server.

Now Google has been hit with its first full-fledged trojan malware.  The trojan is known as SMS.AndroidOS.FakePlayer.a and disguises itself as a harmless media player application.  Once users install the 13 KB file, which comes with the default .APK extension, their phone is essentially “infected”.

The installed trojan app launches and begins sending SMS texts to premium numbers, slowly texting its way to profit — and big bills for infected users.

The new malware is the first such trojan — a program with a malicious purpose masquerading as an innocent one — to see mass distribution to Android phones.  There have been a handful of malware apps written for Android since 2009 — including some that could be classified as trojans.  However, many of these were written by security researchers, and none of them saw mass distribution.

Denis Maslennikov, Mobile Research Group Manager at Kaspersky Lab, comments: “The IT market research and analysis organization IDC has noted that those selling devices running Android are experiencing the highest growth in sales among smartphone manufacturers. As a result, we can expect to see a corresponding rise in the amount of malware targeting that platform.  Kaspersky Lab is actively developing technologies and solutions to protect this operating system and plans to release Kaspersky Mobile Security for Android in early 2011.”

Fortunately, unlike the more insidious handiwork of its PC brethren, the FakePlayer.a trojan is easily avoided if you are careful not to authorize the installation of untrusted apps.  Further, even after the install is started, you have to grant the app access to phone features, which include premium SMS texts.  The danger here is that many people just blindly click through these permission dialogs, but if you exercise caution the threat can be averted here as well.
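
The permission check described above can also be done before install by comparing what an app requests with what its stated purpose needs. The following is an added example, not code from the original article or from any vendor; the sample manifest, package name, category names and the EXPECTED baseline are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that cost money or expose subscriber identity.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send SMS, including to premium-rate numbers",
    "android.permission.CALL_PHONE": "can place calls without user confirmation",
    "android.permission.READ_PHONE_STATE": "can read phone number, SIM and subscriber IDs",
    "android.permission.READ_SMS": "can read stored text messages",
}

# Assumed baseline of what each app category plausibly needs (illustrative policy only).
EXPECTED = {
    "media_player": {"android.permission.INTERNET", "android.permission.WAKE_LOCK"},
    "wallpaper": {"android.permission.SET_WALLPAPER", "android.permission.INTERNET"},
    "messaging": {"android.permission.SEND_SMS", "android.permission.READ_SMS"},
}

def requested_permissions(manifest_xml):
    """Return the set of permissions declared via <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without android:name

def audit(manifest_xml, category):
    """List sensitive permissions the app requests that its category does not explain."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return sorted((p, SENSITIVE[p]) for p in unexpected if p in SENSITIVE)

# Constructed sample: a self-described media player that also asks to send SMS.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.movieplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Movie Player"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in audit(SAMPLE_MANIFEST, "media_player"):
        print(f"REVIEW BEFORE INSTALL: {perm}: {why}")
```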

In related news, a Chinese advocacy group contacted us about the wallpaper app, claiming that it was not malware as some felt the Black Hat researchers implied.  They claim that this story was blown out of proportion due to nationalistic sentiments towards China.  They did not, however, offer any explanation as to why the app was taking people’s voicemail passwords.

Charles Liu, a Chinese-American Community Activist from Seattle, Wash. writes:

[N]ote your article is inaccurate, that the Android wallpaper app being malicious was mis-reporting by Venture Beat, which they have corrected.

Also the wallpaper app has been declared safe by Google and reinstated in Market.

The truth is no data were ever stolen; only phone info for personalization feature were collected with user approval.

This story was overblown from the get-go, predicated on some rather stereotypical “China FUD”. I mean are all servers in China inherently evil?

A quick glance at the VentureBeat piece does show that they have added a line that security researchers at Lookout haven’t yet detected malicious behavior.  Yet the overall conclusions remain the same and it still makes the app sound suspicious — particularly its ability to send your voicemail password to China — which seemingly has nothing to do with its base functionality.  Google apparently agreed as it suspended multiple apps over the incident, though some indeed appear to be reapproved (though they may have been modified before the reapproval).