The Stealer SMS Trojan now consistently ranks among the most active mobile threats.
In the first quarter of 2014, Stealer accounted for almost a quarter of all detected attacks, according to Kaspersky Lab expert Victor Chebyshev.
“This SMS Trojan has actively been pushed by cybercriminals in Russia, and there have also been continual attempts to attack users in Europe and Asia”, he said in a blog. “Infections with this Trojan have occurred virtually everywhere across the globe.”
Interestingly, the Trojan uses its configuration file to tailor itself to the population it targets.
“The Trojan determines which region it has been launched in, and modifies the content of the short text message and the recipient number accordingly”, said Chebyshev.
Stealer spreads disguised as a legitimate application and uses a set of functions that is fairly standard for SMS Trojans. For instance, the Trojan can send an SMS with data specified in the configuration file, delete incoming messages matching a mask, delete SMS filters, and send information about the phone, including the current configuration, geographic coordinates, a list of installed applications and status information such as whether airplane mode is on. It can also install and uninstall a specified application, display a message in the notifications area, open a web page on the device at launch, and enable message interception and a hiding mode for confirmation messages. It can also add a shortcut to the Trojan on the OS desktop.
“The attackers can therefore control the Trojan’s behavior by modifying its configuration file,” Chebyshev said. “Surprisingly, the creators of the Trojan still use this setup whereby the configuration of Trojan-SMS.AndroidOS.Stealer.a is distributed along with the Trojan. Most Trojans like this are exclusively managed online. On the other hand, this approach helps keep Stealer operational when no Internet access is available.”
Kaspersky said that it anticipates further growth in the number of attempted infections involving Stealer. Chebyshev also said that the malware will probably evolve. “It’s quite likely that the attackers will reduce the configuration file to a bare minimum and will manage the Trojan online, at the same time maintaining its functionality,” he said.