Premium Fraud Alert: MouaBad Android Variant Makes Secret Calls

The bug waits to make its calls until a period of time after the screen turns off and the lock screen activates

Security firm Lookout has identified a new variant of the MouaBad Android malware that gives remote attackers the ability to make phone calls (possibly to premium-rate numbers) without user intervention.

This never-before-seen functionality “represents a significant jump in functionality compared to more common premium-rate fraud that relies on SMS functionality,” said Lookout researcher John Gamble, in a blog post. And it’s gravy on top of existing capabilities: Like all members of the Mouabad family, Mouabad.p also allows remote attackers to send SMS messages and control various settings related to premium SMS billing.

And worse, in theory, the dialing functionality could also be used for other malicious purposes such as remotely spying on conversations within the vicinity of a device microphone, or simply running up a victim’s wireless bill, he noted.

The firm is calling the evolved bug Mouabad.p, and noted that it is particularly sneaky and effective in its aim to avoid detection. In particular, it waits to make its calls until a period of time after the screen turns off and the lock screen activates – so users are none the wiser. Mouabad.p also ends the calls it makes as soon as a user interacts with their device (e.g., unlocks it).

Victims aren’t completely blind though: the variant does not appear to have the ability to modify call logs so users can uncover Mouabad.p’s dialing activity by checking their call histories.
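The call-history check described above can be automated by correlating outgoing calls with the device's screen state. The following is an added example, not code from Lookout or the original article; the export format, the event names (modeled on Android's screen-off and user-present broadcasts) and all sample records are constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data for illustration; not taken from Lookout's report.
SCREEN_EVENTS = [  # (timestamp, event), sorted by time
    ("2014-01-01 08:00:00", "USER_PRESENT"),
    ("2014-01-01 08:05:00", "SCREEN_OFF"),
    ("2014-01-01 12:30:00", "USER_PRESENT"),
    ("2014-01-01 12:40:00", "SCREEN_OFF"),
    ("2014-01-01 23:15:42", "USER_PRESENT"),
]
CALL_LOG = [  # (start, duration in seconds, number, direction)
    ("2014-01-01 08:02:10", 95, "555-0100", "outgoing"),    # dialed while unlocked
    ("2014-01-01 09:00:00", 120, "555-0102", "outgoing"),   # locked, ends long before unlock
    ("2014-01-01 10:00:00", 60, "555-0101", "incoming"),    # incoming: ignored
    ("2014-01-01 22:50:00", 1540, "555-0199", "outgoing"),  # locked, ends 2 s before unlock
]


def calls_placed_while_locked(call_log, screen_events, slack_s=5):
    """Return outgoing calls that started while the screen was off and locked."""
    events = [(datetime.strptime(t, FMT), e) for t, e in screen_events]
    times = [t for t, _ in events]
    findings = []
    for start_s, duration, number, direction in call_log:
        if direction != "outgoing":
            continue
        start = datetime.strptime(start_s, FMT)
        i = bisect_right(times, start) - 1  # last screen event at or before the call
        if i < 0 or events[i][1] != "SCREEN_OFF":
            continue  # device in use or state unknown: the user may have dialed
        end = start + timedelta(seconds=duration)
        unlock = next((t for t, e in events[i + 1:] if e == "USER_PRESENT"), None)
        findings.append({
            "start": start_s,
            "number": number,
            "idle_before_call_s": int((start - times[i]).total_seconds()),
            # True when the call stopped within slack_s seconds of the next unlock
            "ended_on_unlock": unlock is not None
            and abs((unlock - end).total_seconds()) <= slack_s,
        })
    return findings


if __name__ == "__main__":
    for finding in calls_placed_while_locked(CALL_LOG, SCREEN_EVENTS):
        print(finding)
```

A flagged call is a lead to review against the phone bill rather than proof of infection; calls that both start while locked and end at the moment of unlock match the reported behaviour most closely.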

Lookout detection volumes of Mouabad.p are low and restricted primarily to Chinese-speaking regions. For now, the risk of infection in general is low. Gamble noted that Mouabad.p only works on Android versions older than 3.1. And, “since premium-rate SMS and telephone calls rely on country-specific phone numbers Mouabad.p will not function outside of targeted countries so there is no incentive for the attackers controlling it to allow it to spread outside these regions,” he said.

The command-and-control server is currently down so the exact dialing targets are unknown, he added, “but targeting premium rate telephone numbers could offer the attackers an effective monetization strategy and would be a logical extension of the Mouabad family’s predilection for premium-rate fraud.”

To stay safe, as always, consumers should only install apps from trusted stores, and should make sure that the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs. Mobile security software is a great idea too.
