Android Worm Masquerades as Google App

A fresh variant of an Android virus that resembles the self-propagating email worms of the early 2000s has been discovered, which pretends to be a Google Plus app.

The original version of the Selfmite bug sent itself as an SMS link to a victim’s top 20 contacts, and then pushed a third-party app for an alternative Android software market onto the mobile phone. Now, the modus operandi and the coding structure are similar to the original, but “it's both pushier and more flexible than before,” according to Sophos Security researcher Paul Ducklin.

“This time, it's using a botnet-style call-home to download data to decide what to do next, rather than having its malicious activities pre-programmed,” said Ducklin, in a blog. “The downloaded control data is fetched via HTTP and includes settings such as how many SMSes to send; what SMS text to use; where to link to; and more.”

Also, it sends itself to only five contacts now, instead of 20—presumably an anti-detection policy or, as Ducklin said, “cyber-criminal caution” after the Heart App virus’ aggressive use of SMS (it hit the first 99 contacts) raised its profile. Heart App caught the attention of mobile phone operators and law enforcement, resulting in fairly quick blacklisting, as well as an arrest.

As for goals, Selfmite version 2.0 is being used by financially motivated criminals, he noted.

“Unlike the email viruses of the early 2000s, many of which existed to cause havoc merely by spreading (though what havoc that was!), SelfMite-B aims to make money,” Ducklin said.

Amongst the downloaded configuration information is a pair of shortcut icons. “Once downloaded, the two icons are placed in prime position on your home screen, presumably in the hope that you will click them and generate some affiliate revenue for the crooks,” Ducklin said.

In one case during testing, it was a Mobo Market icon, which, when clicked, downloaded an app entitled MoboMarket.apk. “This seems to be signed by Mobo Market, a Chinese company that runs an alternative Android marketplace,” Ducklin said.

The other, a Mobogenie icon, “redirected us to a web page urging us to sign up for a perpetual subscription SMS service (approximate cost $20/month, billed daily) under the guise of free wallpapers.”

The malware also includes code to extract and upload confidential data like the device ID, the phone's IMEI and the victim’s entire contact list.

Moral of the story? “Don't blindly trust SMSes or other messages simply because they come from your friends, unless you are certain that your friends are taking precautions,” Ducklin said.

What’s Hot on Infosecurity Magazine?