Arab Spring turns into winter of malware discontent

Symantec has discovered a trojan, dubbed Android.Arspam, that has been infecting mobile devices through sites devoted to Middle Eastern political issues

Researchers at Symantec have discovered a trojan, dubbed Android.Arspam, that has been infecting mobile devices through sites devoted to Middle Eastern political issues. The trojan is a corrupted version of the popular Android Islamic compass app, which provides Islamic prayer times in various countries.

After installation of the corrupted app, the code goes to work on the device start-up, working in the background as a service called “alArabiyyah”, according to Symantec. It randomly picks one link from a list of 18 and then sends out a text message to every contact in the address book of the compromised device, sending them a link to a site that appears to be a tribute to Mohamed Bouaziz, a Tunisian street vendor who set himself on fire in protest of government repression.

“This trojan is unique because it is not trying to steal information or money from the victims. Most of the malware we see has a specific purpose which is almost always monetary”, said Vikram Thakur, principal security response manager with Symantec.

This trojan is “not trying to steal someone’s credentials to do something malicious. In this case, it is trying to spread its message”, Thakur told Infosecurity.

Once installed, the trojan requests a “kitchen sink” of permissions from the user, many more than the original app asks for, Thakur said. “The intent is to propagate a message…related to the Arab Spring political program”, Thakur said. The user with an infected device would see a sharp jump in the monthly bill because of the volume of text messages sent from the device, he explained.
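The two behaviours described above (a service that starts at boot and texts every contact, and a permission list far larger than the legitimate app's) give a defender a simple repackaging check: compare the permissions declared in a suspect APK's manifest with those of the known-good app. The script below is an added example, not Symantec's tooling or the compass app's code. Both manifests are constructed sample data (the real app's manifest is not on the page); the Android permission names are real, and the package name `com.example.compass` is a placeholder.

```python
"""Flag an Android app whose declared permissions go far beyond those of the
legitimate app it is passing itself off as.

Added example for illustration; the manifests are constructed, not taken
from any real APK.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed: the minimal manifest a prayer-times/compass app would need.
ORIGINAL_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.example.compass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed: same package id, but with the extra permissions a
# self-propagating SMS trojan needs (boot start, contacts, SMS).
REPACKAGED_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
    package="com.example.compass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

# Permissions that let an app act on the user's behalf or persist unseen,
# with the risk each one carries for the device owner.
HIGH_RISK: Dict[str, str] = {
    "android.permission.SEND_SMS": "can send SMS silently (spam, premium-rate charges)",
    "android.permission.READ_CONTACTS": "can turn the address book into an SMS target list",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start a background service at every boot",
    "android.permission.CALL_PHONE": "can place calls (premium-number fraud)",
    "android.permission.READ_PHONE_STATE": "can read device identifiers",
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }


def sms_propagation_combo(perms: Set[str]) -> bool:
    """True when the app can both read contacts and send SMS: the minimum
    needed to text every contact on the device, as the article describes."""
    return {"android.permission.SEND_SMS",
            "android.permission.READ_CONTACTS"} <= perms


def audit_repackaging(original_xml: str, candidate_xml: str) -> dict:
    """Diff a suspect manifest against the known-good one and report any
    newly requested high-risk permissions."""
    orig = declared_permissions(original_xml)
    cand = declared_permissions(candidate_xml)
    added = cand - orig
    risky = {p: HIGH_RISK[p] for p in added if p in HIGH_RISK}
    return {
        "added": sorted(added),
        "high_risk": risky,
        "sms_propagation": sms_propagation_combo(cand),
        "suspicious": bool(risky),
    }


if __name__ == "__main__":
    report = audit_repackaging(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    for perm, why in report["high_risk"].items():
        print(f"NEW high-risk permission {perm}: {why}")
    print("SMS self-propagation possible:", report["sms_propagation"])
```

In practice the known-good manifest would come from the developer's signed release (or from a store-side copy), and the suspect one from `aapt dump xmltree` or a decompiler; the point of the check is that a compass app has no business asking for SEND_SMS, READ_CONTACTS and RECEIVE_BOOT_COMPLETED together.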

Symantec said that there was an added functionality in the code: if the compromised device reports back that it was located in Bahrain, an attempt is made to download a PDF file to the device. The file was examined by Symantec and did not contain malicious code or exploits. The PDF is a fact-finding inquiry by the Bahrain Independent Commission of Inquiry on allegations of human rights violations in that country.

Cybercriminals would not be able to hijack this trojan, although they have used similar trojans to steal money by generating calls to premium numbers, Thakur said. “As far as being able to use this particular trojan to do malicious activity, that is not part of the code at this time”, he concluded.
