New Android malware bags millions in revenues

The Android malware was found on a third-party marketplace and is bundled with a legitimate application for configuring phone settings

The Android malware, first highlighted by researcher Xuxian Jiang at North Carolina State University, was uncovered on a third-party marketplace and is bundled with a legitimate application for configuring phone settings, Symantec researcher Cathal Mullaney wrote in a blog post.

The total number of infected Android devices connected to the botnet is estimated at hundreds of thousands, with 10,000 to 30,000 infected devices able to generate revenue on any given day, Mullaney wrote. The botmaster has been operating since September last year.

Revenue is generated through premium text messaging, phone, and video services, but the malware is limited to the networks of China’s two largest mobile carriers.

Mullaney explained that once the malware is installed on an Android phone, the infected phone opens an outbound connection to a remote server.

“The malware posts some user and phone-specific data to the remote address and attempts to download and run an APK file from the server. The downloaded file is the second stage in the malware and is a Remote Administration Tool (RAT) for Android, detected as Android.Bmaster. This type of malware is used to remotely control a device by issuing commands from a remote server”, the Symantec researcher related.

“This is not the first example of an active, revenue-generating Android botnet we have seen. However, considering the huge market for Android apps, the availability of third-party app stores without security checks, and the massive revenue which can be generated from this type of botnet, Android.Bmaster’s million-dollar botnet certainly won’t be the last”, Mullaney concluded.
 
