Selfmite Worms its Way Onto Victims’ Phones


Security researchers have warned of a new SMS Android worm used by an unscrupulous ad platform user to increase their pay-per-install revenue for the legitimate Mobogenie app.

Unlike the vast majority of Android malware, Selfmite is not a Trojan but a piece of malware that propagates by text message, according to Adaptive Mobile security analyst, Denis Maslennikov.
 
Victims receive a message personalized with their first name, containing a shortened goo.gl link which will take them to the worm, he wrote in a blog post.
 
If the user decides to go ahead and download the APK file offered to them, an icon titled “The self-timer” will appear on their homescreen. Launching that program will direct the malware to scan the device address book and send a message to 20 contacts, again using their first name as a greeting.
 
The malware will then try to access another shortened link on the web, after which the user will be offered the option of downloading and installing another APK, this time for the Mobogenie app.
 
Mobogenie is a legitimate app, available in Google Play and elsewhere, designed to manage and install Android apps.
 
“As you might have already noticed Selfmite worm uses advertising platform to redirect users to the particular version of Mobogenie app. And this particular version of Mobogenie app will ‘click’ after the installation to a certain URL with additional device parameters in order to confirm the Mobogenie app installation,” explained Maslennikov.
 
“So as a result we believe that an unknown registered advertising platform user abused legal service and decided to increase the number of Mobogenie app installations using malicious software.”
 
Adaptive Mobile found that click-throughs for the goo.gl Mobogenie redirect total over 210,000, indicating that the campaign has been pretty successful thus far.
 
However, despite its innocuous nature, there could be unintended consequences if a user falls for the scam, the mobile security firm warned.
 
“The worm can use up their billing plan by automatically sending messages that they would not be aware of, costing them money,” said Maslennikov.
 
“In addition, by sending spam the worm puts the infected device at danger of being blocked by the mobile operator. More seriously, the URL that the worm points to could be redirected to point to other .apks which may not be as legitimate as the Mobogenie app.”
 
Adaptive Mobile said it had blocked any messages containing links to the worm for its customers and notified Google to disable the malicious URL, which it has done for the time being.
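The propagation pattern described above (one handset sending the same goo.gl link to many contacts, with only the first-name greeting changing) can be looked for in outbound SMS logs. The sketch below is an added example, not Adaptive Mobile's method; the log format, the sample records, the function names and the `min_recipients` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed outbound-SMS records (sender, recipient, body). Numbers, names,
# message wording and link paths are invented; only the goo.gl domain, the
# first-name greeting and the fan-out to contacts come from the article.
NAMES = ["Anna", "Ben", "Carla", "Dev", "Elif", "Femi"]
SAMPLE_LOG = [("+10000000001", f"+1000000010{i}", f"Hi {n}, try this app http://goo.gl/XXXXXX")
              for i, n in enumerate(NAMES)]
SAMPLE_LOG += [
    ("+10000000002", "+10000000201", "Lunch menu here http://goo.gl/YYYYYY"),
    ("+10000000003", "+10000000301", "Running late, see you at 6"),
    ("+10000000003", "+10000000302", "Can you call me back?"),
]

SHORT_LINK = re.compile(r"https?://goo\.gl/\S+", re.IGNORECASE)

def varying_positions(bodies):
    """Token positions that differ across messages, or None if shapes differ."""
    rows = [b.split() for b in bodies]
    if len({len(r) for r in rows}) != 1:
        return None
    return [i for i in range(len(rows[0])) if len({r[i] for r in rows}) > 1]

def find_worm_like_senders(log, min_recipients=5):
    """Flag senders that push one short link to many recipients using a
    message template in which at most one token (the greeting name) changes.
    min_recipients is an assumed threshold, lower than the 20 in the article."""
    groups = defaultdict(list)
    for sender, recipient, body in log:
        match = SHORT_LINK.search(body)
        if match:
            groups[(sender, match.group(0))].append((recipient, body))
    flagged = {}
    for (sender, link), msgs in groups.items():
        recipients = {r for r, _ in msgs}
        if len(recipients) < min_recipients:
            continue
        varying = varying_positions([b for _, b in msgs])
        if varying is not None and len(varying) <= 1:
            flagged[sender] = (link, len(recipients))
    return flagged

if __name__ == "__main__":
    for sender, (link, count) in find_worm_like_senders(SAMPLE_LOG).items():
        print(f"{sender}: {count} recipients received {link}")
```

A sender who shares one short link with a single friend, or who texts many people without a link, is not flagged; only the templated fan-out is.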
 
Malicious Android apps continued to grow in volume this year, reaching the two million mark in the first quarter of 2014, despite hitting one million just six months previously, according to Trend Micro.
 
Mobile ransomware such as the file-encrypting Simplocker seems to be particularly favoured by the criminal underground at the moment, although Adaptive Mobile’s Selfmite discovery has shown that criminals are determined to use any method they can to make money off their victims.
