Trojanised Android app seen checking for keywords in text messages

According to Mark Balanza, Android malware that intercepts text messages sent to an infected device is something he and his team have seen before, but filtering those messages for specific keywords is a new approach.

The trojanised app, detected as Androidos-Pirates.A and seen in the wild, is a recoded edition of Coin Pirates, says the Trend Micro researcher. It was distributed through a Chinese Android Market, although the infected version has since been removed from the market concerned.

Once installed, the malware registers three broadcast receivers: BootReceiver, AlarmReceiver, and SMSReceiver.

BootReceiver and AlarmReceiver, says Balanza, are both responsible for starting the service MonitorService, which enables the malware to communicate with its malicious server.

“SMSReceiver, on the other hand, executes every time an SMS is received”, he adds in his latest security posting.

Balanza goes on to say that, once the receivers are installed, the malware collects a variety of information, including the device model, the Android SDK version, and the handset's IMEI (the device identifier) and IMSI (the SIM's subscriber identifier), and relays this data to the attacker's remote servers.

Infosecurity has previously reported that IMEI/IMSI pairs are the identifiers a handset presents to the mobile network and could be used by fraudsters to make calls charged to the legitimate owner's account. A caveat is in order: the IMEI identifies the handset and the IMSI the SIM, but network authentication depends on a secret key held inside the SIM, which this malware does not obtain, so the stolen pair alone is not enough to bill calls to the victim. It does, however, uniquely identify both the device and the subscriber, which makes it valuable for tracking victims and tying together data harvested from the same phone.

As well as monitoring for keywords, Balanza says that the malware can also send text messages to a specified number and add a bookmark to the device's browser, with the destination number, message content and bookmark URL all dictated by the server's response. In effect, the app is remotely controlled.
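The component and permission combination described above (boot- and SMS-triggered receivers feeding a service, plus the permissions needed to read IMEI/IMSI, send SMS and write bookmarks) is something an analyst can check for directly in an app's manifest. The following script is an added example written for this article; it is not Trend Micro's tooling or code from the trojanised app. It takes an AndroidManifest.xml as decoded by apktool (plain XML, not the binary form inside the APK). The two sample manifests are constructed: only the receiver and service names come from Balanza's analysis, while the package names, labels, activity names and exact permission set are assumptions.

```python
"""Triage an apktool-decoded AndroidManifest.xml for the pattern described
above. Added example, not Trend Micro's tooling or code from the app; the
sample manifests are constructed and their package names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions that run a component without the user opening the app.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",     # restart after reboot
    "android.provider.Telephony.SMS_RECEIVED",  # see every incoming SMS
}

# Permissions the described behaviour needs: IMEI/IMSI, receive/send SMS,
# network access, and (older stock Browser) writing bookmarks.
WATCHED_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
}

def _attr(el, name):
    """Read an android:-namespaced attribute such as android:name."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def triage_manifest(xml_text):
    """Return package, watched permissions, each receiver with the trigger
    actions it listens for, and every declared service."""
    root = ET.fromstring(xml_text.strip())
    perms = [_attr(p, "name") for p in root.iter("uses-permission")]
    app = root.find("application")
    receivers, services = [], []
    if app is not None:
        for rcv in app.iter("receiver"):
            actions = [_attr(a, "name") for a in rcv.iter("action")]
            receivers.append((_attr(rcv, "name"),
                              [a for a in actions if a in TRIGGER_ACTIONS]))
        services = [_attr(s, "name") for s in app.iter("service")]
    return {"package": root.get("package"),
            "permissions": sorted(set(perms) & WATCHED_PERMISSIONS),
            "receivers": receivers, "services": services}

def matches_sms_stealer_pattern(findings):
    """True only for the whole combination: receivers on SMS_RECEIVED and
    BOOT_COMPLETED, at least one service, and permission to read phone
    identifiers or send SMS. Each alone is common in benign apps."""
    triggers = {a for _, acts in findings["receivers"] for a in acts}
    perms = set(findings["permissions"])
    return ("android.provider.Telephony.SMS_RECEIVED" in triggers
            and "android.intent.action.BOOT_COMPLETED" in triggers
            and bool(findings["services"])
            and bool(perms & {"android.permission.READ_PHONE_STATE",
                              "android.permission.SEND_SMS"}))

# Constructed manifest mirroring the described components; receiver and
# service names are from the analysis, everything else is hypothetical.
TROJANISED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.coinpirates">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <application android:label="Coin Pirates">
    <activity android:name=".GameActivity"/>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
    <receiver android:name=".AlarmReceiver"/>
    <receiver android:name=".SMSReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <service android:name=".MonitorService"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary online game for comparison (hypothetical).
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benigngame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign Game">
    <activity android:name=".MainActivity"/>
    <service android:name=".LeaderboardSyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (TROJANISED_MANIFEST, CLEAN_MANIFEST):
        f = triage_manifest(manifest)
        verdict = "SUSPICIOUS" if matches_sms_stealer_pattern(f) else "ok"
        print(f["package"], verdict, f["receivers"], f["services"], f["permissions"])
```

Note that AlarmReceiver carries no intent filter in the constructed manifest: a receiver driven by AlarmManager is invoked with an explicit intent, so it shows up with an empty trigger list and is only interesting in combination with the other components. The verdict deliberately requires the full combination rather than any single permission, since RECEIVE_SMS or READ_PHONE_STATE on their own are ordinary in legitimate apps of that era.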

“Users can check if they are affected by going to Settings > Applications > Running Services and check if MonitorService exists”, he says, adding that affected users can also manually remove the malware from their system by going to Settings > Applications > Manage Applications and then uninstalling the malicious app.
