Android apps with Trojan SMS malware infect 300,000 devices, nets crooks $6m

A new wave of Trojanised Android apps have infected at least 300,000 smartphones and tablets, according to security researchers at Panda Labs.

Panda Labs technical director Luis Corrons revealed the crime wave in a blog post, warning that the 300,000 figure is a conservative estimate. "Our Panda Mobile Security research team has found a new threat that has infected at least 300,000 people, although that number could be four times higher – 1,200,000," read the post.

The apps reportedly infect users' handsets via a bogus permissions notification, which when agreed to instigates a complex process that forces the victim to send text messages to a premium-rate number owned by the hackers.

"Without the user's knowledge the app will get the phone number of the device, will go to a website and will register it to a premium SMS service. This service requires a confirmation to be activated, which means it sends an SMS to that number with a PIN code," explained the post.

"This app waits for that specific message, once it arrives it intercepts its arrival, parses it, takes the PIN number and confirms your interest in the service. Then it removes it, no notification is shown in the terminal and the SMS is not shown anywhere. Again, all this is done without the user's knowledge."

Corrons said the campaign has already earned the criminals millions of dollars in revenue. "They charge a lot of money for this premium SMS service, if we make a conservative estimate of $20 charged by terminal, we are talking of a huge scam that could be somewhere between $6m and $24m," he said.

Corrons said the apps will undoubtedly earn criminals more money, warning they are all still available for purchase on the Google Play store. However, at the time of publishing we could not find the apps on the Google Play store.

He said the applications' success is largely due to a lack of security awareness from Android users, and that even basic measures could drastically reduce the apps' effectiveness.

"Whatever security solution you use – if any – please always read the permissions needed to install each application and if among them it is the one letting the app read your SMS and connect to internet and it is not really needed, do not install it," he said.

Trojan apps are a growing problem in the Android ecosystem. Because of the open nature of Android, criminals are able to create and sell malware-laden applications on a variety of third-party marketplaces with relative ease. Network giant Cisco estimated in January that 99 percent of all mobile malware is designed to target Android.

• Tweet  
• Facebook  
•  
•  
• Save this article  
• Send to  

• Topics
• Security
• Mobile Software
• Android
• malware
• cyber-crime
• Hacking
• Apps
• Smartphones