Maniben Connect

world of internet security, latest cyber security news,information,updates on technology,it job vacancies,internet security,breaches,and safeguards

Return of the Android SMS virus - self-spreading "Selfmite" worm comes back for more


Andr/SlfMite-A sent itself as an SMS link to your top 20 contacts, and then foisted a third party app for an alternative Android software market onto your phone.
Well, it's made a comeback that we're detecting as Andr/Slfmite-B.
This variant pretends to be a Google Plus app, though of course it is no such thing:



The modus operandi and the coding structure are similar to the SlfMite-A variant, but it's both pushier and more flexible than before.
This time, it's using a botnet-style "call home" to download data to decide what to do next, rather than having its malicious activities pre-programmed.
The downloaded control data is fetched via HTTP and includes settings such as how many SMSes to send; what SMS text to use; where to link to; and more:


SMS sending

When we looked, the SMS_LIMIT was set to 5, rather than the 20 contacts that were targeted by SlfMite-A.
We can't tell you why its virulence has been reduced since last time, but it may be cybercriminal caution following the recent Andr/SmsSend-FA virus outbreak.
SmsSend-FA was better known as the Heart App, and its aggressive use of SMS (it spread to your first 99 contacts) brought it to the attention of mobile phone operators and law enforcement very rapidly.
The Heart App's messages were quickly blocklisted and the perpetrator arrested.
There are two possible SlfMite-B SMS messages, using the "Hey, try it" and "Hi buddy" texts in the SMS_TEMPLATE data you see above.
We can't tell you what the SMS links we saw were supposed to do, because they relied on a URL shortening service (X.CO, run by GoDaddy), and they no longer redirect anywhere:



We'll assume, given the other similarities with SlfMite-A, that at least one of the SMS links was intended to spread the infection, making this variant a virus (or, more specifically, a worm) just like the old one.
Of course, the crooks could change the SMS_OFFER data and any malicious SMSes remaining in your inbox would again become dangerous.
So if you see messages like the ones shown above, be sure to delete them and don't click through, even though they seem to come from your friends.

Self-protection

Another new trick up SlfMite-B's sleeve is to copy the self-protection behaviour of the FBILock-A malware we wrote about in July, after SlfMite-A came out.
It registers itself as a device administrator, allegedly with the handy (and security-oriented) feature of improving your lock screen safety:



But this step exists only to make the malware harder to remove.
If you head to Settings | Apps and tap on the bogus "Google Plus" icon, you will find the [Uninstall] button is blanked out because of the app's device administration powers:



To sort this out, first, head to Settings | Security | Device administrators; you can then [Deactivate] the administration privileges of the malware:




Finally, head back to Settings | Apps to dispose of it:


The hard sell

Unlike the email viruses of the early 2000s, many of which existed to cause havoc merely by spreading (though what havoc that was!), SlfMite-B aims to make money.
Amongst the downloaded configuration information is a pair of data items, each of which defines:
  • A URL from which to download a graphical icon
  • A name to go with that icon
  • A URL to visit if the icon is clicked
Once downloaded, the two icons are placed in prime position on your home screen, presumably in the hope that you will click them and generate some affiliate revenue for the crooks.
The icon data our copy of the malware received during testing pitched two "products" at us:



Clicking on the Mobo Market icon downloaded an app entitled MoboMarket.apk.
This seems to be signed by Mobo Market, a Chinese company that runs an alternative Android marketplace
Clicking on the Mobogenie icon eventually redirected us to a web page urging us to sign up for a perpetual subscription SMS service (approximate cost $20/month, billed daily) under the guise of free wallpapers:




As if that weren't enough, the malware also includes code to extract and upload confidential data from your phone, such as your device ID, the phone's IMEI (International Mobile Equipment Identity, a unique electronic identifier that goes with your handset), and your entire contact list.

What to do

How to remove the fake Google Plus app is described above.
You need to revoke the app's Device Administration rights in 
Settings | Security | Device administrators, before heading to 
Settings | Apps to uninstall it.
If you installed the MoboMarket.apk as well, you probably want to uninstall it, given its association with this malware.

To prevent infection with malware of this sort:
  1. Install any anti-virus program.This can block malicious apps, malicious SMSes and malicious links, thus providing three-layered protection.
  2. Don't turn on the Android option to allow the installation of apps from unknown sources. Or, if you do, enable this feature only sparingly when you are visiting an alternative app market you trust explicitly. Turn it back off after use.
  3. Don't blindly trust SMSes or other messages simply because they come from your friends, unless you are certain that your friends are taking precautions (1) and (2)!

0 comments:

Post a Comment