Forget the selfies for a minute. If you are an Android user you need to be more concerned about a piece of mobile malware known as Selfmite that spreads using SMS by tricking users into installing a worm app, according to mobile network protection and security firm Adaptive Mobile.
That worm app propagates by automatically sending text messages to contacts in the infected phone’s address book. Next, the worm requests users install a legitimate app via an advertising platform. Every time the app is installed the worm’s author gets paid.
“At the moment North America seems to be the most targeted territory,” said Denis Maslennikov, a Security Analyst at AdaptiveMobile. The worm was first discovered in the U.S. where it seems concentrated, but AdaptiveMobile reports activity from a dozen countries around the world.
Abusing Legal Services
“SMS worms for Android smartphones have previously been rare, but this and the recent Samsapo worm in Russia may indicate that cybercriminals are now starting to broaden their attacks on mobile phones to use different techniques that users may not be aware of,” said Maslennikov.
The firm reports Selfmite spreads by sending users the following SMS, which contains a URL that redirects to the malware: ‘Dear [NAME], Look the Self-time, http://goo.gl/[REDACTED]'. If a user clicks on the goo.gl shortened link, he is invited to download and install an APK file that appears as an icon on his smartphone menu after installation is complete.
“There is a monetization aspect to this worm,” said Maslennikov. “To redirect users to the Mobogenie app, the Selfmite worm uses an advertising platform, therefore we believe that an unknown registered user of the advertising platform abused a legal service and attempted to increase the number of Mobogenie app installations using malicious software.”
Beyond impacting a user's billing plan by automatically sending spam messages, mobile operators that pick up on the rush of activity could block the user’s device from the network. AdaptiveMobile has contacted Google and the malicious URL has already been disabled.
Nothing New, but Still Troublesome
We caught up with Chester Wisniewski, a senior security advisor at Sophos, to get his take on the SMS malware. He told us attempts at spreading malware through instant messages, Facebook chats and SMSs are nothing new.
“These types of attacks have had success on PCs for years," he said. "And just like the migration of ransomware and fake antivirus from PC to mobile, it is not surprising to see this tactic migrate as well.”
According to Wisniewski, these packages are being distributed "off-market." That means victims need to have already disabled safety features on their Android devices to get infected.
“The relationship to ad networks distributing legitimate apps later was actually discovered by one of our researchers, Rowland Yu, and presented at last year's Virus Bulletin conference in Berlin. His presentation focused on GinMaster and how it was monetized,” Wisniewski said.
“Installing non-Google Play apps is a bad idea and clicking links in SMSs is ill-advised as well. If you are concerned, this might be a good time to load an antivirus app on your mobile," he added.