Android malware distributed by malicious SMS in France
Another Android malware is currently in the wild in France, as we have recently discovered.
This malware poses as a Flash Player installer and steals your incoming SMS messages by forwarding them to a remote server. We have named it Android/Fakelash.A!tr.spy.
Unlike many Android malware samples, which are downloaded from underground or legitimate marketplaces (see here, here, here, here…), this one propagates via a link in an SMS. For example, the victim below complains he received an SMS from 10052 saying “For proper function of your device, please download the new ANDROID Flash update at this link: http://tinyurl.com/xxxxx”.
In this particular case, the victim reports that he installed the virus but later uninstalled it, because he was uneasy that the package requested many permissions and was downloaded from an unknown server.
Indeed, the malware would contact a remote server for configuration data, such as the incoming phone numbers to spy on. By uploading a fake configuration file to our emulators, we were able to catch the packets the malware would have been sending out. Of course, we blocked those outgoing packets.
On PCs, posing as a Flash Player update or sending spam to promote the malware is relatively common. On Android, it is not. There, malware authors prefer to infect a well-known game and post it on a third-party marketplace. So it is possible that Android/Fakelash.A!tr.spy comes from a PC-virus gang that has recently taken an interest in Android. If that is the case, it can only be bad news for our mobile devices…
Please be cautious with this sample because, as far as we know, apart from Fortinet, nobody detects it yet.
Finally, I would conclude with a warning to French users. Our country is not immune to mobile malware and you need to be cautious with what you see or install on your phones.
Thanks to Guillaume Lovet for his insights on this post.
– the Crypto Girl