Android malware distributed by malicious SMS in France
| September 21, 2012
| Category: Security Research
Another Android malware is currently in the wild in France, as we have recently discovered.
This malware poses as a Flash Player installer and steals your incoming SMS messages by forwarding them to a remote server. We have named it Android/Fakelash.A!tr.spy.
Contrary to much Android malware, which is downloaded from underground or legitimate marketplaces (see here, here, here, here…), this one propagates via a link in an SMS. For example, the victim below complains he received an SMS from 10052 saying “For proper function of your device, please download the new ANDROID Flash update at this link: http://tinyurl.com/xxxxx”.
Victim complaining of infection by Android/Fakelash.A!tr.spy
In this particular case, the victim reports he installed the virus but later uninstalled it because he felt somewhat uncertain about the fact that the package requested many permissions and was downloaded from an unknown server.
Indeed, the malware contacts a remote server for configuration data, such as the incoming phone numbers to spy on. By uploading a fake configuration file to our emulators, we were able to catch the packets the malware would have been sending out; of course, we blocked those outgoing packets.
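The permission set the victim noticed is itself a useful triage signal. The check below is an added example, not code from the original post: it parses a decoded AndroidManifest.xml and flags the combination an SMS-forwarding app needs (a permission to read incoming SMS, network access, and a receiver for the SMS_RECEIVED broadcast). The manifest it runs on is constructed for the example and is not the real sample's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (hypothetical package name, not the real sample):
# a "Flash Player" app that asks to read incoming SMS, reach the network and
# registers a high-priority receiver for SMS_RECEIVED.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Collect SMS-related indicators from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    # Any receiver whose intent-filter listens for the SMS_RECEIVED broadcast.
    sms_receiver = any(
        a.get(name_attr) == SMS_ACTION
        for r in root.iter("receiver")
        for a in r.iter("action")
    )
    result = {
        "package": root.get("package"),
        "sms_permissions": sorted(p for p in perms & SMS_PERMS),
        "network": bool(perms & NET_PERMS),
        "sms_receiver": sms_receiver,
    }
    # Read incoming SMS + network access + SMS receiver = can forward SMS out.
    result["suspicious"] = bool(result["sms_permissions"]) and result["network"] and sms_receiver
    return result


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A manifest that lacks any one of the three indicators is not flagged, so the check is a triage heuristic rather than a detection on its own.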
The malware is forwarding an incoming SMS to a remote server (censored URL). The text of the SMS was “hithere”, and the SMS was sent by phone number “1234
On PCs, posing as a Flash Player update or sending spam to promote the malware is relatively common. On Android, it is not. For instance, malware authors prefer to infect a well-known game and post it on a third-party marketplace. So, it is possible that Android/Fakelash.A!tr.spy comes from a PC-virus gang that has recently taken an interest in Android. If that is the case, it can only be bad news for our mobile devices…
Please be cautious with this sample because, as far as we know, apart from Fortinet, nobody detects it yet.
Detection coverage as of Sept 20, 2012
Finally, I would conclude with a warning to French users. Our country is not immune to mobile malware and you need to be cautious with what you see or install on your phones.
Thanks to Guillaume Lovet for his insights on this post.
– the Crypto Girl
Axelle Apvrille