“A new crop of trojan mobile applications are demonstrating simple mobile botnet behavior, leveraging infected handsets to spread spam and invitations for other users to download the infected apps,” said Andrew Conway, researcher at Cloudmark, in a blog. “If you do download this spamvertised application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author.”
In this case, the phone will be used to silently send out thousands of spam SMS messages without the owner’s permission to lists of victim phone numbers that the malware automatically downloads from a command and control server. The trojan apps were downloaded from sites on a server in Hong Kong.
“You better have an unlimited message plan or your phone bill may come as a bit of a shock,” Conway said.
The zombie communicates with the C&C server using HTTP. Typically a message and a list of fifty numbers are returned. The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers. Because it installs itself as a service on the handset, the application restarts automatically after a reboot.
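The cadence described above (one batch of about fifty numbers per C&C reply, 1.3 seconds between sends, a poll every 65 seconds) is regular enough to spot in carrier-side or MDM event logs. The detector below is an added example, not Cloudmark's code; the log line format, the host name `c2.invalid`, and the thresholds are assumptions, and the sample log is constructed.

```python
"""Flag handsets whose event log shows the botnet cadence described above. Added
example, not Cloudmark's code; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
SMS_GAP = (1.0, 2.0)     # seconds between sends inside a burst (article: 1.3 s)
POLL_GAP = (60.0, 70.0)  # seconds between C&C polls (article: 65 s)
MIN_BURST = 40           # sends needed to call it a burst (article: 50 per batch)
MIN_POLLS = 3            # polls needed to call it periodic beaconing

def gaps(times):
    """Seconds between consecutive sorted timestamps."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def analyze(lines):
    """Return {device: [reasons]} from '<ISO ts> <device> <sms_sent|http_get> <detail>' lines."""
    by_dev = defaultdict(lambda: {"sms": [], "http": defaultdict(list)})
    for line in lines:
        ts, device, event, detail = line.split(maxsplit=3)
        when = datetime.fromisoformat(ts)
        if event == "sms_sent":
            by_dev[device]["sms"].append(when)
        elif event == "http_get":
            by_dev[device]["http"][detail].append(when)
    flagged = {}
    for device, ev in by_dev.items():
        reasons, n, sg = [], len(ev["sms"]), gaps(ev["sms"])
        if n >= MIN_BURST and SMS_GAP[0] <= median(sg) <= SMS_GAP[1]:
            reasons.append(f"{n} SMS at ~{median(sg):.1f}s spacing")
        for host, times in ev["http"].items():
            pg = gaps(times)
            if len(times) >= MIN_POLLS and all(POLL_GAP[0] <= x <= POLL_GAP[1] for x in pg):
                reasons.append(f"{len(times)} polls to {host} every ~{median(pg):.0f}s")
        if reasons:
            flagged[device] = reasons
    return flagged

def build_sample_log():
    t0, log = datetime(2012, 12, 17, 9, 0, 0), []  # constructed sample, not real data
    for i in range(3):   # infected handset polls the C&C every 65 s ...
        log.append(f"{(t0 + timedelta(seconds=65 * i)).isoformat()} android-A http_get c2.invalid/poll")
    for i in range(50):  # ... and works through a 50-number batch at 1.3 s per send
        log.append(f"{(t0 + timedelta(seconds=1 + 1.3 * i)).isoformat()} android-A sms_sent +15550100{i:02d}")
    for s in (0, 40, 300, 900, 1500):  # normal handset: a few irregular texts
        log.append(f"{(t0 + timedelta(seconds=s)).isoformat()} android-B sms_sent +15550199")
    log.append(f"{t0.isoformat()} android-B http_get news.example/")
    return log
```

Only the handset whose sends cluster at the 1.3-second spacing and whose polls to one host recur every 65 seconds is flagged; the handset with a handful of irregular texts is not.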
“You have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the web and sending SMS messages, but not many people read the fine print when installing Android applications,” Conway noted.
The campaign has been around for a couple of months in various iterations, starting out by offering a fake spamblocker (wink wink) and progressing to offering gift cards before showing up again offering games.