Android Worm Dangles Pictures to Lure Users to Click

Robert Lipovsky, a security researcher at ESET, first detected this interesting new piece of Android malware, dubbed Android/Samsapo.A. It uses a social engineering technique typical of computer-based worms to spread itself, making use of the intelligence behind smartphones.

When running on an Android device, it will send an SMS message in Russian that translates as “Is this your photo?” Then, tantalizingly, it will include a link to the malicious APK package that, when downloaded, will send the worm out to all of the user’s contacts.

“This technique wouldn’t raise an eyebrow on Windows, but is rather novel on Android,” Lipovsky said.

He added, “The main characteristic feature of any computer worm is that it uses a more-or-less automated mechanism for spreading and finding new victims. The more automated kinds are able to crawl networks and infect vulnerable hosts, whereas the more common types usually spread either as email attachments (although typical mass-mailing worms are quite uncommon today), through removable media (likewise, spreading via autorun.inf files is also on the decline) or through URL links in emails, instant messaging or Facebook messages (or other social networks).”

This particular worm is set up to do some damage. It can act as spyware, uploading personal information from the device, including phone numbers and text messages, to a remote server; act as an SMS Trojan, registering the phone number with a premium-rate service; and download additional (malicious) files from specified URLs. It can also block phone calls and modify alarm settings.

It’s also hard to spot, since it tries to appear as a system utility: the package name is “com.android.tools.system v1.0,” Lipovsky noted. It also has no GUI and no icon in the application drawer.
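
The hiding traits described above can be combined into a simple triage check over a device's app inventory. The following Python is an added example, not code from ESET or from the article; the inventory records, the permission sets and the threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

SYSTEM_LOOKING_PREFIXES = ("com.android.", "android.", "com.google.android.")
SYSTEM_PATHS = ("/system/", "/product/", "/vendor/")
# Assumption: permissions an app would need for the behaviour described above.
SMS_SPREAD_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}
SMS_SPY_PERMS = {"android.permission.READ_SMS", "android.permission.INTERNET"}

@dataclass
class App:
    package: str
    apk_path: str
    has_launcher_activity: bool
    permissions: set = field(default_factory=set)

def triage(app):
    """Return the reasons an app deserves a closer look (empty list if none)."""
    reasons = []
    user_installed = not app.apk_path.startswith(SYSTEM_PATHS)
    if user_installed and app.package.startswith(SYSTEM_LOOKING_PREFIXES):
        reasons.append("system-style package name on a user-installed app")
    if user_installed and not app.has_launcher_activity:
        reasons.append("no icon in the application drawer")
    if SMS_SPREAD_PERMS <= app.permissions:
        reasons.append("can read contacts and send SMS")
    if SMS_SPY_PERMS <= app.permissions:
        reasons.append("can read SMS and reach the network")
    return reasons

def suspicious(apps, threshold=3):
    """Flag apps that match at least `threshold` independent indicators."""
    results = {a.package: triage(a) for a in apps}
    return {pkg: r for pkg, r in results.items() if len(r) >= threshold}

ALL_SMS = SMS_SPREAD_PERMS | SMS_SPY_PERMS
# Constructed sample inventory; only the first package name comes from the article.
INVENTORY = [
    App("com.android.tools.system", "/data/app/com.android.tools.system-1.apk",
        False, set(ALL_SMS)),
    App("com.android.settings", "/system/priv-app/Settings/Settings.apk",
        True, {"android.permission.READ_CONTACTS"}),
    App("org.example.messenger", "/data/app/org.example.messenger-1.apk",
        True, set(ALL_SMS)),
    App("org.example.keyboard", "/data/app/org.example.keyboard-1.apk",
        False, {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for pkg, reasons in suspicious(INVENTORY).items():
        print(pkg, "->", "; ".join(reasons))
```

No single indicator is conclusive: legitimate messengers hold the same SMS permissions and input methods often have no launcher icon, which is why the check requires several indicators together.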

It appears to be a recent addition to the threat landscape; the attacker’s domain that serves as a drop-zone for the Android malware was registered on April 24, 2014. For now, the worm mostly targets Russian Android users, but it could spread to other regions quickly.

To stay protected, users should avoid clicking on any link in any medium that they’re not expecting and haven’t vetted. They should also restrict the installation of applications from unknown sources and install an anti-malware package.
