Trend Micro spots Android malware acting as SMS relay

According to Mark Balanza, the security vendor's threats analyst, the new type of Android malware - unlike previous Android-specific threats he and his team have seen - does not piggyback on legitimate Android apps.

Once installed, he says, ANDROIDOS_CRUSEWIN displays a blank window for a split second and then closes it immediately.

"This malware installs a service called 'FlashService' and employs two receivers called 'FlashReceiver' and 'SMSReceiver' which are triggered after boot up and when an SMS is received, respectively", he says in his latest security blog.

FlashReceiver, which is run after booting up, says Balanza, starts the FlashService module.

Receivers, he explains, are functions that are executed when a specific intent is received. For simplicity, he says, an intent can be thought of as an event.

When an SMS is received, he says, the operating system will broadcast the event, triggering the execution of all functions that are supposed to be executed every time the event occurs.

Balanza claims that the FlashService service is responsible for communicating with its server, connecting to a crimeware URL on the Android device's bootup in order to download an XML configuration file.

So why does the malware behave this way?

According to the Trend Micro researcher, the malware can be used by cybercriminals in one of three different ways:

"First, it can be used to abuse premium services. The malware author can command the backdoor to enrol the affected device on a specified premium service. The user will not have any idea that [their device] has already been enrolled since the SMS notifications from the said service are also deleted by the malware", he says.

"Second, it can be used to spy on the targeted device. The malware author can set a specific number. Once an SMS message is received from that number, the SMS body is uploaded to its server", he adds.

The Trend Micro threat analyst says that, lastly, the malware can be used as an SMS relay (like a proxy server for SMS). The malware author can then send and receive SMS messages through the affected device.

Infosecurity notes that this particular type of malware cannot be readily detected by all IT security apps for the Android platform.

Balanza says that users need to go to Settings>Applications>Running Services and check for the existence of an application with 'FlashService' as its service, and 'com.flashp' as its process.

If found, he says that users can manually remove the malware from their system by going to Settings>Applications>Manage Applications, and then uninstall the application.
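A scripted version of the manual check above, added here as an example and not part of the article or Trend Micro's write-up: it scans the output of `adb shell dumpsys activity services` for a running service named FlashService whose package is com.flashp. The sample dumpsys output is constructed, and the exact ServiceRecord line layout is an assumption based on typical Android builds.

```python
import re
from typing import List, Tuple

# Constructed sample of `adb shell dumpsys activity services` output.
# The ServiceRecord line layout is assumed from typical Android builds.
SAMPLE_DUMPSYS = """ACTIVITY MANAGER SERVICES (dumpsys activity services)
  User 0 active services:
  * ServiceRecord{1a2b3c u0 com.android.music/.MediaPlaybackService}
    intent={cmp=com.android.music/.MediaPlaybackService}
    app=ProcessRecord{4d5e6f 1234:com.android.music/u0a21}
  * ServiceRecord{7a8b9c u0 com.flashp/.FlashService}
    intent={cmp=com.flashp/.FlashService}
    app=ProcessRecord{0d1e2f 5678:com.flashp/u0a57}
"""

# Indicators named in the article: the service name and the process it runs in.
SUSPECT_PROCESS = "com.flashp"
SUSPECT_SERVICE = "FlashService"

# Matches "ServiceRecord{<id> u<n> <package>/<class>}" and captures package and class.
SERVICE_LINE = re.compile(r"ServiceRecord\{[^}]*?\s([\w.]+)/(\.?[\w.]+)\}")


def list_services(dumpsys_text: str) -> List[Tuple[str, str]]:
    """Return (package, fully qualified service class) pairs found in dumpsys output."""
    found = []
    for line in dumpsys_text.splitlines():
        m = SERVICE_LINE.search(line)
        if m:
            pkg, cls = m.group(1), m.group(2)
            # A leading dot means the class name is relative to the package.
            if cls.startswith("."):
                cls = pkg + cls
            found.append((pkg, cls))
    return found


def find_crusewin(dumpsys_text: str) -> List[Tuple[str, str]]:
    """Flag services whose process and class name match the article's indicators."""
    return [
        (pkg, cls)
        for pkg, cls in list_services(dumpsys_text)
        if pkg == SUSPECT_PROCESS and cls.rsplit(".", 1)[-1] == SUSPECT_SERVICE
    ]


if __name__ == "__main__":
    for pkg, cls in find_crusewin(SAMPLE_DUMPSYS):
        print(f"suspicious service {cls} running in process {pkg}")
```

On a real device, pipe the output of `adb shell dumpsys activity services` into `find_crusewin` instead of the constructed sample.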
