SMS Trojans Spreading to the Rest of the World

ID THREATPOST:0BD898492E3C29C20740171D538A0708
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:33:17


SMS Trojans that ride along on supposedly benign mobile apps and then send out messages to high-priced numbers have been a problem in some Asian and Eastern European countries for several years now, most notably in Russia and China. But now the attackers have realized that there’s a whole big world of users out there to target and have begun going after people in other countries with new strains of SMS malware.

A new SMS Trojan, seen in some limited infections so far, is targeting users in a number of European and western countries right now, including Belgium, Canada, France, Germany, Luxembourg, Spain, Switzerland and the UK. The Trojan has a couple of main functions, each of which is designed to deceive the user and surreptitiously run up charges on her mobile bill.

The Trojan has been seen thus far hiding inside an app that supposedly monitors the victim’s SMS and data usage on the device.

The Android app has shown up on file-sharing sites under the name SuiConFo.apk, according to research by Kaspersky Lab researcher Denis Maslennikov, and once it’s installed on a victim’s device, it will initially display an error message saying that the user’s device isn’t compatible with the app. That’s just the beginning, however.

“Right after displaying this message the Trojan will call the public method getSimCountryIso in the TelephonyManager class in order to retrieve the ISO country code of the SIM card,” Maslennikov wrote. “After defining the country and, therefore, the number and message text, the Trojan will send 4 SMS messages with the help of the sendTextMessage method. SMSReceiver.class is responsible for hiding incoming SMS messages from particular numbers. If there is an incoming SMS message from one of the following numbers: 81001, 35064, 63000, 9903, 60999, 543, 64747, then the Trojan will try to hide it using the abortBroadcast method. The number itself is retrieved from the SMS message with the help of getDisplayOriginatingAddress.”

So the Trojan will remain in the background, checking for incoming messages from specific SMS numbers, and will then hide those messages from the user so she isn’t aware of the infection and the fact that outgoing messages are being sent to premium-rate numbers. The charges for those messages can accumulate quickly, and if the user isn’t aware that they’re being sent, it can be an expensive infection.
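For analysts triaging a suspect app, the behaviour described above can be turned into a static check over decompiled output. The following is an added example, not code from Kaspersky Lab or from the article; it assumes the manifest and smali text have already been extracted by a decompiler, and the function name, the sample package name and the sample input are constructed for illustration.

```python
import re

# API references named in the write-up, in smali (decompiled Dalvik) notation.
API_MARKERS = {
    "sim_country_lookup": "Landroid/telephony/TelephonyManager;->getSimCountryIso()",
    "sends_sms": "Landroid/telephony/SmsManager;->sendTextMessage(",
    "hides_incoming_sms": "->abortBroadcast()V",
    "reads_sender": "Landroid/telephony/SmsMessage;->getDisplayOriginatingAddress()",
}
# Sender numbers the article lists as being hidden from the user.
HIDDEN_SENDERS = {"81001", "35064", "63000", "9903", "60999", "543", "64747"}
SMS_PERMS = ("android.permission.SEND_SMS", "android.permission.RECEIVE_SMS")

def triage(manifest: str, smali: str) -> dict:
    """Return matched indicators and a verdict for one decompiled app."""
    hits = sorted(name for name, ref in API_MARKERS.items() if ref in smali)
    perms = [p for p in SMS_PERMS if p in manifest]
    consts = set(re.findall(r'const-string(?:/jumbo)? \w+, "(\d{3,6})"', smali))
    senders = sorted(consts & HIDDEN_SENDERS)
    # Sending SMS plus suppressing inbound SMS is the pairing described above;
    # either call alone is common in legitimate messaging apps.
    suspicious = len(perms) == 2 and {"sends_sms", "hides_incoming_sms"} <= set(hits)
    return {"apis": hits, "permissions": perms, "senders": senders,
            "suspicious": suspicious}

# Constructed sample input (hypothetical app, not the real SuiConFo.apk).
SAMPLE_MANIFEST = """
<manifest package="com.example.usagemonitor">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>
"""
SAMPLE_SMALI = """
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimCountryIso()Ljava/lang/String;
invoke-virtual/range {v1 .. v6}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
invoke-virtual {v2}, Landroid/telephony/SmsMessage;->getDisplayOriginatingAddress()Ljava/lang/String;
const-string v3, "81001"
invoke-virtual {p0}, Lcom/example/usagemonitor/SMSReceiver;->abortBroadcast()V
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SMALI))
```

A positive verdict is a triage signal for manual review, since the check matches API usage and not intent.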

Researchers have found similar SMS Trojans going after users in the United States, the UK and the Netherlands in recent months, but infections have been limited so far. That may well change as the popularity of Android devices–which have been the main target for SMS Trojans–continues to increase.