The Android platform has become the playground of choice for attackers and malware authors looking to make a quick buck. The latest example is a premium-rate SMS Trojan that not only automatically sends costly SMS messages, but also prevents users' carriers from notifying them of the new charges.
The new piece of malware, which is known as HippoSMS, has been found in unofficial Android app markets in China. Researchers at North Carolina State University came across the HippoSMS malware in some alternative Android markets, and their analysis showed that the malware is set up in sort of a classic host-parasite fashion. The malware is embedded in a seemingly legitimate application in the market, and once users download and install that app, the fun begins.
"Our investigation shows that HippoSMS directly piggybacks the host app so that when the app is launched, it will immediately activate one service to send SMS messages to a hard-coded premium-rated number (1066******). After that, it registers one ContentObserver to monitor incoming SMS messages. Inside the ContentObserver, it will delete any SMS message if it starts with the number "10." Note that the numbers such as 10086/10010 represent legitimate mobile phone service providers in China and are typically used to notify users about the services they are ordering and the information of users' current balance of their mobile phone accounts. As a result, we believe the removal of the related SMS messages is used to hide the additional charges caused from the malware," Xuxian Jiang, an assistant professor at NC State's department of computer science, wrote in an analysis of the new malware.
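As an added illustration (not code from the NC State analysis or from this article), the Python sketch below triages decompiled app source for the combination of behaviours described above: sending to a hard-coded number, observing the SMS store, and deleting messages from it. The Android API names are real; the regexes, the scoring rule and the sample fragments are constructed assumptions.

```python
import re

# Patterns over decompiled Java source. The Android API names are real; the
# regexes and the scoring rule are assumptions of this example.
SEND = re.compile(r'\.sendTextMessage\(\s*"(\+?\d{3,})"')   # literal destination
OBSERVE = re.compile(r'\bregisterContentObserver\s*\(')
DELETE = re.compile(r'\.delete\s*\(')
SMS_URI = re.compile(r'"content://sms[^"]*"')
PREFIX = re.compile(r'\.startsWith\(\s*"(\d+)"')            # sender prefix filter


def triage(source: str) -> dict:
    """Report which of the described behaviours appear in one source file."""
    touches_sms = bool(SMS_URI.search(source))
    found = {
        "hardcoded_destinations": SEND.findall(source),
        "observes_sms": touches_sms and bool(OBSERVE.search(source)),
        "deletes_sms": touches_sms and bool(DELETE.search(source)),
        "sender_prefixes": PREFIX.findall(source),
    }
    # Flag only the combination: sending alone or observing alone is common
    # in legitimate messaging and backup apps.
    found["suspicious"] = bool(found["hardcoded_destinations"]
                               and found["observes_sms"]
                               and found["deletes_sms"])
    return found


# Constructed fragments (not recovered from any sample); the number is a placeholder.
SUSPECT = '''
smsManager.sendTextMessage("0000000000", null, body, null, null);
resolver.registerContentObserver(Uri.parse("content://sms"), true, observer);
if (address.startsWith("10")) { resolver.delete(Uri.parse("content://sms/" + id), null, null); }
'''
BACKUP_APP = '''
resolver.registerContentObserver(Uri.parse("content://sms"), true, observer);
Cursor c = resolver.query(Uri.parse("content://sms/inbox"), null, null, null, null);
'''
MESSENGER = '''
smsManager.sendTextMessage(recipient, null, text, sentIntent, null);
'''

if __name__ == "__main__":
    for name, src in [("suspect", SUSPECT), ("backup", BACKUP_APP), ("messenger", MESSENGER)]:
        print(name, triage(src))
```

A hit is a reason to review the app manually, not a verdict: the heuristic works per file and will miss code that builds the number or URI at runtime.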