Android botnet poses as Google app, pilfers email and SMS


Summary: New Android malware captures all the victim's SMS and shoots them off to the attacker's email accounts.


Security researchers have fingered Chinese cybercriminals as the source of newly-discovered Android malware that poses as a Google app to steal messages from victims.

The malware, dubbed MisoSMS, is being distributed through SMS phishing, which sees users tempted to click on a link that takes them to the app in a non-Google store. The app is presented to victims as an Android settings app that upon installation appears as 'Google Vx' — an app clearly not from Google that will siphon off the victim's SMS and email to servers hosted in China.

Researchers at security firm FireEye who discovered the malware claim it's been used in at least 64 spy campaigns targeted mainly at users in South Korea.

Once Google Vx is installed, the app asks for administrator permissions on the device and uses them to conceal itself while it establishes a connection to the attacker's botnet infrastructure, which relies on hundreds of web-based email accounts to communicate with the app.

Fake Google Android software, 'Google Vx'. Image: FireEye

The setup allows the app to forward the content of SMS messages and the sender's number to the attacker's email accounts as soon as the text messages are received. As the app uses webmail rather than SMS to pass on the details, it checks whether the device has an internet connection and even keeps a backup of messages whose forwarding failed so they can be resent later.
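The behaviour described above, a device-administrator receiver combined with SMS access and network access, is visible in an app's manifest before the app ever runs. The following triage script is an added example written for this page, not FireEye's tooling or anything recovered from MisoSMS: it parses a decoded AndroidManifest.xml, flags that combination, and applies a labelled heuristic for apps whose label invokes Google from a package outside com.google.*. The two manifests are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; ElementTree exposes them as "{ns}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
A_LABEL = "{%s}label" % ANDROID_NS

SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
INTERNET_PERMISSION = "android.permission.INTERNET"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def declares_device_admin(root):
    """True if the manifest declares a device-admin receiver: one protected by
    BIND_DEVICE_ADMIN that listens for the DEVICE_ADMIN_ENABLED action."""
    for receiver in root.iter("receiver"):
        if receiver.get(A_PERMISSION) != DEVICE_ADMIN_PERMISSION:
            continue
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            return True
    return False


def triage_manifest(manifest_xml):
    """Return a small report: package, label, indicators found and a verdict.
    'review' = SMS access + network access + device admin all present."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package") or ""
    uses = {e.get(A_NAME) for e in root.iter("uses-permission")}
    application = root.find("application")
    label = (application.get(A_LABEL) if application is not None else "") or ""

    sms = sorted(uses & SMS_PERMISSIONS)
    internet = INTERNET_PERMISSION in uses
    device_admin = declares_device_admin(root)

    indicators = []
    if sms:
        indicators.append("reads or receives SMS: " + ", ".join(sms))
    if device_admin:
        indicators.append("requests device administrator rights")
    if sms and internet:
        indicators.append("SMS access combined with network access (exfiltration path)")
    # Heuristic (assumption, not from the article's data): a label that invokes
    # Google from a package outside com.google.* mirrors the 'Google Vx' lure.
    if "google" in label.lower() and not package.startswith("com.google."):
        indicators.append("label '%s' impersonates Google from package %s" % (label, package))

    if sms and internet and device_admin:
        verdict = "review"
    elif indicators:
        verdict = "note"
    else:
        verdict = "clean"
    return {"package": package, "label": label, "verdict": verdict, "indicators": indicators}


# Constructed manifests for the demonstration; not real MisoSMS artefacts.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.settings.fake">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Google Vx">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(xml)
        print(name, report["verdict"], report["package"])
        for ind in report["indicators"]:
            print("  -", ind)
```

Device-admin rights are also requested by legitimate corporate email clients, so the check is a triage signal for a review queue rather than a verdict on its own; the manifest is read after decoding the APK, which the script assumes has already been done.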

It's far from the first Android malware designed to steal SMS and not the first Android botnet to be seen. However, researchers note MisoSMS' use of webmail accounts is an interesting new element used in a number of recent attacks on Android users in South Korea.

"Some SMS-stealing malware sends the contents of users' SMS messages by forwarding the messages over SMS to phone numbers under the attacker's control. Others send the stolen SMS messages to a (command and control) server over TCP connections. This malicious app, by contrast, sends the stolen SMS messages to the attacker's email address over an SMTP connection," FireEye's researchers wrote, pointing to malware that used similar techniques discovered earlier this year by Korean security vendor INCA.

In all, the researchers have found 450 email accounts at an unnamed Chinese webmail provider that are being used in the attacks. The accounts have since been disabled.
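Because the exfiltration channel is SMTP from the handset itself rather than SMS forwarding or a custom TCP C2 channel, it shows up in ordinary egress logs as mail-submission connections from phones to mail servers the organisation does not operate. The detection below is an added example, not FireEye's rule set: it reads constructed connection-log lines, treats 10.20.0.0/16 as the handset Wi-Fi segment and 198.51.100.25 as the organisation's own mail submission host (both assumptions), and reports handsets opening SMTP connections (ports 25, 465, 587) to anything outside that allowlist.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the handset segment and the only mail host
# phones are expected to submit to. Adjust both to the real environment.
HANDSET_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MAIL_ALLOWLIST = {ipaddress.ip_address("198.51.100.25")}
SMTP_PORTS = {25, 465, 587}

# Constructed log format, one outbound connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

# Constructed sample: 10.20.0.15 talks to its own mail host, then to two
# unknown mail servers; 10.20.0.42 behaves normally; 10.50.1.7 is not a handset.
SAMPLE_LOG = """\
2013-12-19T12:16:24 src=10.20.0.15 dst=198.51.100.25 dport=587 proto=tcp
2013-12-19T12:16:31 src=10.20.0.15 dst=203.0.113.8 dport=25 proto=tcp
2013-12-19T12:16:33 src=10.20.0.15 dst=203.0.113.8 dport=25 proto=tcp
2013-12-19T12:17:02 src=10.20.0.15 dst=203.0.113.9 dport=465 proto=tcp
2013-12-19T12:17:40 src=10.20.0.42 dst=198.51.100.25 dport=587 proto=tcp
2013-12-19T12:18:05 src=10.20.0.42 dst=203.0.113.50 dport=443 proto=tcp
2013-12-19T12:18:20 src=10.50.1.7 dst=203.0.113.8 dport=25 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def is_handset(ip):
    return any(ip in net for net in HANDSET_NETS)


def find_smtp_exfil(log_text):
    """Group SMTP connections from handsets to non-allowlisted hosts by source.
    Returns {src_ip: [(timestamp, dst_ip, dport), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] not in SMTP_PORTS:
            continue
        if not is_handset(rec["src"]):
            continue
        if rec["dst"] in MAIL_ALLOWLIST:
            continue
        hits[str(rec["src"])].append((rec["ts"], str(rec["dst"]), rec["dport"]))
    return dict(hits)


if __name__ == "__main__":
    for src, conns in find_smtp_exfil(SAMPLE_LOG).items():
        print("%s: %d SMTP connection(s) to non-allowlisted hosts" % (src, len(conns)))
        for ts, dst, port in conns:
            print("  %s -> %s:%d" % (ts, dst, port))
```

Phones running ordinary mail clients submit over port 587 to their provider, so the allowlist has to cover every mail service the user population legitimately uses; the rule is for surfacing a handset for review, and a burst of submissions timed with inbound SMS is the pattern the article describes.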

Typically security experts advise users not to download apps from places other than Google Play, although in some markets, like China, third-party app stores are the norm, and MisoSMS is hosted in one such third-party store. 

A FireEye spokesperson told ZDNet: "Miso follows a new emerging type of mobile threat that is distributed via SMS phishing, rather than traditional email. Why? It had a good chance of being delivered to the recipient unlike email where email hygiene filters gave a high chance of stopping it [...]

"Unlike most SMSishing attacks this one once installed sends intercepted SMS messages back to a number of hardcoded email addresses hosted by a provider in China. We are currently working with Korean law enforcement to ensure they have our research to help them protect consumers in South Korea."

Topics: Security, Android, Mobility

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.


Talkback

9 comments
  • Hmmmm

    Let me see if I have this right.... You dedicated an entire article to an app that isn't in the Play Store, and thus hasn't been vetted by Google, and is unlikely to be encountered by anyone with an Android phone that isn't in some backwater society where installing some random app that pops up in an SMS message is normal? Geez! I'm 100% sure this article was written just to prey on the fears of the less informed and garner clicks because it's nothing but fluff.
    cj100570@...
    • I don't get it.

      Android folks always brag about not being stuck in Apple's "Walled Garden". Now you have to stay in the Play Store...isn't it the same?
      rfoto
      • Not at all

        There are other *legit* app stores out there from well known providers such as Amazon that offer choice. Whether or not you decide to sideload an app that comes to you in a text message with a foreign language written above the copyright is another matter.
        MicroNix
      • Seems people are skipping a key point...

        If I read the article correctly, the app asks for admin (root) privileges before it is able to do anything. That means the person would have to have rooted their phone for this app to become effective in its intended purpose. I would think that most people who realize the significance of rooting an android device would also be aware of how not to fall for scams like this as opposed to people who root their device just to do so and not realize the significance of what they are doing.
        TitanV
        • No they're not.

          You may have read the article correctly, but you didn't understand it quite right. The program doesn't ask the user for "root" privileges, but simply to allow the app to be a device administrator. This is a very different concept, and relates to the device admin API that was introduced in Android 2.2. You don't need to have a rooted phone to allow the app this privilege, and many enterprise users would already have granted a similar permission in order to sync to their corporate email, so unless they're paying attention, they might well just click through it.
          pcockerell
  • Wondering

    If anyone wants to trade their Z10 for a Samsung Nexus straight up. Android is beginning to really frighten the dickens out of me. I now do not have any optional apps and do not even use the phone for emails or texting. No web surfing, only .mp3s I have vetted on another system first.
    BrianLevyEsq
    • You forgot...

      the "/sarcasm" at the end of your post :)
      MicroNix
    • you can't "catch" malware on android.. it always relies on user stupidity.

      Many of Windows' flaws like Code Red and Nimda you could catch without doing a thing.. Android is not like that... They have to actually trick silly users into installing malicious apps. Not the same thing at all. If you download something off a Chinese website you don't know and install it on Windows... Guess what? It's probably got malware too!
      frankieh
  • Encrypt everything; Open and scrub all attachments

    Forward attachments with the best compression to save user bandwidth charges.... if and only if they are clean. That is a necessary service. Those without it are Scroogled.
    jnffarrell