    Author Archive - Bernadette Irinco (Technical Communications)




    Smartphones are becoming cybercriminals’ favorite malware vector. Last week, TrendLabs reported the first ever Android Trojan (detected as TROJ_DROIDSMS.A) found in the wild. Though it failed to perform its intended routine, the attack showed that cybercriminals are always on the lookout for new means to distribute malware.

    Recently, Trend Micro threats analysts Edgardo Diaz and Alvin Jethro Bacani came across a possibly malicious Android app known as Tap Snake (detected as TSPY_DROISNAKE.A) that is circulating in the Android Market. The said app sends the user’s GPS location via HTTP POST (gpsdatapoints.appspot.com/addpoint) the moment the user accepts the app’s end-user license agreement (EULA).


    Even worse, the app cannot be terminated to prevent it from sending out user data. The user is thus left with only two options: uninstall the app or stop the SnakeService. A remote user can use another Android app known as GPS SPY to monitor a Tap Snake user’s location for as long as Tap Snake is installed on the user’s device.


    To stop SnakeService, users can do the following:

    1. Go to Settings > Applications > Running Service.
    2. Look for SnakeService and select Stop.

    Threats analyst Mark Balanza advises users to first check what kinds of permission an app asks for before installing it. In this case, Tap Snake has no functional need for GPS data, yet it asks for a location-related permission in its EULA. This mismatch should prompt users to be wary of installing the app.

    Analysis and screenshots provided by threats analysts Edgardo Diaz and Alvin Jethro Bacani. Information on the malicious routines of the said application was previously reported here.

    Update as of August 22, 2010, 7:00 p.m. (UTC)

    TSPY_DROISNAKE.A has been renamed to ANDROIDOS_DROISNAKE.A.




    Trend Micro researchers were alerted to the discovery of the first SMS Trojan running on Google’s Android OS smartphones.

    Upon investigation, the malware disguises itself by using the Windows Media Player icon. It also attempts to send text messages to numbers such as 3353 or 3354 with the message string 798657 via the current default Short Message Service Center (SMSC). To do so, it requests the android.permission.SEND_SMS permission, which allows the said app to send messages. This routine is similar to the Symbian malware we blogged about that also posed as an application and sent text messages to specific numbers.


    According to advanced threats researcher Ivan Macalintal, the payload of this attack is not new since in the past, we’ve seen mobile threats that perform the same fraudulent routines. “This income-generating scheme is a low-hanging fruit for cybercriminals. What makes it unique is the use of Android as the targeted platform and, with the increasing popularity and usage of Android, we can expect more malicious code served up in that alley.”

    Trend Micro products detect this as TROJ_DROIDSMS.A.

    Analysis and screenshots provided by threats analysts Mark Balanza and Alvin Jethro Bacani, and threat response engineer Jessa De La Torre.

    Update as of August 12, 2010, 10:15 PM (UTC)

    Upon further investigation, threats analyst Edgardo Diaz confirmed that the malware code did not work properly due to programming errors that caused exceptions. In effect, the malware failed to do its intended routine, which is to send SMS to premium-rate numbers.

    Update as of August 22, 2010, 7:00 p.m. (UTC)

    TROJ_DROIDSMS.A has been renamed to ANDROIDOS_DROIDSMS.A.
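Both posts above turn on the same defender’s check: what an app asks permission for versus what it plausibly needs (location plus network access in Tap Snake, SEND_SMS in DROIDSMS). The following is an added example, not Trend Micro’s code, that reads the uses-permission entries from an AndroidManifest.xml and flags those two patterns; the manifest and the package name com.example.snakegame are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission patterns worth a second look before installing an app.
# Each rule: (finding label, permissions that must ALL be declared).
RISK_RULES = [
    ("location data can leave the device (cf. Tap Snake)",
     {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}),
    ("location data can leave the device (cf. Tap Snake)",
     {"android.permission.ACCESS_COARSE_LOCATION", "android.permission.INTERNET"}),
    ("app can send SMS, e.g. to premium-rate numbers (cf. DROIDSMS)",
     {"android.permission.SEND_SMS"}),
]


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")  # android:name attribute
        if name:
            names.add(name)
    return names


def review_permissions(manifest_xml: str) -> list:
    """Return the distinct risk labels whose required permissions are all present."""
    perms = declared_permissions(manifest_xml)
    findings = []
    for label, required in RISK_RULES:
        if required <= perms and label not in findings:
            findings.append(label)
    return findings


# Constructed manifest fragment modelled on the Tap Snake case: a game
# that declares fine location plus network access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

if __name__ == "__main__":
    for finding in review_permissions(SAMPLE_MANIFEST):
        print("WARNING:", finding)
```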




    Trend Micro threat analysts were alerted to the discovery of several compromised websites injected with a malicious JavaScript, detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses the defer attribute, which delays the execution of its routine, namely redirecting the user to several malicious websites. The delay is intended to keep users from suspecting that they are already being infected. In addition, this malicious JavaScript is hosted on PHP servers. If a user visits an infected website, it displays a white screen; viewing the page source, on the other hand, reveals the obfuscated code described below.


    Upon analysis, it was observed that the injected code (found on most infected sites) begins with one of two markers: /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va.

    According to the Unmask Parasites blog, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL.

    Trend Micro Smart Protection Network secures users from this attack by blocking all related malicious domains to prevent user access and, consequently, malware infection. It is, however, advisable for users to keep their systems up-to-date and for Web administrators to change their FTP credentials.

    Erratum: The compromised websites are running on PHP servers.

    Update as of January 5, 2010, 1:00 PM PST

    According to security specialist Noriaki Hayashi, since the redirections are controlled by the owners of the malicious Web servers, the final payload of the whole infection routine is that users are infected with either a FAKEAV variant (detected by Trend Micro as TROJ_FAKEAV.SMF) or a BREDOLAB variant (detected as TROJ_BREDLAB.SME).
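For a Web administrator checking whether their own pages carry this injection, the two markers quoted above make a usable signature. The following is an added example, not Trend Micro’s code, that scans page source for inline script blocks starting with either marker (whitespace-normalised, since the post shows both spaced and unspaced forms) and notes whether the tag carried the defer attribute; the sample HTML is constructed and its script body is a placeholder, not the real obfuscated code.

```python
import re

# Markers the post reports at the start of the injected code. Whitespace is
# stripped before comparison so "try{window.onload = function" also matches.
KNOWN_PREFIXES = (
    "/*GNUGPL*/try{window.onload=function(){var",
    "/*CODE1*/try{window.onload=function(){va",
)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def normalise(js: str) -> str:
    """Remove all whitespace so spacing variants of the marker compare equal."""
    return re.sub(r"\s+", "", js)


def scan_html(html: str) -> list:
    """Return one finding per inline <script> whose body starts with a known marker.

    Each finding records the marker matched, whether the tag used the defer
    attribute (as the post describes), and the byte offset of the tag."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        compact = normalise(body)
        for prefix in KNOWN_PREFIXES:
            if compact.startswith(normalise(prefix)):
                findings.append({
                    "prefix": prefix,
                    "deferred": re.search(r"\bdefer\b", attrs, re.I) is not None,
                    "offset": m.start(),
                })
                break
    return findings


# Constructed page source: one legitimate deferred external script and one
# injected inline block carrying the reported marker (body is a placeholder).
SAMPLE_HTML = """<html><head>
<script defer src="/js/site.js"></script>
<script defer>/*CODE1*/ try{window.onload = function(){va/* placeholder */}}catch(e){}</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"marker {f['prefix']!r} at offset {f['offset']} (defer={f['deferred']})")
```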




    Old trends never die, they just resurface from time to time. Case in point, spammed messages that have .MP3 file attachments, which were last seen two years ago, made their presence felt once again today.

    Trend Micro researchers were alerted to the discovery of spammed messages that bore no subject and no body content. The email messages contained only an .MP3 file which, when opened, plays a voice advertising Viagra and other sexual enhancement pills. The said “voice” also entices users to visit a certain URL, which points to the all-too-familiar Canadian pharmacy sites.


    In the past, Trend Micro has blogged about how cybercriminals utilized .MP3 files, or files that purport to be such, to proliferate their malicious activities in the following posts:

    Users are strongly advised not to open or execute attached files from unknown senders. Trend Micro secures users from this attack via the Smart Protection Network, which blocks the said spammed messages.





    As the holidays kick off, people are definitely going to be busy searching for the perfect gifts (with the greatest discounts) for their loved ones. However, the increase in the number of shoppers during the holidays will most definitely be paralleled by an increase in cybercriminal attacks.

    In the past, Trend Micro has blogged about how cybercriminals used Google Trends and rigged search results pertaining to popular searches. This season, cybercriminals will probably use the same tactic based on popular product searches. Some of the top searches in Google yield Wii, iPod, xbox, xbox 360, and iPod Touch. The said results also disclosed that gaming consoles and computer games are at the top of the list (specifically for the United States). No surprises there, really, as this industry is continuously booming.

    Moreover, new games are set to be released in time for the holidays. The release of Grand Theft Auto IV last year spurred a spam campaign. Clearly, cybercriminals are always on the lookout for opportunities to infect users.

    With that, Trend Micro advises users to be wary when purchasing online gifts and products. Make sure to visit only legitimate websites. Lastly, it is recommended that you install an antivirus product like Trend Micro Smart Protection Network™ that actively blocks malicious URLs to prevent accessing malicious sites and eventually getting infected.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice