Trend Micro researchers were alerted to the discovery of the first SMS Trojan running on Google’s Android OS smartphones.
Our investigation found that the malware disguises itself with the Windows Media Player icon. It attempts to send text messages containing the string 798657 to numbers such as 3353 or 3354 via the current default Short Message Service Center (SMSC). The app declares the android.permission.SEND_SMS permission, which allows it to send messages. This routine is similar to the Symbian malware we blogged about that also posed as an application and sent text messages to specific numbers.
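A defender-side triage check for the behavior described above, added here as an example and not Trend Micro's detection logic: it reads a decoded (plain-text) AndroidManifest.xml and flags apps that request android.permission.SEND_SMS, escalating when the app label suggests a media app. The label keywords, verdict names, and sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME, LABEL = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}label"
SEND_SMS = "android.permission.SEND_SMS"  # permission named in the post
# Assumed heuristic: label words for app types that have no reason to send SMS.
MEDIA_HINTS = ("player", "media", "movie", "video")

def triage_manifest(xml_text):
    """Classify a decoded (plain-text) AndroidManifest.xml by its SMS exposure."""
    root = ET.fromstring(xml_text)
    perms = sorted({p.get(NAME) for p in root.iter("uses-permission") if p.get(NAME)})
    app = root.find("application")
    label = app.get(LABEL, "") if app is not None else ""
    if SEND_SMS not in perms:
        verdict = "ok"
    elif any(h in label.lower() for h in MEDIA_HINTS):
        verdict = "suspicious"  # media-style app that can send SMS on its own
    else:
        # Includes labels given as resource references (@string/...), which
        # cannot be judged from the manifest alone.
        verdict = "review"
    return {"package": root.get("package"), "label": label,
            "permissions": perms, "verdict": verdict}

def manifest(package, label, perms):
    """Build a constructed sample manifest for the demo below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'{uses}<application android:label="{label}"/></manifest>')

# Constructed samples; package names are placeholders, not from the post.
SAMPLES = [
    manifest("com.example.movieplayer", "Movie Player", [SEND_SMS]),
    manifest("com.example.messenger", "@string/app_name",
             [SEND_SMS, "android.permission.READ_CONTACTS"]),
    manifest("com.example.notes", "Notes", ["android.permission.INTERNET"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage_manifest(sample)
        print(result["package"], result["verdict"], result["permissions"])
```

A "review" verdict only means the app can send SMS; legitimate messaging apps land there too, so the result is a prompt for manual inspection, not a detection.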
According to advanced threats researcher Ivan Macalintal, the payload of this attack is not new, since we’ve seen mobile threats in the past that perform the same fraudulent routines. “This income-generating scheme is a low-hanging fruit for cybercriminals. What makes it unique is the use of Android as the targeted platform and, with the increasing popularity and usage of Android, we can expect more malicious code served up in that alley.”
Trend Micro products detect this as TROJ_DROIDSMS.A.
Analysis and screenshots provided by threats analysts Mark Balanza and Alvin Jethro Bacani, and threat response engineer Jessa De La Torre.
Update as of August 12, 2010, 10:15 PM (UTC)
Upon further investigation, threats analyst Edgardo Diaz confirmed that the malware code did not work properly because of programming errors that caused exceptions. As a result, the malware failed to perform its intended routine, which is to send SMS messages to premium-rate numbers.
Update as of August 22, 2010, 7:00 p.m. (UTC)
TROJ_DROIDSMS.A has been renamed to ANDROIDOS_DROIDSMS.A.