Android Users Hit With Spam Botnet Virus 'SpamSoldier'

Report says “this sort of attack changes the economics of SMS spam.”

 @YannickLeJacq
on December 19 2012 2:32 PM

If you own an Android smartphone, you might want to think twice before clicking on the link in that text message you received recently asking if you’d like to download a free version of “Grand Theft Auto 3” or “Need For Speed: Most Wanted.” Independent reports from two network security firms have discovered a new spam-forwarding botnet known as SpamSoldier that is infecting Android smartphones. And the infection could be spreading fast across the U.S.

In a report released last Sunday, the network security firm Cloudmark identified a number of malicious mobile apps that were infecting Android smartphones after being downloaded from a server based in Hong Kong instead of Google’s (Nasdaq: GOOG) own app store, Google Play.

The apps are delivered through a text message that prompts users to download popular games like “Angry Birds” or “Max Payne 3” for free just by clicking on an embedded link.

Users still have to follow a few more steps to actually download the malicious software, of course. But Android owners not accustomed to reading all the fine print attached to a mobile app may not notice anything out of the ordinary.

“You have to grant permission to the app to do all sorts of things that no Angry Bird should ever need to do, like surfing the Web and sending SMS messages,” Cloudmark said.

Once that permission is granted, however, the virus “gets right to work,” mobile security firm Lookout said in its report this week.

The Trojan app removes its icon, and may even install a version of the game in question to keep the user unaware as it begins to connect to a Command & Control (C&C) server and receive a new spam message along with a list of 100 more U.S. smartphone contacts to spam.

“You better have an unlimited message plan or your phone bill may come as a bit of a shock,” Cloudmark's report continued.

If the Android user installs the app, its icon vanishes from the home screen, and the app then contacts a remote server to receive a list of target numbers so that it can begin dispensing spam messages via the infected phone.

Lookout noted that SpamSoldier is specifically designed to conceal its tracks by hiding or removing any sign of “malicious activity.” The app intercepts any incoming replies to its spammed text message and conceals outgoing messages from the smartphone owner, leaving him or her unaware of their own complicity in the virus’s spread.

“Compared with PC botnets this was an unsophisticated attack,” Cloudmark said. “However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs.”

“Now that we know it can be done, we can expect to see more and more complex attacks that are harder to take down.”

Both reports caution Android users against opening unexpected messages or responding to offers of free versions of apps outside of Google Play. 
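As an added illustration (not code from Cloudmark, Lookout or the original article), the following Python script checks a decoded AndroidManifest.xml for the permission mix the reports describe in a supposed game: web access together with SMS sending, plus the means to see incoming replies and touch the message log. The sample manifest, its package name and the mapping of the described behaviour to specific Android permissions are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: decoded manifest of a hypothetical "free game" package.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <application>
    <receiver android:name=".Incoming">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return findings for SMS-related capabilities a game has no need for."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    # Web access plus SMS sending: can fetch a target list and text it.
    if {P + "INTERNET", P + "SEND_SMS"} <= perms:
        findings.append("can fetch remote instructions and send SMS")
    # A prioritised SMS_RECEIVED receiver is positioned to see replies first.
    if P + "RECEIVE_SMS" in perms:
        for filt in root.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            prio = int(filt.get(ANDROID_NS + "priority", "0"))
            if SMS_RECEIVED in actions and prio > 0:
                findings.append("elevated-priority SMS receiver (%d)" % prio)
    # Access to the message store allows hiding sent or received texts.
    if perms & {P + "WRITE_SMS", P + "READ_SMS"}:
        findings.append("can read or modify the stored SMS log")
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```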
