December 17, 2012

Security Alert: SpamSoldier

Background
On December 3, in cooperation with one of our carrier partners, Lookout identified SpamSoldier, a spammer botnet agent that uses infected phones to send a barrage of SMS spam messages without the user’s consent.

Summary
All Lookout users are protected against this family of malware, and it appears that the distribution remains relatively limited. Even at these limited distribution levels, SpamSoldier still has the potential to make a big impact at a network level: a single prolonged infection could result in thousands of SMS spam messages.

The Details
SpamSoldier is primarily spread through SMS messages that advertise free versions of popular paid games like Need for Speed or Angry Birds Space. Once the user clicks on a link from one of these SMS messages, their phone downloads an application that claims to install the game. By opening that ‘installer’ app, the user is activating the SpamSoldier trojan.

Once it’s opened, SpamSoldier gets right to work, but first it removes its icon from the launcher to cover its tracks. Meanwhile, a free version of the game in question may even be installed to keep users unsuspecting. The app connects to a remote Command & Control (C&C) server to receive its instructions:

  1. The SMS spam message; and
  2. A list of 100 US phone numbers to spam.

It then churns through that list as fast as the device allows. Once it has exhausted its list of phone numbers, it calls home to get a new list of 100 numbers – rinse and repeat – until the C&C either doesn’t respond or the application is closed.

SpamSoldier also attempts to hide any evidence of malicious activity: the user won’t be able to see outgoing messages, and the app also attempts to intercept any incoming SMS replies so that the user remains blissfully unaware of any problems.
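The sending pattern described above, one identical body blasted at batches of 100 numbers as fast as the handset allows, is visible from the network side even when the handset hides it from the user. As an added example (not Lookout's code or any carrier's detection logic), the following picks that pattern out of outbound SMS records with a sliding-window count of distinct recipients per identical body; the records, sender numbers and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Spam body taken from the campaign text quoted in the alert (defanged URL kept as-is).
SPAM_BODY = ("You've just won a $1000 Target gift card but only the 1st 1000 people "
             "that enter code 7777 at hxxp://holyoffers.com can claim it!")

def sample_records():
    """Constructed outbound-SMS records (sender, timestamp, recipient, body), not real logs.
    One device reproduces the SpamSoldier pattern (one body blasted at a batch of 100
    distinct numbers as fast as the handset allows); the other sends ordinary traffic."""
    t0 = datetime(2012, 12, 3, 9, 0, 0)
    infected, normal = "+15550000001", "+15550000002"
    records = [(infected, t0 + timedelta(seconds=2 * i), f"+1555010{i:04d}", SPAM_BODY)
               for i in range(100)]
    records += [(normal, t0 + timedelta(minutes=m), f"+155502000{m}", "running late, there by 7")
                for m in (1, 2, 3)]
    records.append((normal, t0 + timedelta(minutes=4), "+1555020001", "ok see you then"))
    return records

def find_spam_senders(records, window=timedelta(minutes=10), min_recipients=50):
    """Return {sender: (body, peak_distinct_recipients)} for senders that delivered one
    identical body to >= min_recipients distinct numbers within any window-long span.
    The thresholds are assumptions for this example, not a carrier's or Lookout's."""
    groups = defaultdict(list)
    for sender, ts, recipient, body in records:
        groups[(sender, body)].append((ts, recipient))
    flagged = {}
    for (sender, body), events in groups.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, recipient in events:                  # slide over time-ordered sends
            in_window[recipient] += 1
            while ts - events[start][0] > window:     # expire sends older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_recipients and peak > flagged.get(sender, ("", 0))[1]:
            flagged[sender] = (body, peak)
    return flagged
```

On the constructed data only the infected device is flagged, with a peak of 100 distinct recipients for the spam body; the legitimate device's three-recipient message stays well under the threshold.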

Estimated Impact
It appears that the distribution of this malware is limited. Overall detections remain low, but we’ve observed instances on all major US carriers. The potential impact on mobile networks may be significant if the threat goes undetected for a long period of time. The primary negative impact appears to be the large number of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier’s network.

The sole infection vector appears to be spam SMS messages; we have not yet detected SpamSoldier on any major app stores.

Technical Details
Consistent with CloudMark’s analysis, we’ve seen a number of different spam campaigns active. Examples include:

  • “You’ve just won a $1000 Target gift card but only the 1st 1000 people that enter code 7777 at hxxp://holyoffers.com can claim it!”
  • “Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at hxxp://trendingoffers.com for next 24hrs only!”

How to Stay Safe
Lookout Free and Premium users are automatically protected. Here are two tips to keep your phone safe from malware:

  • Only download apps from reputable app stores and check that the developer is credible before downloading.
  • Download a mobile security app for your phone, like Lookout, that scans for malware.

Looking for more information on mobile threats like SpamSoldier? Check out Lookout’s Top Threats resource.
