A Trojan that infects Android devices is behind an increase in text message spam in the US.
SpamSoldier infects smartphones and spews out thousands of SMS messages without the user's permission. The mobile irritant is primarily spreading through texts that offer free versions of popular paid-for games such as Need for Speed: Most Wanted and Angry Birds Space.
Marks are encouraged to click on a web link in a message that supposedly leads to a game installer. In reality users who open the "installer app" only succeed in infecting their handset with the SpamSoldier Trojan.
Once in place, SpamSoldier gets to work sending more booby-trapped messages, spreading itself further in the process. In some cases a free version of a mobile game may even be installed to distract the user and cover up the fact the smartphone has become a spam-spewing bot.
The software nasty is spreading in the US, according to mobile anti-spam specialist Cloudmark.
"Once infected, a user's phone will be used to silently send out thousands of spam SMS messages without permission to lists of victim phone numbers that the malware automatically downloads from a command-and-control server," according to Cloudmark researcher Andrew Conway. "We've seen a peak rate so far of over half a million SMS messages per day."
"This sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for messages that are sent if he can use a botnet to control devices and cover his costs," it added.
The Trojan is distributed from, largely, .mobi sites on a server in Hong Kong. The scammer behind the app first latched onto the idea in late October, brazenly punting the Trojan as an anti-SMS spam utility before switching to mobile gaming last month, a ploy that's proved much more successful. Over the last three weeks or so the unidentified crook behind the scam has started earning cash from his mobile botnet.
"On 28 November the spammer decided to start monetizing," Conway explained in a blog post on the SpamSoldier threat. "The free game messages continued, but there were also free gift card scam messages mixed in."
The bogus gift card messages state:
You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at http://[redacted].com can claim it!
"Of course, there are not really any free gift cards, this is just a trick to collect your personal information for affiliate programmes and sometimes identity theft," Conway warned.
Cloudmark described the threat as the "first functioning Android botnet sending SMS spam" although it notes that several PC botnets capable of sending spam via email to text message gateways have occasionally cropped up in the past. Mobile malware that sends SMS messages to premium numbers from compromised smartphones is far more commonplace.
An advisory by phone security firm Lookout confirmed that SpamSoldier is targeting US mobile users; the list of targeted numbers downloaded from the botnet typically contains 100 US numbers at a time. It added that the distribution of the malware remains "relatively limited".
"Even at these limited distribution levels, SpamSoldier still has the potential to make a big impact at a network level: a single prolonged infection could result in thousands of SMS spam messages," writes Lookout researcher Derek Halliday.
"Overall detections remain low but we’ve observed instances on all major US carriers. The potential impact to mobile networks may be significant if the threat goes undetected for a long period of time. The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier’s network."
Halliday added: "The sole infection vector appears to be spam SMS messages; we have not yet detected SpamSoldier on any major app stores." ®