The SMS worm Selfmite is back: bigger, badder and now global.
The worm, which first surfaced in June and affects Android smartphones and tablets, has spawned a new version.
Selfmite-B infects many more users, uses several money-making techniques and is generally more dangerous and difficult to stop, warns mobile security firm AdaptiveMobile.
AdaptiveMobile has tracked more than 150,000 messages sent over the past 10 days from over 100 compromised devices found in 16 countries. The latest version of the worm has generated 100 times more traffic than its older sibling, Selfmite-A.
AdaptiveMobile has tracked Selfmite-B in Canada, China, Costa Rica, Ghana, India, Iraq, Jamaica, Mexico, Morocco, Puerto Rico, Russia, Sudan, Syria, USA, Venezuela, and Vietnam.
“This is Selfmite returning on steroids,” said Denis Maslennikov, the security analyst at AdaptiveMobile who discovered the latest version of the worm. “Its more aggressive self-propagating capabilities mean more victims. In addition, it uses multiple links to engage with users, increasing its monetization potential. This additional level of complexity makes Selfmite-B a real concern for both mobile carriers and users.”
Users get infected if they download and install malicious APK files from URLs contained in text messages spammed out by already compromised devices. Once installed, Selfmite-B sends messages to all of the contacts in the user’s phone in a loop, so potential victims keep receiving messages until the mobile carrier detects and blocks them or the owner removes the malware.
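The propagation pattern just described (one link pushed to every contact, and then pushed again) is what a carrier-side filter can key on. As an added example that is not from the article or from AdaptiveMobile, this Python heuristic flags senders whose messaging records show that fan-out; the records, phone numbers and URL are constructed placeholders, and the thresholds are assumptions.

```python
"""Carrier-side fan-out heuristic for SMS worms of the Selfmite-B kind (added
example, not AdaptiveMobile's code). Records are constructed (timestamp, sender,
recipient, body) tuples. A sender is flagged when, inside one window, it sends
the same link to many distinct recipients and re-sends it to one already hit."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def extract_urls(body):
    return {u.rstrip(".,)") for u in URL_RE.findall(body)}

def find_worm_senders(records, window=timedelta(minutes=10),
                      min_recipients=5, min_repeats=1):
    """Map flagged sender -> {'url', 'recipients', 'repeats'}."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, body in records:
        by_sender[sender].append((ts, rcpt, body))
    flagged = {}
    for sender, msgs in by_sender.items():
        msgs.sort()
        for i, (t0, _, _) in enumerate(msgs):   # slide the window start
            seen, repeats = defaultdict(set), defaultdict(int)
            for ts, rcpt, body in msgs[i:]:
                if ts - t0 > window:
                    break
                for url in extract_urls(body):
                    if rcpt in seen[url]:        # same link to same contact again
                        repeats[url] += 1
                    seen[url].add(rcpt)
            for u, rc in seen.items():
                if len(rc) >= min_recipients and repeats[u] >= min_repeats:
                    flagged[sender] = {"url": u, "recipients": len(rc),
                                       "repeats": repeats[u]}
                    break
            if sender in flagged:
                break
    return flagged

def sample_records():
    """Constructed log: one looping worm victim plus one person sharing a link."""
    t = datetime(2014, 10, 8, 9, 0)
    link = "http://short.example/app"            # placeholder, not a real IoC
    worm = [(t + timedelta(seconds=s), "+10000000001", f"+1000000010{n}",
             f"Check this app: {link}")
            for s, n in enumerate([1, 2, 3, 4, 5, 6, 1, 2])]
    benign = [(t + timedelta(minutes=m), "+10000000002", f"+1000000010{n}",
               f"see {link}") for m, n in enumerate([3, 4])]
    return worm + benign
```

Calling `find_worm_senders(sample_records())` flags only the looping sender; raising `min_recipients` or shrinking `window` is how an operator tunes the false-positive rate against group chats and legitimate link sharing.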
The cybercrooks behind the scam have come up with multiple ways to make money, mostly through dodgy affiliate programs. Users are either directed to an application in Google Play after clicking the installed worm’s icon, or they click icons that Selfmite-B has placed on their desktops and are redirected to unsolicited subscription websites. The worm also varies content according to IP address, so users in different countries are redirected to different websites.
The URLs most immediately associated with the spread of the worm have been consigned into oblivion but this does not necessarily mean that the current outbreak is wholly contained.
"We notified Go Daddy about the malicious x.co URLs and at the moment both shortened URLs have been deactivated," AdaptiveMobile explains. "But the fact that the author(s) of the worm can change it remotely using a configuration file makes it harder to stop the whole infection process."
A blog post by AdaptiveMobile - including screenshots and code snippets - gives a more in-depth look at the malware and the scams it is punting. ®