Android botnet abuses people's phones for SMS spam

Security vendor Cloudmark says this is the first time it has detected a botnet that abuses other people's phones to send spam

In a new twist, spammers have built a botnet that sends SMS spam through infected Android phones, shifting the potentially pricey cost of sending spam to victims.

The trend, spotted by security vendor Cloudmark, poses a new challenge for operators. Victims whose phones are sending the SMS spam often do not know their phone is infected, and they could have their account suddenly shut down by their operator if abuse is detected.

"I think they [operators] are still working out how to deal with this," said Andrew Conway, lead software engineer with Cloudmark, which makes antispam products for operators. "This is fairly new."

Cloudmark noticed that a server located in Hong Kong was hosting what appeared to be two games for the Android mobile operating system, "Angry Birds Star Wars" and "The Need for Speed Most Wanted." Both are actually malware that connects the phone to rogue servers, which deliver instructions for a mobile spam campaign.

When connected to the rogue command-and-control servers, the victim's phone receives a list of around 50 phone numbers along with the spam text, Conway said. The malware on the Android device waits a little more than one second after sending each message and eventually checks in with the rogue server to obtain more numbers. If the phone is powered off and on again, the malware starts with it and installs itself as a service on the phone, Cloudmark said.
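The sending pattern described above (a batch of about 50 numbers, one fixed message body, roughly one-second spacing between messages) is what an operator's anti-abuse system can look for in outbound SMS records, since a human subscriber sends to few recipients with varied text and irregular timing. The following is an added example, not Cloudmark's or any operator's code: the record layout, the constructed sample records, the placeholder URL and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not real traffic): a fixed timestamp base and the kind of
# gift-card lure the article describes. The URL is a placeholder.
BASE = datetime(2012, 12, 16, 10, 0, 0)
SPAM_BODY = "You won a $1000 gift card! Pay $5.95 shipping at http://example.invalid/claim"


def constructed_log():
    """Build a constructed outbound-SMS log with two subscribers: an infected handset
    working through a batch of 50 numbers about 1.3 s apart, and a normal user."""
    lines = []
    for i in range(50):
        ts = BASE + timedelta(seconds=1.3 * i)
        lines.append(f"{ts.isoformat()} +15550001111 +1555000{2000 + i} {SPAM_BODY}")
    normal = [
        (BASE + timedelta(seconds=5), "+15550003001", "running late, see you at 7"),
        (BASE + timedelta(minutes=3), "+15550003002", "ok sounds good"),
        (BASE + timedelta(minutes=9), "+15550003001", "parking is full, use the side street"),
    ]
    for ts, recipient, body in normal:
        lines.append(f"{ts.isoformat()} +15550009999 {recipient} {body}")
    return lines


def parse_line(line):
    """Assumed record layout: '<ISO timestamp> <sender> <recipient> <body...>'."""
    ts, sender, recipient, body = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender, recipient, body


def group_by_sender(lines):
    """Map each sending number to its list of (timestamp, recipient, body) records."""
    per_sender = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, sender, recipient, body = parse_line(line)
        per_sender[sender].append((ts, recipient, body))
    return per_sender


def sender_features(records):
    """Summarise one sender: volume, recipient spread, body variety, timing regularity."""
    records = sorted(records)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(records, records[1:])]
    return {
        "messages": len(records),
        "distinct_recipients": len({r for _, r, _ in records}),
        "distinct_bodies": len({b for _, _, b in records}),
        "median_gap_s": median(gaps) if gaps else None,
    }


def flag_spam_senders(lines, min_messages=40, max_median_gap_s=5.0, max_bodies=3):
    """Return {sender: features} for senders matching the bot pattern: many messages,
    almost all to different recipients, near-identical text, machine-regular timing.
    Thresholds are illustrative assumptions, not tuned production values."""
    flagged = {}
    for sender, records in group_by_sender(lines).items():
        f = sender_features(records)
        if (
            f["messages"] >= min_messages
            and f["distinct_recipients"] >= 0.9 * f["messages"]
            and f["distinct_bodies"] <= max_bodies
            and f["median_gap_s"] is not None
            and f["median_gap_s"] <= max_median_gap_s
        ):
            flagged[sender] = f
    return flagged


if __name__ == "__main__":
    for sender, feats in flag_spam_senders(constructed_log()).items():
        print(f"suspected infected handset {sender}: {feats}")
```

Running the block flags the constructed infected handset (50 messages, 50 distinct recipients, one body, median gap about 1.3 s) and leaves the normal subscriber alone. Two practical points follow from the article itself: thresholds need tuning per network so that legitimate group messaging is not caught, and because the malware also suppresses incoming SMS on the infected phone, an operator that detects this pattern should notify the subscriber through a channel other than a text message.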

In one example, the spam messages contained links to the malicious applications in hopes of infecting other users. In another example, the spam message falsely informed people they had won a gift card. But in order for the gift card to be delivered, the victim is asked to pay a shipping cost of US$5.95. Conway said the scammers then collect a victim's personal details for further affiliate marketing campaigns, as well as a credit card number.

Spam via SMS (short message service) is nothing new. In the past, spammers bought SIM cards in bulk and inserted them into a SIM card bank to start a spam campaign. As the spammy numbers are shut down by operators, the SIM cards are swapped out with fresh ones.

But with that method, the spammers incurred the cost of buying SIM cards. They also had to be in the same country as victims in order to avoid international SMS sending charges.

The latest method neatly avoids both of those costs. Conway said using malware allows the scammers to conduct campaigns from anywhere in the world at no extra cost. The people whose phones are infected will incur the costs of sending the SMS messages, which could be expensive for some people with monthly SMS limits, Conway said.

"We may see not only does this cost less for the spammers, but if they can spread their spam over a larger and larger number of phone numbers...then it makes it harder to block this on an individual phone number basis," Conway said.

Victims face an additional problem if an operator decides to shut down their phone for spamming. The malware also blocks incoming SMS messages, so even if a recipient of a spam SMS complains by texting back, the victim will still not know their device is being abused, Conway said.

The spammers appear to still be testing the method, but spam volumes are rising, Conway said. The recipients of the spam are so far just in the U.S. It appears that around 800 phones are infected with the malware. As recently as two weeks ago, the botnet was sending upwards of 500,000 messages per day.

Conway described the botnet as "primitive" and not at the level of sophistication of botnets that abuse desktop computers. But it does herald a new level of innovation among mobile spammers.

The best advice for Android users is to avoid downloading applications from untrusted sources. Google scans applications in its Play store for malicious behavior, but unvetted Android applications are widely available around the Internet. Conway said he believes the campaign is geared toward exploiting younger Android users.

"The younger you are, the more likely you are to engage in risky behavior with your mobile phone," Conway said.

Recipients of spam can forward a suspicious message to "7726," a short code for the GSMA's Spam Reporting Service, which is run by Cloudmark. The company analyzes the messages. Depending on how the operator wants to handle it, spam messages can be blocked or the malicious link within the message can be removed, Conway said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
