Russian SMS Trojan for Android hits US, dozens of other countries

Android malware that sends text messages to premium-rate numbers expanded globally over the past year, researchers warn

An Android Trojan app that sends SMS messages to premium-rate numbers has expanded globally over the past year, racking up bills for users in over 60 countries including the U.S., malware researchers from Kaspersky Lab said.

The malware program, which Kaspersky products detect as Trojan-SMS.AndroidOS.FakeInst.ef, dates back to February 2013 and was originally designed to operate in Russia.

The Trojan disguises itself as an application for watching porn videos, but once installed on a device it downloads an encrypted configuration file and starts sending SMS messages to predefined premium-rate numbers, depending on the user's mobile country code.

For example, when the malware encounters mobile country codes -- special codes used by carriers to identify mobile networks in different countries -- in the range of 311 to 316, which correspond to the U.S., the malware sends three messages that cost $2 each to 97605, the Kaspersky researchers said in a blog post Wednesday.

The malware can also intercept incoming messages and can receive commands from command-and-control servers to send specific text messages to particular phone numbers.

The Kaspersky researchers have identified 14 different versions of Trojan-SMS.AndroidOS.FakeInst.ef and determined that the malware has spread to 66 countries.

"This particular program was the first SMS Trojan to reach users in the U.S.," said Roman Unuchek, senior malware analyst at Kaspersky Lab via email.

According to the antivirus vendor's statistics, the number of Trojan-SMS.AndroidOS.FakeInst.ef victims in the U.S. is still low, with the largest number of infections being recorded in Russia and Canada.

Cybercriminals have used premium-rate SMS Trojans for years to steal money from Android users in China, Russia and other countries where the use of non-official app stores is common. However, Trojan-SMS.AndroidOS.FakeInst.ef and another widespread Trojan called Trojan-SMS.AndroidOS.Stealer.a, which has support for 14 countries, suggest a global escalation for this type of threat.

"It appears that the cybercriminals have built up sufficient resources to expand their illegal business on a global scale," Unuchek said.

The Kaspersky researchers did not clarify how the rogue apps that carry this Trojan are being distributed. The apps are not likely downloaded from Google Play, because Google has gotten much better at policing its app store in recent years. So Android users are probably affected after specifically configuring their phones to allow the installation of apps from "unknown sources."

Many users might have that setting enabled because it's needed to install some legitimate applications that can't be distributed through Google Play for policy reasons -- for example some online poker clients. In addition, attackers could also use social engineering techniques to trick users into enabling support for unknown app sources.

Join the CSO newsletter!

Error: Please check your email address.

Tags Googlesecuritymobile securityspywaremalwarekaspersky labfraud

More about GoogleKasperskyKaspersky

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts