Rare SMS worm targets Android devices

The new Selfmite Android malware spreads by sending text messages with a malicious link to the device owner's contacts

A rare Android worm that propagates itself to other users via links in text messages has been discovered by security researchers.

Once installed on a device, the malware, which was dubbed Selfmite, sends a text messages to 20 contacts from the device owner's address book.

Most malware programs for Android are Trojan apps with no self-propagation mechanisms that get distributed from non-official app stores. Android SMS worms are rare, but Selfmite is the second such threat discovered in the past two months, suggesting that their number might grow in the future.

The text message sent by Selfmite contains the contact's name and reads: "Dear [NAME], Look the Self-time," followed by a goo.gl shortened URL.

The rogue link points to an APK (Android application package) file called TheSelfTimerV1.apk that's hosted on a remote server, researchers from security firm AdaptiveMobile said in a blog post.

If the user agrees to install the APK, an app with the name "The self-timer" will appear in the app list.

In addition to spreading itself to other users, the Selfmite worm tries to convince users to download and install a file called mobogenie_122141003.apk through the local browser.

Mobogenie is a legitimate application that allows users to synchronize their Android devices with their PCs and download apps from an alternative app store. The Mobogenie Market app was downloaded over 50 million times from Google Play, but is also promoted through various paid referral schemes, creating an incentive for attackers to distribute it fraudulently.

"We believe that an unknown registered advertising platform user abused a legal service and decided to increase the number of Mobogenie app installations using malicious software," the AdaptiveMobile researchers said.

The security vendor, which claims that its technology is used by some of the largest mobile operators worldwide, said that it detected dozens of devices infected with Selfmite in North America.

The short goo.gl URL that was used to distribute the malicious APK was visited 2,140 times until Google disabled it. That doesn't mean attackers can't create another URL and launch a new attack campaign.

Giving its current distribution model the threat is likely to only affect users who have configured their devices to allow the installation of apps from "unknown sources" -- sources other than Google Play. Most users don't enable this feature on their phones, but some do because there are legitimate apps that are not distributed through Google Play.

"The impact on the user is not only have they been fooled into installing a worm and other software they may not want; the worm can use up their billing plan by automatically sending messages that they would not be aware of, costing them money," the AdaptiveMobile researchers said. "In addition, by sending spam the worm puts the infected device at danger of being blocked by the mobile operator. More seriously, the URL that the worm points to [in the browser] could be redirected to point to other .apks which may not be as legitimate as the Mobogenie app."

Join the CSO newsletter!

Error: Please check your email address.

Tags AdaptiveMobilesecuritymobile securitymalware

More about Google

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts