An Android botnet found in South Korea that steals text messages may be one of the largest and most advanced mobile malware operations discovered, according to security vendor FireEye.
The botnet, which FireEye called “MisoSMS,” was used in 64 spyware campaigns, stealing text messages from phones in Korea and forwarding them to email accounts accessed by hackers in both China and South Korea.
MisoSMS is embedded in an Android application that purports to be an administrative settings tool, FireEye wrote on its blog. The application calls itself “Google Vx” and asks for administrative permissions that, if granted, allow the malware to hide.
It then collects text messages and sends them by email to the attackers, which is a new technique, FireEye wrote. Some SMS malware applications forward text messages to hackers’ phones via SMS, while others send messages via TCP connections.
More than 450 web email accounts were used to control the malware. “The attackers logged in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages,” FireEye analysts wrote.
The email accounts used in connection with MisoSMS have been deactivated, and the attackers have not since registered any new email addresses. FireEye wrote on its blog it is working with Korean law enforcement and the Chinese web mail provider whose accounts were used by the hackers.