A new version of an Android worm called Selfmite has the potential to ramp up huge SMS charges for victims in its attempt to spread to as many devices as possible.
The first version of Selfmite was discovered in June, but its distribution was quickly disrupted by security researchers. The worm—a rare type of malware in the Android ecosystem—spread by sending text messages with links to a malicious APK (Android Package) to the first 20 entries in the address book of every victim.
The new version, found recently and dubbed Selfmite.b, has a similar, but much more aggressive spreading system, according to researchers from security firm AdaptiveMobile. It sends text messages with rogue links to all contacts in a victim’s address book, and does this in a loop.
“According to our data, Selfmite.b is responsible for sending over 150k messages during the past 10 days from a bit more than 100 infected devices,” Denis Maslennikov, a security analyst at AdaptiveMobile said in a blog post Wednesday. “To put this into perspective that is over a hundred times more traffic generated by Selfmite.b compared to Selfmite.a.”
Paying through the nose
At an average of 1,500 text messages sent per infected device, Selfmite.b can be very costly for users whose mobile plans don’t include unlimited SMS messages. Some mobile carriers might detect the abuse and block it, but this might leave the victim unable to send legitimate text messages.
Unlike Selfmite.a, which was found mainly on devices in North America, Selfmite.b has hit victims throughout at least 16 different countries: Canada, China, Costa Rica, Ghana, India, Iraq, Jamaica, Mexico, Morocco, Puerto Rico, Russia, Sudan, Syria, USA, Venezuela and Vietnam.
The first version of the worm used goo.gl shortened URLs in spam messages that pointed to an APK installer for the malware. Those URLs were hardcoded in the app’s code, so once they were disabled by Google, the operator of the goo.gl URL shortening service, Selfmite.a’s distribution stopped.
The worm’s authors took a different approach with the new version. They still use shortened URLs in text messages—this time generated with Go Daddy’s x.co service—but the URLs are specified in a configuration file that the worm downloads periodically from a third-party server.
Remote configuration
“We notified Go Daddy about the malicious x.co URLs and at the moment both shortened URLs have been deactivated,” Maslennikov said. “But the fact that the author(s) of the worm can change it remotely using a configuration file makes it harder to stop the whole infection process.”
The goal of Selfmite is to generate money for its creators through pay-per-install schemes by promoting various apps and services. The old version distributed Mobogenie, a legitimate application that allows users to synchronize their Android devices with their PCs and to download Android apps from an alternative app store.
Selfmite.b creates two icons on the device’s home screen, one to Mobogenie and one to an app called Mobo Market. However, they act as Web links and clicking on them can lead to different apps and online offers depending on the victim’s IP (Internet Protocol) address location.
Fortunately, the worm’s distribution system does not use exploits and relies only on social engineering—users would have to click on the spammed links and then manually install the downloaded APK in order for their devices to be infected. Furthermore, their devices would need to be configured to allow the installation of apps from unknown sources—anything other than Google Play—which is not the default setting in Android. This further limits the attack’s success rate.