A rare Android worm that propagates itself to other users via links in text messages has been discovered by security researchers.
Once installed on a device, the malware, which was dubbed Selfmite, sends a text messages to 20 contacts from the device owner’s address book.
Most malware programs for Android are Trojan apps with no self-propagation mechanisms that get distributed from non-official app stores. Android SMS worms are rare, but Selfmite is the second such threat discovered in the past two months, suggesting that their number might grow in the future.
The text message sent by Selfmite contains the contact’s name and reads: “Dear [NAME], Look the Self-time,” followed by a goo.gl shortened URL.
The rogue link points to an APK (Android application package) file called TheSelfTimerV1.apk that’s hosted on a remote server, researchers from security firm AdaptiveMobile said in a blog post.
If the user agrees to install the APK, an app with the name “The self-timer” will appear in the app list.
In addition to spreading itself to other users, the Selfmite worm tries to convince users to download and install a file called mobogenie_122141003.apk through the local browser.
Text messaging is bundled into Google’s Hangouts app on some Android phones.
Mobogenie is a legitimate application that allows users to synchronize their Android devices with their PCs and download apps from an alternative app store. The Mobogenie Market app was downloaded over 50 million times from Google Play, but is also promoted through various paid referral schemes, creating an incentive for attackers to distribute it fraudulently.
“We believe that an unknown registered advertising platform user abused a legal service and decided to increase the number of Mobogenie app installations using malicious software,” the AdaptiveMobile researchers said.
The security vendor, which claims that its technology is used by some of the largest mobile operators worldwide, said that it detected dozens of devices infected with Selfmite in North America.
The short goo.gl URL that was used to distribute the malicious APK was visited 2,140 times until Google disabled it. That doesn’t mean attackers can’t create another URL and launch a new attack campaign.
Giving its current distribution model the threat is likely to only affect users who have configured their devices to allow the installation of apps from “unknown sources”—sources other than Google Play. Most users don’t enable this feature on their phones, but some do because there are legitimate apps that are not distributed through Google Play.
“The impact on the user is not only have they been fooled into installing a worm and other software they may not want; the worm can use up their billing plan by automatically sending messages that they would not be aware of, costing them money,” the AdaptiveMobile researchers said. “In addition, by sending spam the worm puts the infected device at danger of being blocked by the mobile operator. More seriously, the URL that the worm points to [in the browser] could be redirected to point to other .apks which may not be as legitimate as the Mobogenie app.”