Kaspersky Labs first announced its detection of what appeared to be the first of several SMS Trojans on Google’s Android operating system on August 9th. The application released in Russian markets outside of Google’s Android Market, was disguised as a media player. Once installed, the code would send 3 premium SMS messages, effectively transferring the US equivalent of ~$18 from the user to the recipient company.
On Wednesday, Kaspersky Labs expert Denis Maslennikov revealed a new Trojan very similar to the first. Again targeting Russian users, this app is disguised as a pornographic media player. What is interesting is not the recurrence of the premium SMS dialing (sending an SMS to a pay service, such as donation codes for the Red Cross, or ringtone services advertised on Television ), but the method in which installing the app is brought to users attention.
The authors of this particular trojan use a tactic known as search engine poisoning to spread the malware. That is, they crafted Websites specifically to appear near the top of search results for certain search queries. By placing malicious websites at the top of search results, mobile users who are by nature looking for fast easy results are more likely to click through without due diligence of ensuring the top hits are safe. This has been a common theme of PC-based malware and is now a lucrative trend in the mobile domain for an increasingly popular platform.
When the trojan is installed, it’ll ask you to access Android’s messaging system. If you deny it, the malicious portion of the code will not be allowed to function. It’s a lesson in both trusting your application sources, and paying attention to mandatory security prompts for sure.
Remember that once you have given permission to an application, it rarely if ever will need to request permission again. The simple media browser in this case can wantonly send SMS messages whenever it is active, and you will be none the wiser, till you see the bill.