X

More malware targeting Android

Google pulls Trojanized Android apps, and researchers warn of malware in alternative Android markets in China and of an Android version of the Zitmo banking Trojan.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
 
Wireshark capture of Zitmo forwarding an incoming SMS on an infected phone to a remote Web server.
Wireshark capture of Zitmo forwarding an incoming SMS on an infected phone to a remote Web server. Fortinet

Researchers are reporting the discovery of malware targeting Android devices, specifically a new variant of the DroidDream Trojan found in apps that Google removed from the Android Market, as well as malware on alternative app markets in China designed to run up premium SMS bills, and a data-stealing Trojan that targets one-time bank SMS pass codes.

Mobile-security firm Lookout warned of new variants of DroidDream Light that were found in the Android Market and subsequently removed by Google. "Fortunately the malware was available in the Android Market for [only] a short period of time, so the number of downloads was limited to 1,000 to 5,000," Lookout wrote in a blog post Friday.

The four applications, all published by a developer named "Mobnet" are: Quick FallDown; Scientific Calculator; Bubble Buster; and Best Compass and Leveler, which is not to be confused with a legitimate app with the same name but listed as "com.gb.compassleveler" on the package, compared with "com.gb.CompassLeveler," which is used by the malware package, Lookout said.

Similar to the samples of DroidDream found in March and in late May, the samples do not rely on an Android user to manually launch the infected app to start it, according to Lookout. The malware has the capability to change the next connection time and the command-and-control server the Trojan distributor uses to communicate with the malware on the infected device; initiate an app download and create several install-related prompts that direct the victim to download other apps; visit a potentially malicious Web address; and download software that would in turn download an updated version of the malware.

Android users can protect themselves from malicious apps by downloading apps only from trusted sources and developers known by name and rating; checking permission that apps request and using common sense to ensure that permissions match the app features; and being alert for unusual behavior on the phone, such as unknown applicatons being installed, SMS messages being sent to unknown recipients, or phone calls automatically being placed.

Meanwhile, researchers at North Caroline State University warned on Sunday of new Android malware named "HippoSMS" that was found on alternative app markets in China. The malware is designed to incur phone charges by sending SMS messages to a hard-coded premium-rated number, they said in a blog post. The malware also blocks or removes short messages that mobile service providers send to customers to warn them of additional charges.

And security firm Fortinet said in a blog post that a version of the Zitmo (which stands for "ZeuS in the Mobile") banking Trojan has been discovered that targets Android devices. The malware poses as a banking activation application, listens to all incoming SMS messages, and forwards them to a remote Web server. One-time pass codes that banks send to customer phones via SMS messages for two-factor authentication purposes could be grabbed by this malware, Fortinet said.

(via Computerworld and Krebs on Security.)