New Android Trojan making the Asian rounds

  • 19 October 2013
  • 4 replies

Mobile malware tends to make news on a regular basis, most notably targeting Android. As Microsoft has learned with Windows, being the market share leader also means presenting the biggest target.

Russian virus researchers at Dr. Web are releasing new research around the latest volley from cyber-criminals, this one being dubbed "Android.Spy.40.origin". The Trojan is currently only prevalent in the southeast Asian geographic area, specifically in South Korea, where it's spread by means of unwanted SMS messages containing a link to an APK file.

Once the program is executed, Dr. Web explains that "the Trojan connects to a remote server from which it receives further instructions". These instructions include intercepting inbound messages and uploading them to the server (while also hiding them from the user), blocking outbound calls, sending a list of your contacts and apps to the server, removing and installing apps and sending text messages.
 
...
For now, the Trojan has not left the Asian region, but that is always subject to change, and the technology to escape detection can be exploited in other nefarious software in the future.
 
Full Story
 
One to watch out for.

Best answer by CameronP 21 October 2013, 18:23

4 replies

Userlevel 4
Thanks for posting this, Jasper!
 
Looks like we have a handful of samples of this threat as well. Nearly all of them are already detected and we were able to create a more reliable definition to better detect this threat and catch the rest.
Userlevel 7
I have a question on this: my own admittedly ancient and outdated 'Droid has the setting to by default block all 3rd party sourced applications from being installed, only downloads directly from Google Play (Market on mine) are allowed unless I manually override it. Does this infection manage to work its way around this protection setting?
Userlevel 4
No, David, it cannot. That functionality is a fundamental part of the Android OS. Unless the Market is what is asking to install an application, they're assumed to be from an "outside source" and that message will appear.
Userlevel 7
@ wrote:
No, David, it cannot. That functionality is a fundamental part of the Android OS. Unless the Market is what is asking to install an application, they're assumed to be from an "outside source" and that message will appear.
Thanks! So the SMS spread of it really has a lot to do with users allowing it in regardless of what the OS tells them is safe. Of course those with Webroot installed won't have to worry so much anyway 🙂
