Spammers have amassed the first known Android botnet, consisting of compromised devices pumping spam over all major US mobile networks.
The botnet spread via a malicious game application that contains the SpamSoldier trojan. Infected devices then communicate with a command-and-control server, receiving instructions to send SMS messages to more than 100 phone numbers.
After texting those numbers, infected phones get a new list of targets within a minute. The malware also blocks incoming and outgoing texts from unknown numbers, in case users or mobile service providers try to alert victims to the spamming.
Cloudmark researcher Andrew Conway told SC the botnet “changed the economics” of spamming campaigns.
“The typical SMS spamming technique is that a spammer will go to the grocery store, buy some prepaid SIM [subscriber identity module] cards and [use] them to send out spam messages,” Conway said.
“We think the spammers are getting less and less value for money out of that approach as the industry catches on to that.”
In the SpamSoldier campaign, the fraudsters make their victims shoulder the cost of spamming, Conway said.
While he described the botnet as “primitive” compared to those that fester among infected endpoints in the traditional PC environment, the tactic may demonstrate a future model to be taken up by attackers.
Cloudmark detected more than 800 phone numbers sending out the spam, and it believes the total number of infected devices is around 1000.
Lookout senior product manager Derek Halliday confirmed occurrences of the malware remained low, but said the impact could be greater if left undetected by users or carriers.
“The primary negative impact appears to be the large amount of SMS messages sent and the potential this has to result in charges to the user and/or a slowdown of the carrier's network,” Halliday said.
“Depending on your carrier, the standard procedure is to block all text messages from your phone if you are sending out spam messages.”
Google declined to comment.
Back in July, conflicting reports about the existence of a spam botnet on Android devices surfaced, but Google quickly denied those claims, and it was eventually determined that the spammers were using infected computers and a fake mobile signature to abuse a Yahoo Mail app for Android devices.