World's largest Android botnet found

By on

And warnings over jailbroken Apple devices.

The largest ever mobile botnet on the Android platform has been spotted by FireEye and is said to be integral to more than 60 spyware campaigns.

FireEye's analysis of the `MisoSMS' botnet says that users' Android devices are being rifled for their text messages, which are then covertly emailed to persons unknown in China.

The security vendor's research team, which consists of Vinay Pidathala, Hitesh Dharmdasani, Jinjian Zhai and Zheng Bu, say that the Android malware disguises itself as a settings app (which is called “Google Vx”) ostensibly used for administrative tasks. When the code/app is executed, it secretly steals users' texts and relays them to a command-and-control (C&C) infrastructure hosted in China - using more than 450 malicious email accounts.

The research team say that the malware has been seen in at least 64 mobile botnet campaigns.

The good news is that FireEye says it has been working with the Internet hosting industry to help take down the C&C infrastructure, whilst all of the malicious email accounts have been deactivated.

When the app runs, it requests admin privileges on the device. When these are granted, it returns a message that the file is `damaged' and requests access to a website with a large `OK' button - which does far more than open a session to the mobile Internet.

FireEye says that the user is then asked to confirm deletion of the damaged file, "offering the option to ‘Confirm' or ‘Cancel'."

"If the user taps ‘Confirm', the app sleeps for 800 milliseconds then displays a message that says `Remove Complete.' If the user taps ‘Cancel', the app still displays the `Remove Complete' message," reads the vendor's analysis.

Text messages - whilst apparently innocuous - are increasingly being used by online banking sessions, Gmail and Google Docs, Microsoft's Windows 8 application store and Office365 platforms as a means of authenticating users.

By intercepting the text messages, if the user's desktop is also infected - perhaps with Zeus or SpyEye - then the online banking session can be completely intercepted, even allowing the hackers to set up new payees, as many banks now use text message authentication as a means of protection, notes.

iPhone users cannot rest on their security laurels either though, according to experts at Marble Security.

The company, whose CTO is David Jevans, the founder of the Anti-Phishing Working Group, has warned on the rising problem of jailbreaking iPhones, which US courts have deemed to be legal, as meaning that the Apple mobile then has no security.

"They can also have backdoors installed on them," explained Jevans

Jevans, who has also held senior positions with vendors such as IronKey and Tumbleweed Communications, says that, after jailbreaking an iPhone, a user may not be able to use it at work because companies use security tools to reject modified phones.

To skirt around those security measures, he warns, users are now installing jammer software to hide the fact that a phone is modified.

“This is a significant risk to the enterprise, especially those allowing bring-your-own-device (BYOD) because experience shows us that even just one compromised device can eventually lead to a massive breach,” said Jevans, adding that jailbreak jammers are evolving at a rapid rate.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, UK edition

Most Read Articles

Log In

  |  Forgot your password?