Selfmite SMS Worm Attacks Android Devices
Security researchers have discovered an worm that propagates itself to other users via links in text messages and once installed, sends a text messages to 20 contacts from the device owner's address book.
According to security firm AdaptiveMobile, the worm, dubbed "Selfmite," is able to propagate via SMS. Potential victims receive the following SMS message containing a URL pointing to the Selfmite worm:
Dear [NAME], Look the Self-time, http://goo.gl/******
If the user clicks on the goo.gl shortened link he will be redirected to http://173.244.***.***/TheSelfTimerV1.apk and offered to download and install this APK file. If the user performs these actions then a malware icon with 'The self-timer' name appears in the smartphone's menu. And if victim launches it, the malware will immediately read device's contact book for a name + phone pair and send 1 message to 20 different contacts using the name as a greeting.
In addition to spreading itself to other users, the Selfmite worm tries to convince users to download and install a file called mobogenie_122141003.apk through the local browser.
Mobogenie is a legitimate application that allows users to synchronize their Android devices with their PCs and download apps from an alternative app store.
The security vendor said that it detected dozens of devices infected with Selfmite in North America.
The short goo.gl URL that was used to distribute the malicious APK was visited 2,140 times until Google disabled it. That doesn't mean attackers can't create another URL and launch a new attack campaign.
"The impact on the user is not only have they been fooled into installing a worm and other software they may not want; the worm can use up their billing plan by automatically sending messages that they would not be aware of, costing them money," the AdaptiveMobile researchers said. "In addition, by sending spam the worm puts the infected device at danger of being blocked by the mobile operator. More seriously, the URL that the worm points to [in the browser] could be redirected to point to other .apks which may not be as legitimate as the Mobogenie app."
Dear [NAME], Look the Self-time, http://goo.gl/******
If the user clicks on the goo.gl shortened link he will be redirected to http://173.244.***.***/TheSelfTimerV1.apk and offered to download and install this APK file. If the user performs these actions then a malware icon with 'The self-timer' name appears in the smartphone's menu. And if victim launches it, the malware will immediately read device's contact book for a name + phone pair and send 1 message to 20 different contacts using the name as a greeting.
In addition to spreading itself to other users, the Selfmite worm tries to convince users to download and install a file called mobogenie_122141003.apk through the local browser.
Mobogenie is a legitimate application that allows users to synchronize their Android devices with their PCs and download apps from an alternative app store.
The security vendor said that it detected dozens of devices infected with Selfmite in North America.
The short goo.gl URL that was used to distribute the malicious APK was visited 2,140 times until Google disabled it. That doesn't mean attackers can't create another URL and launch a new attack campaign.
"The impact on the user is not only have they been fooled into installing a worm and other software they may not want; the worm can use up their billing plan by automatically sending messages that they would not be aware of, costing them money," the AdaptiveMobile researchers said. "In addition, by sending spam the worm puts the infected device at danger of being blocked by the mobile operator. More seriously, the URL that the worm points to [in the browser] could be redirected to point to other .apks which may not be as legitimate as the Mobogenie app."
