New Android Trojan making the Asian rounds
Mobile malware tends to make news on a regular basis, most notably targeting Android. As Microsoft has learned with Windows, being the market share leader also means presenting the biggest target.
Russian virus researchers at Dr. Web are releasing new research around the latest volley from cyber-criminals, this one being dubbed "Android.Spy.40.origin". The Trojan is currently only prevalent in the southeast Asian geographic area, specifically in South Korea, where it's spread by means of unwanted SMS messages containing a link to an APK file.
Once the program is executed, Dr. Web explains that "the Trojan connects to a remote server from which it receives further instructions". These instructions include intercepting inbound messages and uploading them to the server (while also hiding them from the user), blocking outbound calls, sending a list of your contacts and apps to the server, removing and installing apps and sending text messages.
"This malicious program can pose a severe threat because it intercepts messages that may contain confidential information, personal and business correspondence, bank account information and mTAN-codes used to verify transactions. In addition, the contacts list acquired by cybercriminals can then be used to send bulks of SMS spam and mount phishing attacks", explains Dr. Web.
None of this sounds particularly alarming perhaps -- few of us are likely to open unsolicited APK files that arrive via text message -- but what makes Android.Spy.40.origin dangerous is its ability to escape detection. The Trojan demonstrates an "ability to exploit an Android vulnerability to avoid detection by anti-viruses", the researchers point out.
"According to the zip [APK] file's format specification, the archive header for each compressed file within it includes the field 'General purpose bit flag'. A zero bit fixed in this field indicates that the files in the archive are encrypted (password protected). In other words, despite the absence of a password, when a bit is set to 1, the file must be treated as encrypted", says the report.
For now, the Trojan has not left the Asian region, but that is always subject to change, and the technology to escape detection can be exploited in other nefarious software in the future.