Researchers at Dell SecureWorks say a multi-function piece of Android malware is spreading through a spam campaign that uses this year’s tax season as part of a lure.
Known as Stels, the trojan was spotted by Dell SecureWorks Counter Threat Unit (CTU) research term being spread by the same spam campaigns blasted out by the Cutwail botnet. Once on a device, the malware is capable of stealing a victim’s contact list, sending and intercepting text messages, making phone calls and installing more malware.
According to SecureWorks, the spam campaigns attempt to trick users into clicking links that redirect users to the Blackhole exploit kit. Since the Blackhole kit is unable to exploit Android devices, the attackers are using a fake Adobe Flash Player update to trick victims into downloading and executing the Stels trojan.
“The CTU research team has observed a shift away from Android malware being distributed through alternative marketplaces (i.e., outside of the official Google Play app store),” blogged Brett Stone-Gross, senior security researcher at CTU. “In particular, attackers have been orchestrating spam campaigns to distribute Android malware such as the NotCompatible and Stels trojans. Stels uses lures such as fake email messages from the U.S. Internal Revenue Service (IRS) and recommendations from a “friend.”
The lure comes as tax season is in full swing, with the filing deadline for individual tax returns coming up on April 15. The URL in the email links to a compromised website that “fingerprints” the victim’s web browser and operating system using a PHP script uploaded by the attackers, the researcher noted. If the device is running Android, the hacked site shows a fake Adobe Flash Player update page. When the victim clicks on the Flash Player link, the device downloads the Stels APK executable and prompts the victim to install malware. Because the app does not originate from the official Google Play app store, a user has to enable the ‘Unknown Sources’ option in security settings.
“After Stels has been installed, it places a Flash icon in the apps menu with the name APPNAME,” Stone-Gross blogged. “Upon launch, the Stels trojan displays a fake error message: “Your Android version does not support this update! Setup is canceled” and deletes the Flash icon from the apps menu.”
If the victim is using a Microsoft Internet Explorer, Opera or Mozilla Firefox Web browser, the PHP script displays a fake IRS website, according to CTU. In addition, the attackers altered the URLs on the fake IRS website to link to a malicious PDF file targeting CVE-2010-0188. If the victim’s is not using Android or any of the browsers mentioned above, the PHP script on the compromised site redirects the web browser to a work from home affiliate scam.
In response to the threat, Stone-Gross suggested users avoid installing apps that are not distributed through Google Play, and pay attention to permission requests.
“The distribution of the Stels Trojan through a spam campaign is unusual for Android malware, which is typically distributed through third-party marketplaces outside of the Google Play app store,” he blogged. “Stels appears to leverage an existing Android crimeware kit to steal sensitive information from a device and can be monetized by sending SMS messages and making phone calls to premium phone numbers. In addition, Stels may be used in conjunction with traditional banking trojans including Zeus to bypass two-factor authentication systems that rely on mobile TAN numbers (sent via SMS) to complete fraudulent Automated Clearing House (ACH) and wire transfers from victim accounts.”
