Criminals Test Android-based SMS Botnet with Moderate Success

Anti-Spam vendor Cloudmark recently spotted something new in the world of mobile threats: an Android-based SMS botnet. While the company describes the effort and overall operation of the botnet as primitive, the concern is that this is only the beginning.

Mobile botnets have always been a concern, especially given the explosion of mobile consumption in the U.S. alone. Everyone, from ages 12-60 it seems, has a mobile device somewhere, and for the most part if it isn’t Apple, it’s Android. Given that many of the Android devices on the market run a wide range of installed Android versions, the attack surface is wide, which led to speculation as far back as 2010 that mobile botnets were coming.

Now it appears they have. Again, Cloudmark calls this recent discovery primitive, but it still managed to appear on 800 phones in the U.S. alone, and earlier this month was blasting some 500,000 SMS messages a day. The victims have no idea their phone is infected, even though the process of installing the malware included granting explicit permission to the criminals.

It started with a spammed SMS message inviting the user to install a popular software title from a third-party market; installing from such a market is, in reality, mistake number one. From there, the victim is prompted to grant a number of unneeded permissions, including full Web access and the ability to send SMS messages.

“In the case of this latest batch of SMS sending malware that the Cloudmark Research team has been monitoring, your phone will be used to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server,” the company explained in a blog post.
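The permission pair described above (Web access plus SMS sending) is what lets an app fetch number lists and send messages on its own, so it is worth flagging during app triage. The following is an added example, not code from Cloudmark or the article: it assumes the manifest has already been decoded to plain-text XML (for example with apktool), maps the two permissions to `android.permission.INTERNET` and `android.permission.SEND_SMS`, and uses constructed sample manifests and hypothetical package names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the article's "full Web access" + "send SMS" permissions.
RISKY_COMBO = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

def requested_permissions(manifest_xml: str) -> set:
    """Return permission names declared in a decoded (plain-text) manifest."""
    # Decoded Android manifests never carry a DTD; refuse one so a hostile
    # sample cannot trigger entity-expansion tricks in the XML parser.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("unexpected DTD in manifest")
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def can_relay_sms_spam(manifest_xml: str) -> bool:
    """True when the app asks for both network access and SMS sending."""
    return RISKY_COMBO <= requested_permissions(manifest_xml)

def triage(manifests: dict) -> list:
    """Return the names of manifests that request the risky pair."""
    return sorted(n for n, xml in manifests.items() if can_relay_sms_spam(xml))

# Constructed samples (not taken from the real malware).
HEADER = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
SAMPLE_GAME = (HEADER % "com.example.freegame") + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Free Game"/>
</manifest>"""
SAMPLE_BENIGN = (HEADER % "com.example.notes") + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    samples = {"freegame.apk": SAMPLE_GAME, "notes.apk": SAMPLE_BENIGN}
    for name in triage(samples):
        print(f"{name}: requests INTERNET + SEND_SMS, review before install")
```

A match is a reason to review the app, not proof of malice, since legitimate messaging apps request the same pair.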

The campaign started by offering victims a way to avoid SMS spam, something a bit ironic. Then it progressed by blasting SMS links to games, and then moved on to SMS blasts informing people that they’ve won a gift card. In each example, the victim was presented with an application, and in each case the victim installed it to their phone and granted full permissions.

“Compared with PC botnets this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down.”

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.