Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Malware Spreads Via IRS Spam Campaign

Researchers at Dell SecureWorks say a multi-function piece of Android malware is spreading through a spam campaign that uses this year’s tax season as part of a lure. 

Researchers at Dell SecureWorks say a multi-function piece of Android malware is spreading through a spam campaign that uses this year’s tax season as part of a lure. 

Known as Stels, the trojan was spotted by Dell SecureWorks Counter Threat Unit (CTU) research term being spread by the same spam campaigns blasted out by the Cutwail botnet. Once on a device, the malware is capable of stealing a victim’s contact list, sending and intercepting text messages, making phone calls and installing more malware. 

According to SecureWorks, the spam campaigns attempt to trick users into clicking links that redirect users to the Blackhole exploit kit. Since the Blackhole kit is unable to exploit Android devices, the attackers are using a fake Adobe Flash Player update to trick victims into downloading and executing the Stels trojan.

“The CTU research team has observed a shift away from Android malware being distributed through alternative marketplaces (i.e., outside of the official Google Play app store),” blogged Brett Stone-Gross, senior security researcher at CTU. “In particular, attackers have been orchestrating spam campaigns to distribute Android malware such as the NotCompatible and Stels trojans. Stels uses lures such as fake email messages from the U.S. Internal Revenue Service (IRS) and recommendations from a “friend.”

The lure comes as tax season is in full swing, with the filing deadline for individual tax returns coming up on April 15. The URL in the email links to a compromised website that “fingerprints” the victim’s web browser and operating system using a PHP script uploaded by the attackers, the researcher noted. If the device is running Android, the hacked site shows a fake Adobe Flash Player update page. When the victim clicks on the Flash Player link, the device downloads the Stels APK executable and prompts the victim to install malware. Because the app does not originate from the official Google Play app store, a user has to enable the ‘Unknown Sources’ option in security settings.

“After Stels has been installed, it places a Flash icon in the apps menu with the name APPNAME,” Stone-Gross blogged. “Upon launch, the Stels trojan displays a fake error message: “Your Android version does not support this update! Setup is canceled” and deletes the Flash icon from the apps menu.”

If the victim is using a Microsoft Internet Explorer, Opera or Mozilla Firefox Web browser, the PHP script displays a fake IRS website, according to CTU. In addition, the attackers altered the URLs on the fake IRS website to link to a malicious PDF file targeting CVE-2010-0188. If the victim’s is not using Android or any of the browsers mentioned above, the PHP script on the compromised site redirects the web browser to a work from home affiliate scam.

In response to the threat, Stone-Gross suggested users avoid installing apps that are not distributed through Google Play, and pay attention to permission requests.

“The distribution of the Stels Trojan through a spam campaign is unusual for Android malware, which is typically distributed through third-party marketplaces outside of the Google Play app store,” he blogged. “Stels appears to leverage an existing Android crimeware kit to steal sensitive information from a device and can be monetized by sending SMS messages and making phone calls to premium phone numbers. In addition, Stels may be used in conjunction with traditional banking trojans including Zeus to bypass two-factor authentication systems that rely on mobile TAN numbers (sent via SMS) to complete fraudulent Automated Clearing House (ACH) and wire transfers from victim accounts.”

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...