A new SMS worm dubbed “Selfmite” has been infecting Android devices in a pay-per-install scheme that abuses advertising services, AdaptiveMobile announced last week.
According to the mobile security company, Selfmite is designed to spread via SMS messages that lure recipients to an application called “The Self-Timer” via a shortened Google (goo.gl) link. The URL takes potential victims to a website where they’re instructed to download and install an APK file (TheSelfTimerV1.apk) which creates an icon for “The Self-Timer” app in the infected device’s menu.
Once executed, Selfmite accesses the address book from which it retrieves the top 20 contacts, and sends them each an SMS message urging them to check out the self-timer application, AdaptiveMobile said. After this task is completed, the worm attempts to open a different URL shortened with goo.gl, which redirects victims to an APK file (mobogenie_122141003.apk) for Mobogenie, a legitimate file and apps manager for Android devices.
Mobogenie, which has between 50 million and 100 million downloads on Google Play, is promoted via various ad platforms, one of which is used in this pay-per-install campaign. Once this particular version of the Mobogenie app is installed on an Android smartphone, it accesses a certain URL to confirm the installation and make sure the individuals behind the scheme get paid for their effort.
“[We] believe that an unknown registered advertising platform user abused legal service and decided to increase the number of Mobogenie app installations using malicious software,” AdaptiveMobile’s Denis Maslennikov explained in a blog post.
Mobogenie is aware of such spam campaigns, which the company says are a result of a “technical issue” with a promotional partner. The company posted an apology to customers on Google Play months ago claiming to be working on addressing the issue, but apparently the app is still installed on phones through shady methods.
Sophos has also analyzed the worm, which the company has dubbed Andr/SlfMite-A. Paul Ducklin, a security evangelist for the company, explained that Selfmite relies on the mutual trust that exists between contacts to spread from one Android phone to the other.
“In theory, a virus like this could spread exponentially, with one victim in Generation One becoming 20 in Generation Two, 400 in Generation Three, and so on, with 20^(N-1) victims in Generation N,” Ducklin explained in a blog post published on Sunday. “In practice, of course, this never happens: many of the potential victims in each generation will delete the message, or ignore it, or have it blocked by their anti-virus.”
While statistics from Google show that on June 24 there had been 2,140 clicks on the malicious URL and over 210,000 on the Mobogenie redirection, AdaptiveMobile reported that Selfmite infections are not widespread at the moment, most likely due to the fact that the threat has been detected early: security firms and Google have already taken steps to protect users. Users in North America appear to be the most targeted, with dozens of infections detected by the mobile security firm.
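The spreading behaviour reported above, one handset texting the same shortened goo.gl link to about 20 contacts, leaves a recognisable fan-out pattern in SMS logs. The following Python detection heuristic is an added example, not code from AdaptiveMobile, Sophos or Google; the record layout, the thresholds, the phone numbers, the message text and the goo.gl paths are all constructed assumptions.

```python
import re
from collections import defaultdict

# Shortened goo.gl links, the kind of URL the article says the worm sends.
SHORT_URL = re.compile(r"https?://goo\.gl/\S+", re.IGNORECASE)

def flag_sms_fanout(records, min_recipients=10, window_s=300):
    """Flag senders that text one shortened URL to many distinct numbers.

    records: iterable of (unix_ts, sender, recipient, body) tuples (assumed layout).
    Returns {sender: (url, distinct_recipients)} for the widest burst seen
    inside any window of window_s seconds. Thresholds are assumptions.
    """
    by_key = defaultdict(list)  # (sender, url) -> [(ts, recipient), ...]
    for ts, sender, recipient, body in records:
        for url in SHORT_URL.findall(body):
            by_key[(sender, url.rstrip(".,)"))].append((ts, recipient))

    flagged = {}
    for (sender, url), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            distinct = len({r for _, r in events[start:end + 1]})
            if distinct >= min_recipients and distinct > flagged.get(sender, (url, 0))[1]:
                flagged[sender] = (url, distinct)
    return flagged

def sample_records():
    """Constructed log: one worm-like burst, one normal user, one slow sender."""
    recs = []
    for i in range(20):  # same link to 20 contacts, 2 seconds apart
        recs.append((1000 + 2 * i, "+15550100001", f"+1555010{1000 + i}",
                     "Check out the self-timer app http://goo.gl/EXAMPLE1"))
    recs.append((1010, "+15550100002", "+15550102001", "lol http://goo.gl/EXAMPLE2"))
    recs.append((1500, "+15550100002", "+15550102002", "lol http://goo.gl/EXAMPLE2"))
    for i in range(12):  # 12 recipients, but only one message per hour
        recs.append((1000 + 3600 * i, "+15550100003", f"+1555010{3000 + i}",
                     "Newsletter http://goo.gl/EXAMPLE3"))
    return recs

if __name__ == "__main__":
    for sender, (url, count) in flag_sms_fanout(sample_records()).items():
        print(f"{sender} sent {url} to {count} numbers in one burst")
```

Only the burst sender is flagged; the two-recipient user and the one-message-per-hour sender fall below the recipient and time-window thresholds.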