Android Users Targeted With New SMS Worm

A new SMS worm dubbed “Selfmite” has been infecting Android devices in a pay-per-install scheme that abuses advertising services, AdaptiveMobile announced last week.

According to the mobile security company, Selfmite is designed to spread via SMS messages that lure recipients to an application called “The Self-Timer” via a shortened Google (goo.gl) link. The URL takes potential victims to a website where they’re instructed to download and install an APK file (TheSelfTimerV1.apk) which creates an icon for “The Self-Timer” app in the infected device’s menu. 

Once executed, Selfmite accesses the address book from which it retrieves the top 20 contacts, and sends them each an SMS message urging them to check out the self-timer application, AdaptiveMobile said. After this task is completed, the worm attempts to open a different URL shortened with goo.gl, which redirects victims to an APK file (mobogenie_122141003.apk) for Mobogenie, a legitimate file and apps manager for Android devices.
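The fan-out described above, one handset sending the same goo.gl link to as many as 20 contacts in quick succession, can be detected from outbound SMS records. The sketch below is an added example, not code from AdaptiveMobile, Sophos or this article; the record layout, phone numbers, placeholder URLs, thresholds and function names are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Only the shortener named in the article; extend the pattern for other services.
SHORT_URL_RE = re.compile(r"https?://goo\.gl/\S+", re.IGNORECASE)

def find_fanout(records, min_recipients=10, window=300):
    """Flag (sender, url) pairs where one sender delivered the same shortened
    URL to at least `min_recipients` distinct numbers within `window` seconds.
    `records` is an iterable of (epoch_seconds, sender, recipient, body)."""
    events = defaultdict(list)
    for ts, sender, recipient, body in records:
        for url in SHORT_URL_RE.findall(body):
            # Key on the URL, not the full body: worms often personalise the text.
            events[(sender, url.rstrip(".,!?)"))].append((ts, recipient))

    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in hits[start:end + 1]}))
        if best >= min_recipients:
            alerts[key] = best
    return alerts

def sample_records():
    """Constructed sample traffic (not real data)."""
    # Worm-like burst: 20 contacts, one message every 2 seconds, same link.
    recs = [(1000 + 2 * i, "+15550100", f"+1555020{i:02d}",
             "Hi, try The Self-Timer http://goo.gl/XXXXXX") for i in range(20)]
    # Ordinary user sharing a link with three friends over several hours.
    recs += [(1000 + 3600 * i, "+15550101", f"+1555030{i:02d}",
              "photos: http://goo.gl/YYYYYY") for i in range(3)]
    # Bulk sender with no link at all (e.g. a group reminder).
    recs += [(2000 + i, "+15550102", f"+1555040{i:02d}",
              "meeting moved to 3pm") for i in range(20)]
    return recs

if __name__ == "__main__":
    for (sender, url), count in find_fanout(sample_records()).items():
        print(f"ALERT {sender} sent {url} to {count} recipients")
```

The recipient threshold and time window trade false positives against missed slow senders and should be tuned against real traffic.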

Mobogenie, which has between 50 million and 100 million downloads on Google Play, is promoted via various ad platforms, one of which is used in this pay-per-install campaign. Once this particular version of the Mobogenie app is installed on an Android smartphone, it accesses a certain URL to confirm the installation and make sure the individuals behind the scheme get paid for their effort.

“[We] believe that an unknown registered advertising platform user abused legal service and decided to increase the number of Mobogenie app installations using malicious software,” AdaptiveMobile’s Denis Maslennikov explained in a blog post.

Mobogenie is aware of such spam campaigns, which the company says are a result of a “technical issue” with a promotional partner. The company posted an apology to customers on Google Play months ago, claiming to be working on addressing the issue, but apparently the app is still installed on phones through shady methods.

Sophos has also analyzed the worm, which the company has dubbed Andr/SlfMite-A. Paul Ducklin, a security evangelist for the company, explained that Selfmite relies on the mutual trust that exists between contacts to spread from one Android phone to the other.

“In theory, a virus like this could spread exponentially, with one victim in Generation One becoming 20 in Generation Two, 400 in Generation Three, and so on, with 20^(N-1) victims in Generation N,” Ducklin explained in a blog post published on Sunday. “In practice, of course, this never happens: many of the potential victims in each generation will delete the message, or ignore it, or have it blocked by their anti-virus.”

While statistics from Google show that on June 24 there had been 2,140 clicks on the malicious URL and over 210,000 on the Mobogenie redirection, AdaptiveMobile reported that Selfmite infections are not widespread at the moment, most likely because the threat was detected early: security firms and Google have already taken steps to protect users. Users in North America appear to be the most targeted, with dozens of infections detected by the mobile security firm.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
