Wednesday, September 23, 2015

Android.SmsBot – robbing Android users continues to … – Telix.pl

For many years, cybercriminals have used malicious programs that send SMS messages to premium numbers without the user’s knowledge as one of their preferred methods of generating illegal revenue. However, the growing popularity of online banking applications has enabled virus writers to use more “advanced” Trojans in their attacks. In particular, this category includes Trojans of the Android.SmsBot family, which are able to steal money from the bank accounts of mobile device users. This article describes one such Trojan, recently detected by Doctor Web security analysts.
 

Just like other similar malware, the new Trojan, named Android.SmsBot.459.origin, is distributed by cybercriminals through SMS spam. In this case, the potential victim receives a message allegedly sent by a person interested in several things the victim has advertised. The message encourages the victim to visit a website in order to obtain more detailed information about a possible deal. It is worth noting that in some cases the criminals address the victim by name, from which we can conclude that for these well-planned attacks the cybercriminals use a specially created database of real advertisements. Such a scheme is very likely to deceive the victim: if some time ago someone tried to sell something online, the message will not arouse any suspicion and the link to the site will be opened. If this happens, the Trojan's APK file is downloaded to the device. However, for Android.SmsBot.459.origin to begin its work, the user must install it themselves. If a user tries to open the link on a device running an operating system other than Android, they are redirected to an innocuous web page instead of the resource from which the Trojan file is downloaded.

Android.SmsBot.459.origin hides in the guise of the client application of one of the popular Russian sites for ads and announcements. It even borrows the original program's icon, so that the potential victim has no doubt that they are dealing with the real ads and announcements platform. Once the Trojan starts, it tries to gain administrator privileges to protect itself against removal. What’s more, by continuously prompting the user to grant administrator rights, the Trojan makes the device almost impossible to use.

Android.SmsBot.459.origin sends information about the device to the command and control server, including the IMEI, the name of the mobile operator and the operating system version. In response, the Trojan is instructed to check the device for the presence of mobile banking applications of a number of financial organizations. The malware also checks the status of the user's mobile account and of their account at one of the popular Russian online payment systems. To do this, the malicious program sends special text messages to all of these services, hiding the replies from the user and passing them to a remote server. It is worth noting that, because of the additional security mechanisms introduced in Android 4.4 and later, the Trojan can no longer hide SMS messages from the user; instead, the malicious program just deactivates all sound notifications (including vibration) and erases the text of all incoming messages.
 

 Android.SmsBot.459.origin can perform the following commands:
 

  • ESMS&&& – send a list of all SMS messages to the server,
  • getapps&&& – send a list of installed applications to the server,
  • sent&&& – send an SMS with predefined text to a specified number,
  • rent&&& – enable interception of text messages,
  • sms_stop&&& – disable interception of SMS messages,
  • USSD&&& – send a USSD request,
  • export&&& – send the list of contacts to the server,
  • u&&& – set a new address for the command and control server,
  • sapp&&& – send a message to a specified number through the Viber app.

In this way, if there is money on any of these accounts, the cybercriminals can steal it by issuing the appropriate command. What’s more, the victim learns of the attack not at the time of the crime but later, because the Trojan blocks all messages containing confirmation codes and notifications about financial operations.
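A triage check built from the behaviour described above, as an added example that is not part of the original article or of Doctor Web's analysis: it reads a decoded AndroidManifest.xml and reports which of the listed capabilities the app's permissions would allow and whether it registers a device-administrator component. The behaviour-to-permission mapping, the flag rule, the helper names and the sample package names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Behaviours from the article mapped to the permission each typically needs.
# This mapping is the example's assumption, not taken from the Trojan's code.
BEHAVIOUR_PERMS = {
    "send SMS (sent&&&)": P + "SEND_SMS",
    "intercept incoming SMS (rent&&&)": P + "RECEIVE_SMS",
    "upload stored SMS (ESMS&&&)": P + "READ_SMS",
    "upload contacts (export&&&)": P + "READ_CONTACTS",
    "dial USSD codes (USSD&&&)": P + "CALL_PHONE",
    "read IMEI and operator name": P + "READ_PHONE_STATE",
}

def triage(manifest_xml):
    """Return (behaviours, wants_device_admin, suspicious) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    behaviours = sorted(b for b, p in BEHAVIOUR_PERMS.items() if p in requested)
    # A device-administrator component is a receiver guarded by BIND_DEVICE_ADMIN.
    wants_admin = any(r.get(ANDROID + "permission") == P + "BIND_DEVICE_ADMIN"
                      for r in root.iter("receiver"))
    # Flag rule (assumed): removal protection plus both sending and intercepting SMS.
    sms_pair = {P + "SEND_SMS", P + "RECEIVE_SMS"} <= requested
    return behaviours, wants_admin, wants_admin and sms_pair

def make_manifest(package, perms, admin):
    """Build a constructed sample manifest; real input would come from a decoded APK."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    rcv = ('<receiver android:name=".Admin" android:permission="%sBIND_DEVICE_ADMIN"/>' % P
           if admin else "")
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application>%s</application></manifest>' % (package, uses, rcv))

# Constructed samples; the package names are hypothetical.
SUSPECT = make_manifest("com.example.adsclient", ["SEND_SMS", "RECEIVE_SMS", "READ_SMS",
                        "READ_CONTACTS", "CALL_PHONE", "READ_PHONE_STATE"], admin=True)
PLAIN_SMS_APP = make_manifest("com.example.messenger", ["SEND_SMS", "RECEIVE_SMS"], admin=False)

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("plain SMS app", PLAIN_SMS_APP)):
        behaviours, admin, flagged = triage(xml)
        print(name, "| device admin:", admin, "| flagged:", flagged)
        for b in behaviours:
            print("   ", b)
```

A flagged manifest is a reason to look closer, not a verdict: legitimate messaging or device-management apps request some of the same permissions, which is why the rule requires the combination.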
 

Doctor Web security analysts once again warn Android users not to open suspicious links in text messages or install applications downloaded from untrusted sources. Dr.Web anti-virus for Android successfully detects Android.SmsBot.459.origin and, therefore, the malicious program poses no threat to our users.

Source: Doctor Web
