A new IRS tax spam campaign pumped up by the Cutwail botnet has been found to deliver â€žgoodiesâ€ for Android users as well, according to Dellâ€™s SecureWorks Counter Threat Unit.
Called Stels, this Android Trojan is a multi-purpose tool impersonating an Adobe Flash update. If it gets installed, the malware can intercept SMS messages, collect contact information and initiate phone calls, as well as install additional payloads from the web.
Interesting about this campaign is that the spam message embeds a link, rather than carries malware. As the user clicks on the link, the malicious web page at the other end of the connection checks the victimâ€™s user agent. If it is an Android browser, it installs the Trojan.
If the victim uses a Windows desktop, he is re-directed to a site rigged with the Blackhole exploit pack, where the browser and add-on security levels are assessed. When a vulnerable technology is found, the user is directed to the corresponding exploit, which plants a persistent piece of malware in the current campaign. If the exploit pack canâ€™t determine a vulnerable component, the browser is redirected to an affiliation scam site.
Judging by permissions, the fake Flash Player update is probably used for premium-rate calls and financial fraud, as SMS interception is a key component in seizing the mTAN (Mobile Transaction Authentication Number) â€“ a confirmation number necessary for money transfers and payments. This supposition is enforced by the fact that Cutwail has a long tradition in delivering other breeds of financial malware such as a peer-to-peer variant of the Zeus Trojan.
To be able to compromise the Android environment, the phone needs to accept the installation of applications from third-party sources (sideloading).
Bitdefender Mobile Security detects this Trojan as Andoid.Trojan.FakeApp.K.