SMS-sending Trojans have been around ever since mobile devices became widely adopted, and they’ve been responsible for a huge number of racked up phone bills and premium number subscriptions, generating significant financial losses around the world.
These types of Trojans are built for a single purpose – to generate revenue for cybercriminals by covertly infiltrating devices and taking control over SMS sending and receiving functions. This is a very effective and easy way of making money, as it’s completely untraceable until the damage is already done.
Because users are unaware of sent text messages, the malicious behavior is usually revealed when large phone bills show up or when credit disappears in a matter of days.
One of the most common infection methods with SMS-sending Trojans is through applications downloaded and installed from third-party marketplaces that don’t usually vet apps with the same level of scrutiny as official marketplaces. This allows cybercriminals to take legitimate applications, usually paid ones, inject malicious code into them, and redistribute them with the promise that the download is the full version, with no purchase required.
This method is quite effective at getting users to sideload (or install from non-official marketplaces) applications, as some users don’t want to actually buy apps. However, apps in official marketplaces have on occasion been known to behave maliciously and exhibit malicious SMS-sending abilities. In fact, these apps were so sophisticated at the time that they even had CAPTCHA bypassing mechanisms, specifically for skirting validation from premium-rated numbers.
Other infection methods, usually a bit more complex, involve the use of zero-day vulnerabilities (vulnerabilities that were previously unknown) – usually in browsers – triggered by malicious URLs. Whenever a user opens an attacker-crafted link, they could be redirected to a webpage that might enable an attacker to remotely exploit and control an Android device. Of course, this involves a high degree of sophistication from the attacker, and such Android vulnerabilities are usually exploited to deliver other types of threats, such as remote access Trojans (RATs), rather than SMS-sending malware.
How it works
As soon as an application infected with an SMS-sending Trojan reaches your device, it seizes SMS sending and receiving capabilities. This means that it can send and receive text messages without users knowing about it, while also hiding notifications.
These Trojans usually try to contact more than one premium-rated number, with the charge per text message sometimes reaching a couple of dollars or euros. These are usually adult services to which the attacker has some sort of affiliation, meaning that for each subscribed user the attacker receives money. Some of these services have begun incorporating features meant to prevent automatic subscription, such as two-factor authentication or CAPTCHA. But the SMS-sending Trojan can also read incoming emails, so it can intercept these one-time authentication passwords and make the process look legitimate.
Protection and Remediation
Users should avoid downloading and installing applications from untrusted or third-party marketplaces, especially apps that promise fully unlocked features for otherwise paid apps. These apps are usually injected with SMS-sending Trojans and other malware, and the promise of unlocked features for popular apps is the lure. Sometimes cybercriminals leverage the name of popular applications, such as Angry Birds or Pokemon Go, to create malicious apps that have nothing to do with the original application.
Removing the malicious Trojan is sometimes as simple as using the built-in uninstall features in Android. However, these malicious applications usually hide their names under aliases designed to trick users into believing they’re system apps. For example, one such malicious application could use an alias like “com.android.system.service” or “com.android.system.manager” when users look it up in the uninstall manager, but use a different name, such as “Download Manager”, on the start screen.
It’s also important to go through permissions whenever you install new applications, as sometimes they are dead giveaways that the app will perform activities it shouldn’t. For example, a racing simulator asking for permission to send text messages should raise an eyebrow, as this feature is not likely needed in the game. Consequently, any application that tries to access SMS-sending permissions should have legitimate rights to do so, or it may not be the real deal.
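The alias and permission checks from the two paragraphs above, as an added example (not code from the original article): a Python triage of the decoded AndroidManifest.xml of a sideloaded APK. The sample manifests, the list of system-looking prefixes and the priority threshold of 999 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: prefixes that make a sideloaded app look like a platform component.
SYSTEM_LOOKING = ("com.android.", "com.google.android.")

def triage_manifest(xml_text):
    """Return findings for one decoded AndroidManifest.xml (heuristics, not a verdict)."""
    root = ET.fromstring(xml_text)
    findings = []
    package = root.get("package", "")
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMISSIONS)
    if sms:
        findings.append("requests SMS permissions: " + ", ".join(sms))
    app = root.find("application")
    label = app.get(NS + "label", "") if app is not None else ""
    if sms and package.startswith(SYSTEM_LOOKING):
        findings.append(f"package {package!r} looks like a system app, label is {label!r}")
    # A high-priority SMS_RECEIVED receiver sees incoming texts before other apps.
    for flt in root.iter("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.iter("action")}
        prio = flt.get(NS + "priority", "0")
        if SMS_RECEIVED in actions and prio.isdigit() and int(prio) >= 999:
            findings.append(f"SMS_RECEIVED receiver with priority {prio}")
    return findings

# Constructed sample manifests (not taken from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.system.service">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Download Manager">
    <receiver android:name=".Rx">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
RACING_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.racing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Racing Sim"/>
</manifest>"""
if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS), ("racing", RACING_GAME)):
        print(name, triage_manifest(text))
```

A finding is a reason to look closer, not proof of malice: legitimate messaging apps request the same permissions, and a real decoded manifest often carries the label as a resource reference rather than literal text.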
The best way to keep your device safe from SMS-sending Trojans is to always use a mobile security solution that can scan apps before installing them. Whether you’re downloading apps from official marketplaces or third-party stores, a mobile security solution can assess whether they’re malicious and prevent them from installing on your device.