Premium-rate SMS malware survived in Google Play for weeks

July 12, 2012
7 34 2 1

Based on image from Symantec

A nasty bit of malware known as Android.Dropdialer has been hiding out in Google Play since June 24 and has managed to generate somewhere between 50,000 to 100,000 downloads. The malware was hidden inside two games “Super Mario Bros.” and “GTA 3 Moscow City”. The malware was discovered by Symantec and was removed from the Play store once Google was notified.

The malware managed to remain undetected for so long because the malicious components where downloaded separately, from a Dropbox account, and did not form part of the original package submitted to Google Play. “What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered. Our suspicion is that this was probably due to the remote payload employed by this Trojan,” wrote Irfan Asrar of Symantec.

The remote payload, known as ‘Activator.apk’, sends SMS messages to a premium-rate number in Eastern Europe. Once the message was sent, Activator prompts the user to uninstall itself. This was clearly a trick to make the user think that the Activator somehow registered the game and uninstalls itself once its job was done. This was of course partly true, but, rather than activating the game, it sent the costly SMS.

Unfortunately, this is a real-world example of how a malware writer can trick Google (and its anti-malware tester known as Bouncer). Also, anti-virus software on the Android device wouldn’t have helped too much, as the malware was previously unknown and, as such, any security software installed wouldn’t detect its presence.

The key to remaining safe is to always check the permissions. The Activator package would have had to specifically ask for the permission to send SMS messages when it was installed. This should always be a warning to Android users. Games don’t need to send SMS messages, neither do any registration or activation apps that they subsequently try to install.

Be vigilant!

Comments

  • Drem

    Haha, It was even in “Popular” thread in Google Play :D.