In a new twist, spammers have built a botnet that sends SMS spam through infected Android phones, shifting the potentially pricey cost of sending spam to victims.
The trend, spotted by security vendor Cloudmark, poses a new challenge for operators. Victims whose phones are sending the SMS spam often do not know their phone is infected, and they could have their account suddenly shut down by their operator if abuse is detected.
“I think they [operators] are still working out how to deal with this,” said Andrew Conway, Lead Software Engineer with Cloudmark, which makes antispam products for operators. “This is fairly new.”
Cloudmark noticed that a server located in Hong Kong was hosting two Android games, “Angry Birds Star Wars” and “The Need for Speed Most Wanted,” for the Android mobile operating system. Both games were infected with malware that connects the phones with rogue servers that deliver instructions for a mobile spam campaign.
When connected to the rogue command-and-control servers, the victim’s phone receives a list of around 50 phone numbers along with the spammy text, Conway said. The malware on the Android device will wait a little more than one second after sending a message, then will eventually check in with the rogue server to obtain more numbers. If the phone is shut off and turned on again, the malware reboots and installs itself as a service on the phone, Cloudmark said.
In one example, the spam messages contained links to the malicious applications in hopes of infecting other users. In another example, the spam message falsely informed people they had won a gift card. But in order for the gift card to be delivered, the victim is asked to pay a shipping cost of US$5.95. Conway said the scammers then collect a victim’s personal details for further affiliate marketing campaigns, as well as a credit card number.
Spam via SMS (short message service) is nothing new. In the past, spammers bought SIM cards in bulk and inserted them into a SIM card bank to start a spam campaign. As the spammy numbers are shut down by operators, the SIM cards are swapped out with fresh ones.
But with that method, the spammers incurred the cost of buying SIM cards. They also had to be in the same country as victims in order to avoid international SMS sending charges.
The latest method neatly avoids both of those costs. Conway said using malware allows the scammers to conduct campaigns from anywhere in the world at no extra cost. The people whose phones are infected will incur the costs of sending the SMS messages, which could be expensive for some people with monthly SMS limits, Conway said.
“We may see not only does this cost less for the spammers, but if they can spread their spam over a larger and larger number of phone numbers…then it makes it harder to block this on an individual phone number basis,” Conway said.
Victims also face an additional problem if an operator decides to shut down their phone due to spamming. The malware also blocks incoming SMS messages, so if a recipient of a spammy SMS complains and sends a text message in response, the victim will still not know their device is being abused, Conway said.
The spammers appear to still be testing the method, but spam volumes are rising, Conway said. The recipients of the spam are so far just in the U.S. It appears that around 800 phones are infected with the malware. As recently as two weeks ago, the botnet was sending upwards of 500,000 messages per day.
Conway described the botnet as “primitive” and not at the level of sophistication of botnets that abuse desktop computers. But it does herald a new level of innovation among mobile spammers.
The best advice for Android users is to avoid downloading applications from untrusted sources. Google scans applications in its Play store for malicious behaviour, but unvetted Android applications are widely available around the Internet. Conway said he believes the campaign is geared toward exploiting younger Android users.
“The younger you are, the more likely you are to engage in risky behaviour with your mobile phone,” Conway said.
Recipients of spam can forward a suspicious message to “7726,” a short code for the GSMA’s Spam Reporting Service, which is run by Cloudmark. The company analyses the messages. Depending on how the operator wants to handle it, spam messages can be blocked or the malicious link within the message can be removed, Conway said.