A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China.
Researchers at FireEye lifted the curtain off the threat today, describing MisoSMS as “one of the largest advanced mobile botnets to date” and warning that it is being used in more than 60 spyware campaigns.
FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.
FireEye’s research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts.
FireEye security content researchers Vinay Pidathala said MisoSMS infects Android systems by deploying a malicious Android app called “Google Vx” that masquerades as an Android settings app used for administrative tasks.
The app uses a bit of trickery to install and hide itself from the user. Once it’s installed, the app secretly steals the user’s personal SMS messages and emails them to a webmail command-and-control.
Pidathala explains the SMS exfiltration method:
This application exfiltrates the SMS messages in a unique way. Some SMS-stealing malware sends the contents of users SMS messages by forwarding the messages over SMS to phone numbers under the attacker’s control. Others send the stolen SMS messages to a CnC server over TCP connections. This malicious app, by contrast, sends the stolen SMS messages to the attacker’s email address over an SMTP connection.
Pidathala said all of the reported malicious e-mail accounts have been deactivated as part of a mitigation strategy with law enforcement and security response officials in Korea and China.
Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine”. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.Previous Columns by Ryan Naraine:Massive Android Mobile Botnet Hijacking SMS DataArbor Networks: Beware of Bitcoin Alarm Utility Database Cloud Services a Malware Risk to Enterprises: ImpervaBug Bounty Flaws Remain Unpatched for 151 Days: StudyGoogle Blocks Fraudulent Certificates Used by French Government