New Adware and Backdoor Malware Hits Mobile Devices

23 May 2012

The Android OS is the most popular target for developers of mobile malware, with practically all new mobile malware directed at the Android platform. Most mobile attacks and their malware originate from, and target, third-party markets, particularly in China and Russia.

In most cases, this malware is not in the official Android market. Although Google’s app store has suffered some malware incidents, app stores are the safest way for consumers to purchase apps. McAfee Labs researchers strongly advise installing software only from the official market to reduce the risk of compromising your Android device.

Among the new threats are variants of adware and mobile backdoor malware, some very simple premium-rate short message service (SMS) sending malware, and even more destructive malware that targets photos stored on Android devices.

Mobile Adware
Mobile adware displays ads on a victim’s phone without permission. (This does not include ad-supported games or apps.) Adware ranges from wallpaper with added sales pitches (Android/Nyearleaker.A) to fake versions of games that send visitors to advertising sites (Android/Steek.A). Although adware doesn’t necessarily reduce users’ security, it does subject them to unwanted ads.

Mobile Backdoor Malware
Backdoor Trojans on Android devices are getting more sophisticated. Instead of performing just one action, they gain control of a victim’s device and launch additional malware. Here are a few examples of this type of malware analyzed by McAfee Labs researchers:

  • Android/FoncyDropper.A — Gains control of the smartphone and launches a bot that receives commands from the attacker. It also sends premium-rate SMS messages based on the SIM card’s country code.
  • Android/Rootsmart.A — Downloads Android/DrdLive.A, a backdoor Trojan that sends premium-rate SMS messages and takes commands from a control server.
  • Android/Stiniter.A — Downloads additional malware and sends information from the phone to sites under the control of the attacker. It also sends text messages to premium-rate numbers, using the attacker’s control server to remotely update the text message body and the number the hijacked phone sends to.

Mobile Photobombing Malware
Android/Moghava.A is one of the first destructive Android Trojans. This malware does not target the victim’s apps; it targets the victim’s photos. Moghava.A searches for photos stored on the SD card and adds an image of Ayatollah Khomeini to each picture, and it continues adding the image to the pictures until there is no space left on the card.