Tuesday, September 24, 2013

Largest botnet of Android mobile devices discovered - Computerra-Online

Author: Andrew Cornflower September 24, 2013

The Russian anti-virus software developer “Doctor Web” has reported that its specialists have identified the largest known botnet consisting of infected smartphones and tablets running Android.

The botnet currently comprises more than two hundred thousand devices, and the number continues to grow. All of them are infected with a member of the large Android.SmsSend Trojan family, also collectively known as Trojan-SMS.AndroidOS in the terminology of another Russian anti-virus developer, “Kaspersky Lab”.

These Trojans send SMS messages to short numbers without authorization, send messages to contacts in the address book, redirect users to infected websites, steal personal information, sign the user up for paid subscriptions without his knowledge, or perform other malicious actions. In some cases they are used to install other malware on victims' mobile devices, including remote control tools (backdoors).

Most of the Trojans in the family are distributed as separate installation packages (.apk) posing as various free applications. More advanced ones use the built-in advertising functionality of Android and are presented as a highly recommended update for software already in use. Updates for the browser and Flash Player are offered most often.

Fake Opera Mini browser update (image: threattracksecurity.com).

The text of messages disguising a link to the Trojan typically contains errors, or the messages may appear in the windows of applications that have nothing to do with the components being “updated”.


Trojan code is embedded in the installation packages of legitimate software. Thanks to obfuscation techniques, some of these packages even pass the Bouncer entry screening system for a while and are distributed through the official Google Play app store.


A developer account costs the attackers only $25. These modest costs are more than recouped, since before a program is removed from Google Play, tens of thousands of users have time to download it.

The increase in the number of mobile botnets since late last year is confirmed by experts at the American company Cloudmark.

This time, more than half of the affected users are located in Russia. There are also many among the residents of Ukraine and Kazakhstan. The geographic distribution includes Europe and the U.S., but the frequency of occurrence of Android.SmsSend there is much lower – of a percent.

Map of the distribution of infected mobile devices that form the botnet (image: drweb.com).

Among the unwitting participants in the botnet, subscribers of MTS Russia are the most numerous. Their smartphones and tablets account for just under a quarter of the botnet nodes, and together with fellow sufferers from Kazakhstan and Ukraine, more than a third. The overall distribution by operator corresponds to the balance of power among the “big three”.

Distribution of infected subscribers by mobile operator (image: drweb.com).

Most of the devices detected in the botnet are infected with Android.SmsSend modifications numbered 754 (installation package Flow_Player.apk, which imitates a media player), 412 (spreads as a mobile browser) and 468 (presented as a client for the social network “Facebook”). It is noteworthy that some versions are granted administrator privileges by the user, at their request.

Android.SmsSend.754 politely asks to be given administrator rights (image: drweb.com).

Most varieties of the Trojan were added to antivirus databases in the spring and summer, but one of them (number 233) has been in use since November last year. Although the threat has been known for a long time and its distribution mechanism is well understood, users are still vulnerable. The reason is simple: most owners of smartphones and tablets do not consider it necessary to use even free anti-virus programs.


While the hidden activity of individual Trojans harms only the smartphone owners directly affected by their actions, the formation of a botnet is a collective threat on a new level. Its existence is technically possible only because of the weak “immune layer”: the small percentage of users who pay due attention to basic information security.

Preliminary estimates put the total damage from the activity of the Android.SmsSend Trojan family as part of the botnet in the hundreds of thousands of dollars.
