The company Doctor Web has recorded a mass distribution of unwanted SMS messages containing a link to download the Android Trojan Android.SmsBot.75.origin, which is designed to steal confidential data from South Korean users and to send SMS messages covertly. Over a few days the attackers sent about 40 spam messages, and the total number of affected owners of Android mobile devices may reach several tens of thousands.
The spam messages recorded by Doctor Web specialists inform potential victims about an allegedly unreceived postal item, whose status can be checked by following the link provided in the short message text. A user who follows the link is redirected to a fraudulent blog page hosted on Google's Blogger platform and designed to give the false impression that it belongs to a courier delivery service. When the user tries to view the information offered there, the Trojan Android.SmsBot.75.origin is downloaded to the victim's mobile device from the Dropbox cloud storage, where the cybercriminals held a dedicated account.
Thus, this spam campaign is practically no different from many similar ones organized in South Korea, but in scope it is one of the largest in recent years. The attackers sent almost 40 spam messages and used at least five different blogs containing links that lead to the download of three modifications of Android.SmsBot.75.origin.
According to open statistics available on one of these pages, more than 30,000 potential victims visited it within a few days. Given the total number of fraudulent blogs used, the final number of affected users may be many times that figure.
To avoid arousing unnecessary suspicion, after launch Android.SmsBot.75.origin connects to the website of a real postal and transport company and loads it in WebView mode, i.e. displays it as a web application. At the same time, the malware's icon is removed from the main screen of the mobile device and the Trojan's service MainService is activated, which covertly performs all the malicious activity. In particular, the Trojan uploads the information from the phone book to a remote server and then continuously waits for a command from it that specifies the parameters for sending SMS messages: the recipient's number and the text. In addition, the malware creates a list of numbers whose calls and SMS are hidden from the user. Thus, Android.SmsBot.75.origin can be used not only as a spy or SMS Trojan, but also as a means to steal money from mobile banking systems.
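A defender triaging a suspicious APK can check its decoded manifest for the capability combination described above. The following is an added example, not code from Doctor Web or from the Trojan: the mapping of behaviours to permissions is an assumption, and the sample manifest (package and receiver names included) is constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from the behaviours described above to standard Android permissions.
CAPABILITIES = {
    "uploads phone book": {P + "READ_CONTACTS", P + "INTERNET"},
    "sends SMS on remote command": {P + "SEND_SMS", P + "INTERNET"},
    "reads incoming SMS": {P + "RECEIVE_SMS"},
}

# Constructed sample manifest (decoded XML); package and receiver names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parcel">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".MainService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage(manifest_xml):
    """Return (findings, declared service names) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    findings = [label for label, needed in CAPABILITIES.items() if needed <= perms]
    for flt in root.iter("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.iter("action")}
        prio = flt.get(NS + "priority", "0")
        # A raised priority puts the receiver ahead of other apps for incoming SMS.
        if ("android.provider.Telephony.SMS_RECEIVED" in actions
                and prio.lstrip("-").isdigit() and int(prio) > 0):
            findings.append("high-priority SMS receiver")
    services = [s.get(NS + "name") for s in root.iter("service")]
    return findings, services


if __name__ == "__main__":
    found, services = triage(SAMPLE_MANIFEST)
    print("capabilities:", found)
    print("background services to review:", services)
```

Any single finding is common in legitimate apps; it is the full combination in an app posing as a parcel-tracking page that warrants a closer look.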
Besides the spam campaign described, Android.SmsBot.75.origin has already been spread by attackers through other unwanted SMS mailings, in which it was passed off as notifications received from the police, so it is possible that the scammers will attempt new attacks on users in the future.