July 25, 2013

Russian anti-virus company Doctor Web has discovered several malicious programs on Google Play that install Android.SmsSend Trojans on mobile devices. The Trojans send short messages to premium numbers and deplete subscriber accounts. Google was promptly notified about the incident.

The programs, discovered by Doctor Web's analysts, belong to the Vietnamese developer AppStore Jsc. They are disguised as audio players and a video player that displays adult content.

The table below is based on Google Play statistics. It provides information about the number of users who have installed these applications:

The total number of installations of these three programs ranges between 11,000 and 25,000.

These applications appear harmless. However, they incorporate an extra apk-file that contains an Android.SmsSend Trojan. While running these carrier applications, dubbed Android.MulDrop, Android.MulDrop.1, and Android.MulDrop.2 by Dr.Web, can prompt the user to download the content they need, but their consent initiates the installation of another application rather than the downloading of files. For example, the video player program offers to get the user new adult clips.

If the careless user agrees to install a suspicious application, the Trojan Android.SmsSend.512 will be installed on the device. The program covertly sends short messages to the short number 8775 which is specified in the malware's configuration file. It is noteworthy that this Trojan really does enable a user to view adult video clips. Apparently, the attackers implemented this feature to avoid unnecessary suspicion.

As for the second and third Trojan carriers, they contain malware dubbed Android.SmsSend.513.origin. It operates similarly to Android.SmsSend.517, but, unlike the latter, it acquires information about short numbers from a command and control server.

Devices running Dr.Web for Android are well protected from these malicious programs whose signatures were promptly added to the virus database.