December 2, 2011

Doctor Web—a Russian anti-virus vendor—warns users about a large number of malicious programs found among applications available in the Android Market. All this programs belong to the Android.SmsSend family and can send paid messages without user's consent. When Google received a notification from Doctor Web, these applications were removed from the Android Market promptly.

Doctor Web's virus analysts found over 30 malicious programs that can covertly send short messages at premium numbers While these SMS Trojan horses don't incorporate unique technologies and have been used by many criminals all over the World Wide Web, they can still harm victim's welfare as funds are withdrawn from their account for each message sent by the Trojan horse.

It is not the first case when Android Market becomes a source of infection.. Android.DreamExploid and Android.DDLight were discovered in the market earlier. However, this incident is the first one when Trojan horses are found in such large numbers.

By now Doctor Web reports 33 malicious programs of this type from two developers discovered in Android Market. The scheme used by criminals to spread the malware is rather unusual: malicious programs are marketed as image databases enabling users to change the desktop wallpapers and they really can do it. Various Image topics are available ranging from computer games to nature photos. Malicious applications can also be disguised as horoscope or diet making software, torch applications, etc. They feature minimalist interface and useful features, when available, serve only to conceal the true purpose of virus makers—send short paid messages from a compromised device.

Additionally, criminals use a simple and yet efficient trick to attract users' attention to malignant applications. They add unrelated but frequently used word combinations including popular game titles such as Angry Birds into programs' descriptions. As a result, links to such programs are often shown at the top of search results in Android Market.

The operating principle of these malicious applications is mostly the same. When launched, the user is shown a message prompting them to accept certain terms but no agreement containing the actual terms is displayed. Here the last word in the text is a hyperlink to a page containing the license agreement but the link is displayed as plain text. A user has to try very hard to find a link concealed in such a way. Little wonder that once the user agrees to the terms by pressing a corresponding key, the application immediately attempts to send a paid short message.

Applications from the other developer employ a slightly different trick. When launched, they offer a user to accept a license agreement by pressing a button or view the agreement text by pressing another one. However, the agreement is published on a third-party website currently unavailable, so the user can't learn about the actual agreement terms. After receiving a confirmation, the application immediately tries to send an SMS.

Google has already removed these malicious programs from the Android Market and corresponding virus definitions have been added into the Dr.Web virus databases