September 14, 2011

The leading Russian anti-virus vendor Doctor Web warns users about a new threat to Android. The new malicious program has been added to Doctor Web's virus database as Android.SpyEye.1. This program targeting Android is a modification of the known Trojan horse SpyEye.

If a user's computer is compromised by SpyEye, it significantly increases the risk of infection by Android.SpyEye.1 for the user's mobile device. When a user visits a bank site, whose address is present in the Trojan horse's configuration file, the malicious program injects content such as text and web-forms into the web-page. So the customer loads the bank site page in the browser on their desktop or laptop and sees a message informing them that the new bank security policy has been introduced and in order to get access to their account viathe Internet they need to install a special application that will suposedly prevent interception of ther short messages. Below the user can see a download link of the program, distributed as simseg.apk. The malware size is about 20 Kbytes.

Once it has been downloaded and installed onto a deivce, the application won't appear on the list of installed programs. To find it the user has to open the Settings applet, go to Applications and select Application management. The malware is hidden behind the "System" icon.

In order to activate this application according to the instruction proposed by criminals, the user must call 325000 from the device. Android.SpyEye.1 intercepts the call aid displays the activation code which the user will supposedly need to enter on the bank's web-site later—the code is always the same number 251340.

After that, all short messages received by the infected device will be intercepted by the Trojan horse and forwarded to criminals. Android.SpyEye.1 uses a special XML configuration file to determine command center addresses.

Android.SpyEye.1 may present danger to owners of mobile devices, since it is capable of transfering confidential information into the hands of intruders. The signature of this threat has been added to the virus database incorporated into Dr.Web for Android Anti-virus&Anti-spam and Dr.Web for Android Light.