April 15, 2011

Doctor Web—the Russian anti-virus vendor—unveils the discovery of a malicious program belonging to the Android Spy family. The malware poses a threat to owners of Android smart phones. Once the Trojan horse gets onto a mobile device, it covertly starts sending SMS spam as commanded by criminals. In addition, Android.Spy.54 adds certain web-addresses to browser bookmarks on the smart phone. Most probably, the new threat for the Android platform has come from China.

The Android.Spy malware family targeting Android became well known in autumn 2010. In addition to retrieving and modifying contacts and short message information, sending SMS, and positioning, Android.Spy can also set themselves to be launched automatically. Some variations can also be loaded when the smart phone is turned on, but their purpose is to collect the smart phone's ID information, set certain search parameters in the search engine forms and to open links.

The new Android.Spy modification was discovered by Doctor Web's analysts on April 12, 2011. On the same day it was added to the Dr.Web virus database. For now only Dr.Web detects this piece of malware. It is worth mentioning that malicious programs for Android appear with increasing frequency. Only two weeks ago a new version of SMS Trojan Android.SmsSend was discovered.

Android.Spy.54 was found on the Chinese Internet resource www.nduoa.com — a web-site offering a collection of applications for the Android platform. The Trojan horse was the part of the program Paojiao - the widget, allowing users to make calls or send SMS to selected numbers. Spreading with a legitimate program is a standard model for the malware family Android.Spy.

The new modification of Android.Spy registers a background service, which connects to a malicious site and sends to criminals the victim's identity information (such as the IMEI and IMSI). In addition, the Trojan horse downloads an xml-file containing commands that make it start sending spam SMS from the compromised device and add certain sites to the browser bookmarks.

If a program unexpectedly requires additional privileges for its operation, it indicates that the application you are installing incorporates malicious features. For example, if a genuine game only needs access to the Internet, an infected version will ask for higher privileges. If you know that an application that caused your concern, is not supposed to work with SMS, calls, contacts, etc., it is not recommended to install it. In addition, to protect your smart phone, you can use Dr.Web for Android, available for download from the Android Market and Doctor Web's site.