December 26, 2011

Doctor Web—a Russian developer of IT security software—warns users of a new threat to mobile devices running the operating system Google Android. The malicious program discovered earlier by another anti-virus vendor has been added into the Dr.Web virus databases as Android.Arspam.1. The Trojan horse is designed to perform unauthorised massive SMS sending.

Android.Arspam.1 is embedded into the legitimate application AlSalah that works as a compass and helps Muslims determine the distance and direction to Ka'ba. The application also displays the current date and calculates salah timings. It should be noted that the application available in the Android Market does not carry any malicious payload, while a similar program distributed via Arab-speaking forums, as a rule, contains the Trojan horse. In other words, intruders added malicious features to AlSalah to perform their malicious tasks.

When launched on an infected device, Android.Arspam.1 creates and registers the com.awake.alArabiyyah service which will start with the operating system. Then the Trojan horse collects contact information found on the device and sends short messages containing links to forum posts, devoted to widely publicized events in the Middle East, particularly, to the Tunisian revolution, at each contact number. The posts contain photos of Mohamed Bouazizi who set himself on fire on December 17 2010—the event that triggered uprisings in many Arab countries. The list of links is contained in the Trojan horse code. In addition, if the SIM card is registered in Bahrain, the Trojan horse downloads a PDF-document containing Bahrain Independent Commission report on human rights violations in this country.

Android.Arspam.1 is the first known to date Trojan horse for mobile devices that sends out short messages related to politics. Despite its fairly primitive implementation, we should note a very sound approach to the choice of an application to make sure that messages sent by the Trojan horse will reach their target audience. Besides, since Android.Arspam.1 already can download files from remote hosts, in the nearest future we may expect new, more sophisticated modifications capable of retrieving configuration files or link lists that will be used to send short messages. The program may also evolve into a spam bot that will be used to create botnets. However, this may or may not happen in the future: to date, Dr.Web for Android Anti-virus+Anti-spam and Dr.Web for Android Light users are well protected against this threat.