Menu
Android SMS worm Selfmite returns, more aggressive than ever

Android SMS worm Selfmite returns, more aggressive than ever

A new version of the worm is causing infected devices to send thousands of spam text messages and has spread to 16 countries so far

A new version of an Android worm called Selfmite has the potential to ramp up huge SMS charges for victims in its attempt to spread to as many devices as possible.

The first version of Selfmite was discovered in June, but its distribution was quickly disrupted by security researchers. The worm -- a rare type of malware in the Android ecosystem -- spread by sending text messages with links to a malicious APK (Android Package) to the first 20 entries in the address book of every victim.

The new version, found recently and dubbed Selfmite.b, has a similar, but much more aggressive spreading system, according to researchers from security firm AdaptiveMobile. It sends text messages with rogue links to all contacts in a victim's address book, and does this in a loop.

"According to our data, Selfmite.b is responsible for sending over 150k messages during the past 10 days from a bit more than 100 infected devices," Denis Maslennikov, a security analyst at AdaptiveMobile said in a blog post Wednesday. "To put this into perspective that is over a hundred times more traffic generated by Selfmite.b compared to Selfmite.a."

At an average of 1,500 text messages sent per infected device, Selfmite.b can be very costly for users whose mobile plans don't include unlimited SMS messages. Some mobile carriers might detect the abuse and block it, but this might leave the victim unable to send legitimate text messages.

Unlike Selfmite.a, which was found mainly on devices in North America, Selfmite.b has hit victims throughout at least 16 different countries: Canada, China, Costa Rica, Ghana, India, Iraq, Jamaica, Mexico, Morocco, Puerto Rico, Russia, Sudan, Syria, USA, Venezuela and Vietnam.

The first version of the worm used goo.gl shortened URLs in spam messages that pointed to an APK installer for the malware. Those URLs were hardcoded in the app's code, so once they were disabled by Google, the operator of the goo.gl URL shortening service, Selfmite.a's distribution stopped.

The worm's authors took a different approach with the new version. They still use shortened URLs in text messages -- this time generated with Go Daddy's x.co service -- but the URLs are specified in a configuration file that the worm downloads periodically from a third-party server.

"We notified Go Daddy about the malicious x.co URLs and at the moment both shortened URLs have been deactivated," Maslennikov said. "But the fact that the author(s) of the worm can change it remotely using a configuration file makes it harder to stop the whole infection process."

The goal of Selfmite is to generate money for its creators through pay-per-install schemes by promoting various apps and services. The old version distributed Mobogenie, a legitimate application that allows users to synchronize their Android devices with their PCs and to download Android apps from an alternative app store.

Selfmite.b creates two icons on the device's home screen, one to Mobogenie and one to an app called Mobo Market. However, they act as Web links and clicking on them can lead to different apps and online offers depending on the victim's IP (Internet Protocol) address location.

Fortunately, the worm's distribution system does not use exploits and relies only on social engineering -- users would have to click on the spammed links and then manually install the downloaded APK in order for their devices to be infected. Furthermore, their devices would need to be configured to allow the installation of apps from unknown sources -- anything other than Google Play -- which is not the default setting in Android. This further limits the attack's success rate.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securitymalwaremobile securityGoogleGo DaddyAdaptiveMobile

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments