Botnet steals text messages from Android handsets

19 Dec 2013

An IT security firm claims one of the largest botnets ever created was stealing text messages from handsets on Android platforms and sending them to Chinese and Korean servers.

Researchers at FireEye said they had discovered 64 Android botnet campaigns belonging to the MisoSMS malware family.

According to FireEye, each of the campaigns used webmail as its command and control infrastructure, and across the campaigns that infrastructure comprised more than 450 unique malicious email accounts.

The researchers said MisoSMS infected Android devices through a class of malicious Android apps; the malware masqueraded as an Android settings app used for administrative tasks.

On execution, the application secretly stole the user's personal SMS messages and emailed them to a command and control (CnC) infrastructure hosted in China.

"This application exfiltrates the SMS messages in a unique way. Some SMS-stealing malware sends the contents of users' SMS messages by forwarding the messages over SMS to phone numbers under the attacker's control," said FireEye researchers Vinay Pidathala, Hitesh Dharmdasani, Jinjian Zhai and Zheng Bu in a blog post.

"Others send the stolen SMS messages to a CnC server over TCP connections. This malicious app, by contrast, sends the stolen SMS messages to the attacker's email address over an SMTP connection," they added.
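One way to hunt for this behaviour on the network side, whichever of the three exfiltration channels the researchers describe is in use, is to correlate each inbound SMS on a handset with the outbound traffic that follows it within a short window: a forwarded SMS to one recurring number, a raw TCP connection to a CnC host, or an SMTP submission to a webmail provider. The Python script below is an added example written for this article; it is not FireEye's code or anything from the MisoSMS analysis. The event format, the 60-second window, the two-hit threshold and the sample events are all constructed assumptions.

```python
"""Correlate inbound SMS events with the outbound traffic that follows them,
to flag SMS-stealing malware regardless of its exfiltration channel.

Added illustration, not FireEye's code. Event layout, window and sample
data are constructed assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SMTP_PORTS = {25, 465, 587}   # SMTP / SMTPS / submission
WINDOW_SECONDS = 60           # assumption: exfiltration follows receipt quickly


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values below)
    device: str    # handset identifier
    kind: str      # "sms_in", "sms_out" or "tcp_out"
    peer: str      # SMS sender/recipient number, or destination host
    port: int = 0  # destination port for tcp_out


def classify_channel(ev: Event) -> Optional[str]:
    """Name the exfiltration channel an outbound event would represent."""
    if ev.kind == "sms_out":
        return "sms_forward"          # stolen SMS re-sent over SMS
    if ev.kind == "tcp_out":
        return "smtp" if ev.port in SMTP_PORTS else "tcp_cnc"
    return None                       # inbound events are not channels


def correlate(events: List[Event], window: int = WINDOW_SECONDS
              ) -> List[Tuple[str, str, str, int, int]]:
    """Return (device, channel, peer, inbound_ts, outbound_ts) for every
    outbound event seen within `window` seconds after an inbound SMS."""
    by_device: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_device[ev.device].append(ev)

    hits = []
    for device, evs in by_device.items():
        for i, ev in enumerate(evs):
            if ev.kind != "sms_in":
                continue
            for later in evs[i + 1:]:
                if later.ts - ev.ts > window:
                    break             # events are time-sorted; stop early
                channel = classify_channel(later)
                if channel:
                    hits.append((device, channel, later.peer, ev.ts, later.ts))
    return hits


def suspicious_devices(events: List[Event], min_hits: int = 2,
                       window: int = WINDOW_SECONDS) -> Dict[Tuple[str, str, str], int]:
    """Devices where at least `min_hits` inbound SMS were each followed by
    outbound traffic over the same channel to the same peer."""
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for device, channel, peer, _in_ts, _out_ts in correlate(events, window):
        counts[(device, channel, peer)] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


# Constructed sample telemetry: three handsets, two of them infected.
SAMPLE_EVENTS = [
    # phone-A: every inbound SMS is followed by an SMTP submission to webmail
    Event(1000, "phone-A", "sms_in", "+15550001"),
    Event(1012, "phone-A", "tcp_out", "smtp.webmail.example", 25),
    Event(1500, "phone-A", "sms_in", "+15550002"),
    Event(1509, "phone-A", "tcp_out", "smtp.webmail.example", 25),
    # phone-B: normal use; an unrelated HTTPS connection minutes later
    Event(2000, "phone-B", "sms_in", "+15550003"),
    Event(2400, "phone-B", "tcp_out", "www.example", 443),
    # phone-C: each inbound SMS is immediately forwarded to one number
    Event(3000, "phone-C", "sms_in", "+15550004"),
    Event(3005, "phone-C", "sms_out", "+15559999"),
    Event(3100, "phone-C", "sms_in", "+15550005"),
    Event(3104, "phone-C", "sms_out", "+15559999"),
]

if __name__ == "__main__":
    for (device, channel, peer), n in suspicious_devices(SAMPLE_EVENTS).items():
        print(f"{device}: {n} inbound SMS each followed by {channel} to {peer}")
```

The correlation is deliberately channel-agnostic: the SMTP case in the article is only one of the three paths the researchers list, and a detection keyed to port 25 alone would miss the other two. In production the `tcp_cnc` branch needs an allowlist for the handset's own sync and update endpoints, otherwise ordinary app traffic on 443 shortly after an SMS will produce noise; the two-hit threshold on an identical peer is what separates a repeating exfiltration pattern from such coincidences.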

The researchers described MisoSMS as one of the largest mobile botnets to use modern botnet techniques and infrastructure, writing in the blog post: "MisoSMS is one of the largest mobile botnets that leverages modern botnet techniques and infrastructure. This discovery, coupled with the other discoveries from FireEye, highlights the importance of mobile security and the quickly changing threat landscape."

According to the company, many of the email addresses that received the stolen SMS messages were being accessed from mainland China and Korea.

The company said it had worked with law enforcement agencies to shut down the email accounts, and added that there was no evidence yet of new accounts taking their place.