
Mobile Threat Monday: Legitimate Android Apps Hide Text Message Stealing Trojan

This week, Malwarebytes points us to otherwise benign apps injected with malicious code that steals your text messages.

October 6, 2014
Image via Flickr user Tiago A. Pereira

If you fire up an app on your Android and it appears to be doing what you expect, everything is fine—right? Wrong. Dead wrong. So, so, so wrong. This was painfully illustrated this week by researchers at Malwarebytes, who pointed us toward not one, not two, but three otherwise benign apps that had been repackaged with a Trojan.

The apps in question are Trojanized versions of QuickPic, iNoty, and Bluelight Filter for Eye Care. These apps install and function normally, but have malicious code lurking inside. It's important to understand that legitimate versions of all three of these apps are available on Google Play—presumably malware-free. The attackers simply copied these apps, injected malicious code, and distributed them to victims. Because a repackaged APK has to be re-signed with the attacker's own key, its signing certificate will never match the one on the Google Play version; that mismatch is the quickest way to tell a copy from the original.

SMS Snatchers
Malwarebytes says that the apps in question aren't available in any app store, but are instead hosted on the cloud-based file sharing service Baidu Cloud. We've seen similar attacks that use Dropbox and other services to host and spread malware, but it's a bit ironic here because Baidu also makes antivirus software. This just illustrates that attackers will abuse any available tools to spread their malicious creations.

Once installed, the apps appear to function normally on the victims' Android devices. But the injected, malicious code is already hard at work monitoring incoming SMS messages. Malwarebytes told Security Watch that the malicious apps forward some messages from victims' devices and kill background processes. Note that none of this requires root access or an exploit: any app granted the RECEIVE_SMS permission gets a copy of each incoming text via Android's SMS_RECEIVED broadcast, and SEND_SMS or INTERNET is all it needs to pass the contents along.
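The combination described above (an SMS receiver in an app that has no messaging purpose, plus a way to get the message off the device) is something you can check for before installing an APK from outside Google Play. The following is an added example, not code from Malwarebytes or from any of the apps named in the article: it triages a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) for SMS-interception indicators. Both manifests below are constructed for the example, and the package name `com.example.photoviewer` and receiver class `.SmsHook` are hypothetical.

```python
"""Triage a decoded AndroidManifest.xml for SMS-interception indicators.

Added example, not the code of any app discussed in the article. The two
manifests embedded below are constructed; package and class names are
hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that, next to an SMS receiver, point at interception and
# exfiltration rather than ordinary messaging functionality.
SUSPICIOUS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.INTERNET",
    "android.permission.KILL_BACKGROUND_PROCESSES",
}
EXFIL_PERMS = {"android.permission.SEND_SMS", "android.permission.INTERNET"}

# Constructed sample: a photo viewer (hypothetical package) that has no
# business receiving SMS, yet registers a maximum-priority SMS receiver.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <application android:label="Photo Viewer">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsHook" android:exported="true">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: the same app without the injected receiver or permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Photo Viewer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the SMS-related indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}

    # Every receiver whose intent-filter listens for incoming SMS, with the
    # filter priority (malware sets it very high to see messages first).
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(attr(flt, "priority") or 0)
                sms_receivers.append((attr(recv, "name"), priority))

    return {
        "package": root.get("package"),
        "suspicious_perms": sorted(perms & SUSPICIOUS_PERMS),
        "sms_receivers": sms_receivers,
        "high_priority_sms_receiver": any(p >= 1000 for _, p in sms_receivers),
        # An SMS receiver plus a channel to move the text off the device is
        # the pattern behind the Trojan described in the article.
        "likely_sms_interceptor": bool(sms_receivers) and bool(perms & EXFIL_PERMS),
    }


if __name__ == "__main__":
    for label, manifest in (("trojanized", TROJANIZED_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The check is a heuristic: a legitimate messaging app will also trip it, so treat a positive result as a reason to compare the APK's signing certificate against the Google Play copy rather than as proof of infection on its own.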

What's the Big Deal?
Some of you may be wondering what harm can come from messing around with SMS messages, besides inconvenience. The answer is: a lot. While Malwarebytes wasn't clear on what the Trojan does with the intercepted messages, or why it intercepts them, this is not uncommon behavior for Android malware.

To me, the most likely possibility is monetization. We've seen numerous, verging on the innumerable, examples where premium-rate SMS numbers have been used to monetize malicious apps. In this scenario, the infected app signs victims up by sending an SMS from the infected phone, and the interception lets it swallow the confirmation or billing replies so the victim doesn't notice. An additional charge—sometimes large, sometimes small—appears on the victim's bill. It's like those fundraisers that encourage you to donate money by texting a specific number, but used for evil.

SMS messages are also commonly used as a form of two-factor authentication. A bank, for example, might send a one-time code to a user's phone that must be entered before he or she can log in to the account. There are examples of advanced malware, like Zitmo (ZeuS-in-the-mobile), that works in conjunction with PC malware to steal bank logins and then the two-factor codes sent to the phone.

Security companies also see a small, but persistent, amount of spyware on Android devices. These apps are usually installed by jealous spouses to keep tabs on their significant other. I have some pretty strong feelings about this kind of malware (spoilers: I think it's gross). Many of these apps are based on AndroRAT, and can retrieve and send SMS messages from an infected phone. Like the Trojan examined this week, AndroRAT can also be injected into safe applications to easily infect victims' phones.

Stay Safe
To maximize their earnings, attackers have to spread their malware to as many users as possible. But there are many limitations that naturally prevent just anyone from stumbling across a malicious app. First and foremost, the apps profiled this week by Malwarebytes are not on the Google Play store. Remember, if you stick with Google Play you're much less likely to encounter a malicious app, since Google screens submissions and a repackaged copy cannot be uploaded under the original developer's signing key.

Attackers that store their malicious apps on cloud-based file sharing services tend to use spam or phishing messages to direct victims toward the apps. These attacks are limited by language and other factors. Considering that Malwarebytes believes these malicious apps to be of Chinese origin and that they are stored on a Chinese cloud service, it's less likely that our U.S. and European readers will run into these apps.

But you can never be too careful. Be sure to avoid third-party app stores and question every link you receive—even if it appears to be from someone you trust. Lastly, we recommend installing security software on your Android to protect against threats like this. We've reviewed lots of Android security apps and recommend Editors' Choice winners Bitdefender Mobile Security and Antivirus and avast! Mobile Security & Antivirus.
