Security experts warned on Tuesday about what is believed to be the first Trojan targeting Android-based mobile devices that racks up charges by sending text messages to premium-rate numbers.
The Trojan-SMS malware, dubbed “Trojan-SMS.AndroidOS.FakePlayer.a,” is being distributed via an unknown malicious Web site, said Denis Maslennikov, senior malware researcher at Kaspersky Lab.
Users are prompted to install a “media player application” that is a little bigger than 13 kilobytes, but which is hiding the Trojan inside, according to Kaspersky and mobile-phone security company Lookout, which analyzed the threat.
Like all Android apps, the program asks for permission to do certain things upon install. In this case it asks for permission to send SMS messages, with a prompt that identifies it as a “service that costs you money,” as well as to read or delete data and collect data about the phone and the phone ID, Kaspersky and Lookout said.
Once installed, the Trojan starts sending SMS messages behind the scenes that cost several dollars per message, without the device owner knowing it.
It appears to be affecting Android smartphone users in Russia and to only work on Russian networks, Lookout said. “As far as we know, there is no indication that this app is in the Android Market,” Lookout said in a blog post. It was also reported on a Russian smartphone news site.
A Google spokesman provided this statement when asked for comment: “Our application permissions model protects against this type of threat. When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a user’s phone number or sending an SMS. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. We consistently advise users to only install apps they trust. In particular, users should exercise caution when installing applications outside of Android Market.”
Android users must change a default setting to accept apps from outside the Android marketplace.
To tell if you are affected, review your bills for any premium SMS messages. Lookout also suggests that if you have recently downloaded a media player, check the permission to make sure the app is not sending SMS messages.
The company recommends that smartphone users only download apps from trusted sources, and avoid downloading media player files that request permission to access your text messages, particularly if they want to send messages from the phone.