Security researchers have discovered a new Android malware family that is being distributed through SMS spam. After infecting a victim's device, the malware quietly steals money straight from the victim's bank account.
FireEye's researchers named the family RuMMS and found that it targets only users in Russia. The first infections were seen on January 18, and the campaign is still running.
According to FireEye, RuMMS has infected at least 2,729 victims since it was first seen: 380 in January, 767 in February, 1,169 in March and another 413 in April.
RuMMS does not rely on a sophisticated distribution chain: there are no zero-day vulnerabilities, no Web-based exploits and no malvertising.
Instead, the attackers rely on basic social engineering: a plain SMS lures the victim to a website with the promise of viewing an MMS message supposedly sent by a friend.
The website then asks the user to download an app in order to view the MMS; that app is the RuMMS malware. On installation it asks for device-administrator privileges, which most users grant without a second thought. Those rights also make the app much harder to remove, since a device administrator cannot be uninstalled until its admin status is revoked.
Once installed, the malware hides its launcher icon, begins collecting data about the device and its owner, and sends that data to a command-and-control (C&C) server.
From there, RuMMS behaves as a fully-fledged banking trojan. It queries various online banking services to find out whether the user holds accounts with them and attempts to authenticate using credentials found on the device.
The trojan can also intercept SMS and voice-based two-factor authentication codes. A second factor delivered to the same phone the malware controls offers no protection, so this step lets the attackers get past the out-of-band checks banks rely on.
According to the researchers, RuMMS never stole more than 600 rubles (about $9 / €8) from its victims. Keeping the sums small lets the thefts blend in among the victim's ordinary card transactions, which are often of similar size.
To reach as many devices as possible, RuMMS also reads the victim's contact list and sends the same lure SMS the victim received earlier to every contact.
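The capabilities described above (device-administrator request, SMS interception, contact harvesting plus mass SMS, network exfiltration) all leave traces in an APK's AndroidManifest.xml, so a first-pass triage of a suspicious "MMS viewer" download can be done statically before running anything. The script below is an added example, not FireEye's tooling or any RuMMS indicator set; the manifest it parses is constructed here to exercise the checks and is not a real RuMMS sample, and the heuristics are the author's own mapping of the article's behaviours to permissions and components.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """ElementTree key for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest modelled on the behaviours the article lists.
# It is NOT a real RuMMS manifest; package and class names are invented.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mmsviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="MMS Viewer">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin"
                       android:resource="@xml/device_admin"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def extract_capabilities(manifest_xml):
    """Pull the permission set, declared intent actions and the two
    component types that matter here out of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}
    actions = {e.get(_a("name")) for e in root.iter("action")}
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and listens
    # for DEVICE_ADMIN_ENABLED; either marker is enough to flag it.
    device_admin = any(
        r.get(_a("permission")) == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    ) or "android.app.action.DEVICE_ADMIN_ENABLED" in actions
    sms_receiver = "android.provider.Telephony.SMS_RECEIVED" in actions
    return {
        "package": root.get("package"),
        "permissions": perms,
        "actions": actions,
        "device_admin": device_admin,
        "sms_receiver": sms_receiver,
    }


def triage(manifest_xml):
    """Return human-readable findings for the capability combinations the
    article describes. An empty list means none of them were seen."""
    caps = extract_capabilities(manifest_xml)
    perms = caps["permissions"]
    findings = []
    if caps["device_admin"]:
        findings.append("requests device-administrator rights (hard to uninstall)")
    if caps["sms_receiver"] or {"android.permission.RECEIVE_SMS",
                                "android.permission.READ_SMS"} & perms:
        findings.append("can read incoming SMS (one-time codes exposed)")
    if {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        findings.append("can send SMS to the whole contact list (self-propagation)")
    # Network access alone is normal; only report it alongside other findings.
    if "android.permission.INTERNET" in perms and findings:
        findings.append("has network access to exfiltrate collected data")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print("-", line)
```

In practice the manifest inside an APK is binary XML, so run it through a decoder such as `apktool d` or `aapt dump xmltree` first; the parser above expects plain text. None of these indicators is proof of malice on its own (a legitimate SMS app needs RECEIVE_SMS and a corporate MDM client needs device admin), but an app that claims to be a simple MMS viewer and matches all four at once is exactly the pattern worth a closer look.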
This means the operators do not need lists of phone numbers of their own; the malware propagates by itself, much like a classic worm.
FireEye reports that it has detected around 300 different RuMMS samples so far, and that all the domains that once hosted the malicious APK no longer serve malicious content.