The mobile trojan Android.SmsSpy first appeared in April 2014. Initially it was distributed by SMS spam and its objective was to intercept two-factor authentication calls and messages. Now it has graduated, coming back refitted to phish for bank card details. It does this by presenting a fake Google Play Store panel, or in some cases mimicking a Russian bank log-in interface.
The trojan has been constantly re-released with updates; the most dramatic was noted at the close of 2015. The Russian security firm Dr. Web has been tracking the malware and found last year that the capability to phish for international banking credentials had been added; the pop-up phishing interface could be customized by the hackers to mimic the user’s specific bank. Also added was a screen-locking ransomware facility.
The malware’s distribution model was also upgraded from spam to a fake app masquerading as an Android version of Adobe Flash Player.
The Android.SmsSpy88 version is full of new, dangerous features, but it requires administrative privileges and a constant connection to the net. The user must accept the (fake) Adobe screen to grant privileges to the trojan.
The connection is required to contact and receive instructions from a command-and-control (C&C) server. Dr. Web researchers claim to have detected over 50 master servers which control at least as many botnets. This is one very well-connected trojan!
The networks of botnets exist because Android.SmsSpy88 is for hire – ransomware as a service (RaaS) has hit the road and gone mobile. The creator of the trojan and networks has been rolling out an extensive advertising campaign on the Dark Web, offering the use of his mal-infrastructure to other criminals.
According to Dr. Web’s stats, the trojan has so far infected at least 40,000 mobile devices in 200 countries. The most affected of these was Turkey, which accounted for nearly 20% of infections, with India, Spain, Australia, Germany and France following. Android version 4.4 has taken most of the hits (35.7%), though Android.SmsSpy88 has infected nearly all versions from 2.3 to 5.2.
“Android.SmsSpy.88.origin acts not only as a banking Trojan and a spyware program but also as a ransomware Trojan, allowing attackers to make more money on gullible users,” Dr.Web commented.