A Trojan hiding in a legitimate-looking app is circulating through third-party Android app stores in China, taking thousands of users hostage while netting its creators up to $9,000 a day in fraudulent charges.
Known as "RootSmart," the Trojan embeds itself in a rigged Android app called com.google.android.smart, which has the same icon as the app used to configure Android phone settings. According to Xuxian Jiang, the North Carolina State University professor who discovered it, RootSmart, once an Android user unknowingly downloads it, sits dormant on the device, waiting for the victim to make a call or send a text.
Once initiated, RootSmart automatically begins delivering its payload, which includes harvesting the phone's operating system version number and IMEI number (a unique device identifier) and transmitting this stolen information (in an encrypted file to prevent reverse engineering) to a remote command-and-control server. It also automatically sends text messages to premium-rate numbers and connects to high-priced video pay-per-view sites.
"After that, RootSmart will download the GingerBreak root exploit from the remote server and then launch it to obtain root privileges on infected phones," Jiang wrote. (GingerBreak is a hacking tool used to root Android devices — to remove manufacturer-installed software.) "After obtaining the root privilege, RootSmart will download additional (malicious) apps from its C&C server and install them to the system partition unbeknownst to users."
Google did not immediately respond to an email for comment. It's important to note this Trojan was found in unlicensed app stores in China, not in the legitimate Android Market.
Symantec also looked into the deceptive Android Trojan, and found that it infects and compromises between 10,000 and 30,000 devices a day.
Of course, as with nearly all malware, it's money, and lots of it, that keeps it going: premium-rate texts cost between 15 and 30 cents per message, Symantec said. Over a year, with thousands of devices infected, the numbers add up, netting the mobile malware authors between $1,600 and $9,000 per day, or up to $3.3 million a year.
There are some ways to keep your Android smartphone safe from Trojanized apps. Never download an app from anywhere but the official Android Market, and even then, always check the reviews and ratings, as well as the developer information, to make sure it's legitimate.
Make sure you are comfortable with the access an app requests, and if you spot your phone acting suspiciously — downloading files without your permission or sending texts — remove the offending app. To make sure you always put up a fight against evil apps, keep your phone outfitted with a mobile anti-virus software product, a list of which can be found here.
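The advice above, to look at what an app asks for before trusting it, can be applied mechanically to an app's manifest. What follows is an added example, not code from the article, from Symantec or from Jiang's research: it parses a decoded AndroidManifest.xml and flags the permission combinations that match the behaviour the article describes (sending texts plus network access for premium-rate fraud, reading the IMEI plus network access for exfiltration, and registering to wake on calls, texts or reboot). The two manifests are constructed for illustration; only the package name com.google.android.smart comes from the article, and the rule names and the analyze_manifest function are this example's own. It assumes the manifest has already been decoded from binary AXML (with a tool such as apktool or aapt) into plain XML.

```python
import xml.etree.ElementTree as ET

# Android attributes in a decoded manifest live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each rule names a combination of permissions that, taken together, matches a
# behaviour described in the article. One permission alone is rarely damning;
# the combination is what a reviewer should be uncomfortable with.
# (Rule names are this example's own, not an Android or vendor taxonomy.)
RISK_RULES = {
    # send premium-rate texts and reach a server that supplies the numbers
    "premium_sms_fraud": {
        "android.permission.SEND_SMS",
        "android.permission.INTERNET",
    },
    # read the IMEI (READ_PHONE_STATE) and ship it to a remote server
    "device_id_exfiltration": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.INTERNET",
    },
}

# Broadcast actions a dormant app registers so that a call, an incoming text
# or a reboot wakes it up, the trigger the article says RootSmart waits for.
WAKE_ACTIONS = {
    "android.intent.action.NEW_OUTGOING_CALL",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.BOOT_COMPLETED",
}


def analyze_manifest(manifest_xml):
    """Return permissions, wake-up triggers and risk flags for one decoded
    AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    permissions = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    } - {None}
    triggers = {
        el.get(ANDROID_NS + "name") for el in root.iter("action")
    } & WAKE_ACTIONS

    flags = [name for name, needed in RISK_RULES.items() if needed <= permissions]
    if triggers and "android.permission.SEND_SMS" in permissions:
        # can send texts, and has arranged to be woken by phone activity
        flags.append("sms_capable_and_wakes_on_phone_activity")

    return {
        "package": root.get("package", ""),
        "permissions": sorted(permissions),
        "triggers": sorted(triggers),
        "flags": flags,
    }


# Constructed manifest for a Settings look-alike; the permission set and the
# receiver are illustrative, not taken from the real sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.google.android.smart">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Settings">
    <receiver android:name=".Wake">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a harmless offline utility: one permission, no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notepad">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Notepad">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(manifest)
        print(report["package"], "->", report["flags"] or "no flags")
```

A flag from this check is a reason to read the reviews and developer details more carefully, not proof of malice: a legitimate messaging app also holds SEND_SMS and INTERNET. Note too that a package name under com.google.android.* proves nothing by itself; anyone can choose it, so the signing certificate, not the name, is what ties an app to its publisher.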