After a public outcry and a write-in campaign failed to convince the creators of ‘Dog Wars’ to discontinue work on their app, it appears that protester(s) have now taken to targeting the users of the app directly in order to get their message across. Symantec has discovered that a Trojan code was planted into an older version of ‘Dog Wars’ (Beta 0.981) that can still be found circulating on warez sites. This version has not been found on the official Android Market.
Agreement by the user to grant the permissions requested by the app (which will include SMS permission) will allow for the the app to be installed. Upon installation, the display icon of the legitimate app looks almost identical to that of the app that has been bundled with the Trojan (on devices with a screen size of 3 – 3.5 inches). In fact, they looked so similar, we almost failed to spot this one difference several times; but closer inspection into the icon of the app containing the Trojan revealed that it actually says ‘PETA’ rather than ‘BETA’ in the app icon.
Internally the Trojan code has been injected as a package called ‘Dogbite’. Once a compromised device starts up, a service called ‘Rabies’ is initiated in the background, which carries out the core functionality of the app.
Once started, the service proceeds to send out a text message to everyone on the contact list of the compromised device with the following message: “I take pleasure in hurting small animals, just thought you should know that”
The final action carried out by the service is to send an SMS message to “73822” with the single word “text”.
After a bit of researching, we have established that this was an attempt to sign up the compromised device (only works in the US) to a text/alert service operated by PETA. (Instructions for users to unsubscribe themselves can be found here) In spite of the fact that few clues have been left behind, we have no reason to believe that PETA had anything to do with this app, and that it is most likely the work of someone attempting to associate the app with PETA or to gain sympathy by the association. Symantec is detecting this threat as Android.Dogowar.