The recent discovery of an Android SMS spam botnet by Cloudmark, which is detected by Symantec as Android.Pikspam, has gained media attention. While delivering spam by botnets is nothing new, mobile technology has opened up new attack vectors to cybercriminals who are using the proven attack techniques of social engineering and spam with success on mobile devices.
The attack consists of SMS messages advertising free versions of popular games, or possibly to inform you that you have won a prize. Unsuspecting victims who receive the text messages and follow the link can download a Trojanized app from a third-party website. To activate, a victim is required to click an icon (like the one shown below). The Trojan installation is hidden from the user and traces of its presence removed while it installs the legitimate app onto the user device. Victims only see the advertised app, duping the victim into believing that all is safe.
Figure 1. Trojanized app icon
Once active, the Android.Pikspam Trojan will continually connect to a command-and-control (C&C) server and retrieve text for SMS spam messages along with a list of phone numbers. SMS text messages similar to the one the victim received are then sent from the victim device to the phone numbers previously retrieved, a report is sent back to the C&C server, and the cycle begins again to further spread the Trojan:
Figure 2. Android.Pikspam attack sequence
Known Android.Pikspam C&C servers include the following:
The migration of successful attack techniques from computers to the mobile platform has been predicted by many and a trend we will continue to see. If you receive SMS spam, you can forward it to 7726 (S-P-A-M). Also, to stay safe, Symantec recommends you only download apps from well-known and trusted app vendors and install a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. For general safety tips for smartphones and tablets, visit our Mobile Security news site.