Aug 10 AT 12:52 PM Justin Shapcott 35 Comments

Kaspersky reports Android’s first SMS-based trojan

According to Russian security firm Kaspersky, Android has been hit by its first SMS-based trojan. Claiming to be a media player, the offending 13KB Android Package (APK) requests permission to send SMS text messages on behalf of the user.

Once installed, the application then proceeds to send premium rate SMS text messages without further consent from the user. Of course, the important word to note here is “consent” because, as with other Android applications, this application specifically requests permission to use this feature, but then exploits it once granted. This can result in extremely high phone bills if not detected early.

Kaspersky did not release the name of the specific application, and I suspect that there are (or will be) others that have simply not been discovered yet. As such, I can only recommend that we all do an audit of our installed applications (and possibly our phone bill) to make sure nothing unexpected is going on.

At this point, I must also reiterate something we have discussed several times here at Android and Me – Watch those permissions!

In several previous articles here the topic of permissions and the potential for their misuse has been addressed and has sometimes been met with surprisingly nonchalant responses. From these responses, it would appear that these people believe all users operate their smartphones in a secure way and only grant permission to applications they trust. The truth is, many (if not most) users don’t put enough thought into the permissions during the installation process, despite it being an important opportunity to know what an application plans to do, and to protect yourself from it. Again, we can’t say it enough: Watch those permissions!
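An added example (not from the original article or from Kaspersky): one way to run the audit suggested above is to dump each APK's requested permissions with `aapt dump permissions` and flag any app that asks for SMS or call permissions without an obvious need. The sample dumps, package names and the `expected_senders` allowlist are constructed for illustration.

```python
import re

# Permissions that let an app spend the user's money without further prompts.
COST_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}

# Matches both output styles of `aapt dump permissions`:
#   uses-permission: android.permission.SEND_SMS
#   uses-permission: name='android.permission.SEND_SMS'
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?")
_PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?")


def parse_dump(text):
    """Return (package_name, set_of_permissions) from one aapt dump."""
    package, perms = None, set()
    for line in text.splitlines():
        line = line.strip()
        m = _PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = _PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def audit(dumps, expected_senders=frozenset()):
    """List (package, cost permissions) for apps not expected to hold them."""
    findings = []
    for text in dumps:
        package, perms = parse_dump(text)
        risky = sorted(perms & COST_PERMISSIONS)
        if risky and package not in expected_senders:
            findings.append((package, risky))
    return findings


# Constructed sample dumps; the package names are made up for illustration.
SAMPLE_DUMPS = [
    "package: com.example.mediaplayer\nuses-permission: android.permission.SEND_SMS\n",
    "package: com.example.messaging\nuses-permission: name='android.permission.SEND_SMS'\n"
    "uses-permission: name='android.permission.READ_CONTACTS'\n",
    "package: com.example.puzzle\nuses-permission: android.permission.INTERNET\n",
]

if __name__ == "__main__":
    allow = {"com.example.messaging"}  # apps the user expects to send SMS
    for package, risky in audit(SAMPLE_DUMPS, expected_senders=allow):
        print(f"{package}: review before keeping -> {', '.join(risky)}")
```

A media player that requests `SEND_SMS` is flagged, while the messaging app the user has explicitly allowlisted is not.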

I personally believe that, while Google has done a good job making sure that permission to use certain features be granted by the user, there are opportunities to put more emphasis on this decision by making the permission screen more clear in some cases, possibly adding checkmarks to certain risky permissions, and even allowing for the user to grant only some permissions to an application.

What do you guys think? Is this an isolated occurrence, or something we might see more of?

Via: The Register

Source: Kaspersky

Justin is the founder of and lead developer at nEx.Software.

  • Ebo-girl

    Fabulous. One more thing to be worried about.

  • trojandroid

    people would be surprised how many trojans and worms are on their phones, permissions or no permission. nice article but old news for some of us.

  • ER

    This is good. It just proves the openness of android. Just like you don’t click every stupid flash ad on your pc, don’t download stupid or shady looking apps on android. And this isn’t a security problem with android, the permissions were clearly stated

    • Justin Shapcott

      You are correct, it is not a security flaw with Android. This is a reminder that we need to be careful with our phones as much as (if not more than) with our PCs.

  • derek

    Get an iphone, no need to worry about viruses, trojans, or worms.

    • Merlin

      Ya all ya gotta worry about is that you might not be able to get an app running cause Big Brother doesn’t like it.

      • Justin Shapcott

        No, no, that’s not true… You also have to be careful about PDFs.

        • Chris

          4.0.2 took care of that.

          I do think the app approval process is subject though. But, it does keep nefarious programs like this “sms trojan” from appearing in the app store.

          • Daniel

            More or less, just look at how they let a flashlight app with a hidden tethering feature slip by. If they were actually that rigorous (instead of simply opening up the app and looking at it) there’s no way they’d have let that go under their noses.

            Anyway, far from perfect, but more secure than what we have on Android, indeed.

    • The_Omega_Man

      That’s because you can not do anything with an iPhone, nor can Anyone else!

      Oh and BTW iOS is, by design, and (DOS) Trojan! ;P

    • Droideka

      No you just have to worry about PDF documents taking over your iPhone…

    • Inspiron41

      you do realize you can jailbreak the iphone by just visiting a website? That’s how they jailbreak the iphone and ipad in the Apple Store. That freakin scares me more. imagine what someone with malicious intent can really do if they wanted to with the iphone/ipad..

    • Yoshiro Rindoji

      Stupid. Iphones are worse than androids.

      Stupid money eater.

  • Gomez

    I would be one of those dumb ass people that downloads app without looking at the permission I’m granting, but this will make me more aware. thanks guys, I’m sure it’s Apple trying to exploit this issue. It makes google bad, but like we have said before google needs a way to control apps a better way.

  • Alakar

    I will definitely be watching the permissions screen more closely. I also think it would be a great idea to have check marks next to the permissions. Some manual interaction during installation would be a good way of increasing awareness.

  • Richard Hoefer / twitter/

    I just want to say – on a tangential note — major hats off to Angie Strickland – your Designer – for her super clean and striking layouts! Your site, and its visual design is amongst the cleanest, freshest, and just visually communicative of all touchscreen industry sites — and there are a ton of them out there competing in the wild. She has done a tremendous job in the branding of your site, and establishing just a much higher degree of sophistication and publishing quality than any of the other sites I visit — And this includes the “big boys” who have money coming out of their ***es , engadget and gizmodo.

    So, cheers to Angie — and if you had any design assistants who did today’s layout, then this goes out to that person as well.

    One final note, since I dont post to blogs often.. I subscribe to your twitter channel, and I noted earlier today that y’all OFTEN do not include a link in your tweets. This is actually a small disappointment, especially in light of how you blow the competition away in the core content and presentation on your site itself. Given that Most people no longer can just hang out on even their favorite blogs — and now rely upon TWITTER as their primary discovery channel for news headlines, articles, opinions and analysis of interest, it’s really important , I feel, to always, and I mean ALWAYS, include a link in your tweets,– that is when you’re asking a question about content, as you have done often.

    I’m a UX designer by trade — and the fact that you don’t do that is peculiar. I don’t know if that is some editorial policy you actually discussed, or if it is just the LACK of an editorial policy. But I strongly encourage you to always always include the link. In this regard, I cannot think of a better GOOD example than ReadWriteWeb … Crisp headlines/ or questions / and links . makes all the difference in the world.
    My 2 cents. But remember — this was primarily about major praise for angie’s visual communication talents!

    • Angie Strickland

      Wow! This truly makes my day. I always enjoy creating/designing for the site, but when you hear about how others are able to appreciate it too, it means a lot! Thank you for going to such lengths to call me out – again glad you like the work!

      As far as our tweets, we definitely agree on how much it helps get the news out when we have links. We usually tweet every one of our stories with a link back to the post. Maybe you caught us on a day where we have more tweets in reply to others, versus our usual content pushes. Either way, it is really cool of you to want to make sure we are doing the best for the site.

      Thanks again for your comment!

      • Richard Hoefer / twitter/

        Hey Angie, thanks for replying. I love design. In all media.

        You gotta admit it’s getting harder and harder to distinguish oneself on the web in the post 2.0 era where layouts are so uniform — I mean let’s face it … even here, there are formats that are fairly tried and true, and once the formats are optimized– it gets harder and harder to distinguish between sites. That means DETAILS DETAILS DETAILS — and the specific choices you use to illustrate your stories. It’s always clean here — whatever it is that illustrates the main story, it reads as a design anchor for the whole page.

        Anyway, I notice.

        So — IF YOU DARE … tell me YOUR thoughts re how layouts get resolved as the defacto standards of the day. In some respects they are, theoretically, major constraints on the freedom of a designer to mix it up and imprint on the use a boldly unique presentation scheme. But, there is also “selective adaptation” going on in web design as with human evolution. As a UI/UX guy for almost 20 years now, I have seen, and been part of, so many things have, in various 5-10 phases worked themselves out into becoming UI standards. All the right side nav systems were tried, all the funky bottom nav systems or circle systems or what have you. Ultimately it got worked it through pure usability crunching — that category nesting was either going to happen at top of left — that’s it. And if you break that system, you better be doing a BMW marketing site or other special purpose one-off, vs hooking users into using site on a regular basis.

        I’m not quite sure who should be credited with the 4 or 5 (or 6) image promo rectangles across the top. We saw those for years, but not in a standardized way as they are now used EVERYWHERE… I’m just throwing out a site or two like iLounge — they were certainly doing it before most… But now it is, effectively a “standard” for a tech blog/news site — promo promo promo promo promo FEATURE and rotate.

        Nothing about it is new at all. Magazines have done it for a century. And TV has done it since the 70′s once inset graphics became possible.

        I guess what I am getting at is this:

        There’s the engadget paradigm now, including that “interest meter” thingamajig in the right column which y’all have adopted too. This is nothing negative. It’s part of the framework I am laying down to get your comment… BEST OF BREED UX has been puzzling itself together, piece by piece, element by element — and with the various social media tools finally whittling down to about or 5 (CORRECTION: on the better sites it’s finally collapsing down to about 4or 5, thank god! vs that stupid array of 30 or 40 miniature “repost it here” icons which finally finally not a moment too soon is biting the dust. I am harsh in that respect. It’s about time most of them go away. In my world view of UX, just because they exist is no good reason they should be patronized)

        Ooops, i note i have been on my high horse, pardon me. I had a long day. But there was always a question here, and here it is: SO, within all these evolving constraints, it’s harder and harder to DISTINGUISH and have a unique brand personality — So that’s why i gave you kudos.. From the logomark to your choices of illustrations, to the small details, you are using the somewhat minimal moveable tools you have at your disposal to keep it fresh and “yours”.

        So — there you go — its’s a two-fer — 2 days in row of design call outs!

        Are y’all in Austin? Somehow i thought i read that. and i see that BBQ thing that’s in austin… just askin since i went to UT years ago but haven’t been to austin in years. It was just becoming a tech center when I left for L.A. — then to SF … anyway, keep up the good work… and now like a lunar eclipse, maybe you’ll see me in another 5 years hah hah! As you can see — i am a rebeller against twit culture — i think i have just come up with a new name, i am sure it is taken: verbo

        Thats for verbose — diametric opposite. (goes to check domain reg… maybe i will buy that domain and convert the whole world to verbosity– hah hah, fat chance, everyone tells me to shut up)

  • anand

    This looks like here here the start. Detailed manual information during the installation would definitely help. I have always installed apps recommended here, does that help?

  • Steve

    Does anyone find it ironic that Kaspersky reports this trojan but their Mobile Security only covers Symbian and Windows Mobile OS? Not Android? Hmmmmm?

  • Andrew

    Misleading title?

    Is it just me, or does the title imply that this trojan is installed or infected via SMS?

    You have to install an application (an APK file) in order for this trojan to send SMS messages. I would NOT call this an SMS Based trojan; it is a Trojan that sends SMS messages.

  • n1

    Weak. No link to the source reference, no mention of the application, and no suggestions for ways to avoid it? I expect more from Android and Me.

    Application name is “Movie Player”.

    • Justin Shapcott

      At the bottom of the story there is a link to both Kaspersky and The Register, which served as sources for this story. Ways to avoid it are also described in the article, which you clearly did not read… Did you just want to post your link?

    • Ryan

      Fail. Clearly you missed the links at the bottom, but besides the obvious, the article sparked you to look into the problem. Had you not read this, you may not have ever seen it. So the article’s purpose was fulfilled.

  • dude

    I really like the idea of being able to install an app, but deny it some of the permissions it is trying to request. A lot of the casual games want the coarse location permission when they clearly only use it for targeted ads. I don’t mind ads, I just don’t want the advertisers tracking my movements.

  • chewtoy

    I, for one, would pay for a market service from a 3rd party where that 3rd party approved apps as secure and trustworthy. Make fun of Apple all you want, but that’s exactly why they only allow apps through the app store — they want the platform to be trusted. And for the most part it works.

    Google seems intent upon recreating all the security short-comings of Windows 7. While its approach is state-of-the-art in terms of giving users the opportunity to protect themselves, the model is fundamentally flawed — users don’t *want* to believe apps are dangerous. They *want* to click install no matter what.

    I’m a security professional and a sometimes programmer, and even I find it painful to cancel an install for an app I was excited to get. I would much, much rather have access to a market where I could know that someone else was reviewing all the apps for security and reviewing all the app updates as well. (Really don’t need appX updating itself after the review process or running downloaded code to bypass the review.)

    And Trojandroid, it would sure be nice if you would step forward and help make a big fuss about the trojans you know about — there’s no time like the present to get public scrutiny on security concerns.

  • @brykins

    The issue here is that (I am guessing) maybe 10% of Android owners read web sites like this. The vast majority are people that want a smartphone, or a phone with “apps” but who can’t or won’t go with an iPhone. And this includes a LOT of younger people who can’t afford an iPhone so an Android is a cheaper alternative.

    These guys will simply NOT read this and they also won’t check permissions, etc. They will assume that everything in the Market is safe just like Apple’s App Store. Google MUST do something about this – I don’t agree with Apple’s lock-down on their OS, but if Google and the phone manufacturers want mass take-up of Android devices then they have to sort out this potentially major problem.

  • Kinslayer

    One could change Android to allow only SMS’s to numbers in the user’s phonebook… but I think knowing what’s on your phone is the better way to go.

  • dave

    I’d like a way of stopping people from installing apps on my phone. It’s great that it’s running linux, but when I hand my Desire to my daughter to play Drop or whatever, it’d be great to know that she’s incapable of installing some other crap on it using the only user account possible.

  • deckrider

    I wonder if the “IM” application pre-installed by T-Mobile counts in this category.

    I stupidly didn’t realize it wasn’t using my data plan (uses SMS messages instead) when I had a short chat on Yahoo with a friend. Until I saw the extra $20 it cost me on my bill and researched why…

  • mirek

    wow, im glad i found this site. I wondered if trojans could hit phones. The ‘help and installation’ info that comes with the phone HTC desire.., is pretty poor and mentions NOTHIN about security.., pretty un/convenient.?

    is there an AV for the phone at all. mine does odd things at times but all computers do and smart phones.., so far are smarter than me im only new to them.

  • Marcus

    You are all idiots, Kaspersky has a hidden trojan in it!


  • resor erbjudanden

    actually enjoyed the article you published actually. it just is not that easy to find even remotely good text to read (you know.. READ and not just browsing through it like some uninterested and flesh eating zombie before going somewhere else), so cheers mate for really not wasting my time! ;)

  • Dohn Joe

    There is a list of all the infected “approved” marketplace apps is here: