AdaptiveMobile has discovered a previously unknown piece of mobile malware dubbed
Selfmite.
The malware spreads via SMS and fools users into installing a worm app which propagates by automatically sending a text message to contacts in the infected phone’s address book. The worm then requests users to install another legitimate app via an advertising platform; the author of the worm is paid every time this legitimate app is successfully installed.
AdaptiveMobile has detected infected devices on operator networks in North America and is blocking the spread of messages containing links to the worm. The worm was first discovered in the US where the worm seems concentrated, but activity has also been recorded from a dozen countries worldwide.
The worm spreads by sending users the following SMS which contains a URL that redirects to the malware: ‘Dear [NAME], Look the Self-time, http://goo.gl/[REDACTED]'. If a user clicks on the goo.gl shortened link, they are invited to download and install an APK file which appears as an icon on their smartphone menu, after installation.
Once launched, Selfmite immediately reads the device’s address book for a name and phone pairing and sends the message to 20 different contacts using the name as a greeting. After sending the malicious SMS messages to the new potential victims, the user will be invited to download and install Mobogenie which is a legitimate app for managing and installing Android apps.
“There is a monetisation aspect to this worm. To redirect users to the Mobogenie app, the Selfmite worm uses an advertising platform, therefore we believe that an unknown registered user of the advertising platform abused a legal service and attempted to increase the number of Mobogenie app installations using malicious software,” said AdaptiveMobile’s Denis Maslennikov.
In addition to impacting users billing plan, by automatically sending spam messages, the worm puts the infected device in danger of being blocked by the mobile operator. AdaptiveMobile has contacted Google and the malicious URL has already been disabled.
To learn more specifics visit AdaptiveMobile at the link below.