Is This Your Photo? No, It’s SMS Spam With Mobile Malware

One of the most important concerns of Internet users is privacy. For this reason one of the most effective phishing attacks is to claim that someone’s video or photo is public; thus the victim cannot resist clicking on the malicious link. Recently some people from Singapore (country code +65) have reported a new SMS spam campaign with the message “Is this your photo?” and a specific URL:

[Image: the "Is this your photo?" SMS spam message. Source: DKSG]

The message comes from a contact who was previously infected with the malware and includes the name of the receiver to increase its credibility. The URL included in the message is hidden using a shortening service and redirects to the control server that hosts the malicious application. Once the shortened URL is clicked, the file PhotoViewer.apk is downloaded. If the application is installed, the following icon appears in the home launcher:

[Image: the Photo Grid icon shown in the home launcher]

The icon belongs to the popular legitimate application Photo Grid, which is available on Google Play. If the recently installed application is opened, the following image related to Photo Grid appears in full-screen mode:

[Image: the Photo Grid image shown in full-screen mode]

And that’s all! Apparently no other functions were implemented beyond showing these images. However, if we try to execute the application again, we find that the icon in the home launcher is gone. Does that mean that the application was uninstalled? Not really. We can find it in Settings -> Apps:

[Image: the application listed under Settings -> Apps]

So what is this app doing in the background? If we wait for a couple of minutes, the mystery will be revealed:

[Image: several full-screen ads displayed by the application]

The main purpose of this malware is to obtain as much money as possible from clicks on full-screen ads that appear constantly, served by several advertisement modules bundled inside the application.

In addition to this payload, the malware has a mechanism to dynamically send SMS spam based on parameters provided by the control server and using the contacts stored on the device and the SIM card. (The isDebug flag is always false):

[Image: the SMS spam routine, with the isDebug flag]

So far we have seen the URLs hxxp://url7.me/tiNk1 and hxxp://url7.me/NwVk1 (both currently down) and the text “Is this your Photo?” used in the SMS spam campaigns. However, because these parameters are sent from a remote server, they could change at any time (possibly leading to more dangerous threats such as ransomware) if the control server comes back online or if a new variant, with a new server, is released in the wild. Another parameter retrieved from the remote server is “total,” which defines how many randomly selected contacts will receive the SMS spam.
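As an added example (not code from the original post), here is a small Python heuristic a defender could run over outgoing-SMS records from a device-management or carrier log to spot this campaign: it flags message bodies carrying the lure text plus a url7.me link, and flags any device that sends one shortened-URL body to many distinct contacts within a short window, which is the burst the "total" parameter produces. The record format, the threshold, the window and the sample phone numbers are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the post: the lure text and the url7.me shortener host.
LURE_RE = re.compile(r"is this your photo\??", re.IGNORECASE)
SHORTENER_HOSTS = {"url7.me"}  # extend with other shortener domains as needed
# Accepts both live (http) and defanged (hxxp) URLs so the post's IoCs match.
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^/\s]+)", re.IGNORECASE)


def has_shortened_url(body):
    """True if the body contains a link whose host is a known shortener."""
    return any(m.group(1).lower() in SHORTENER_HOSTS for m in URL_RE.finditer(body))


def matches_lure(body):
    """Signature check: lure phrase AND a shortened link in the same message."""
    return bool(LURE_RE.search(body)) and has_shortened_url(body)


def find_spam_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """records: iterable of (sender, recipient, timestamp, body) for outgoing SMS.
    Returns {sender: recipients} for senders that pushed the same shortened-URL
    body to at least `threshold` distinct recipients inside `window`."""
    by_sender_body = defaultdict(list)
    for sender, recipient, ts, body in records:
        if has_shortened_url(body):
            by_sender_body[(sender, body)].append((ts, recipient))
    flagged = {}
    for (sender, _body), hits in by_sender_body.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            recipients = {r for t, r in hits[i:] if t - start <= window}
            if len(recipients) >= threshold:
                flagged[sender] = recipients
                break
    return flagged


# Constructed sample (assumed numbers): one infected device blasting the lure to
# six contacts half a minute apart, plus one benign message that also has a link.
T0 = datetime(2014, 5, 1, 9, 0)
SAMPLE = [("+6591110001", f"+659111{n:04d}", T0 + timedelta(seconds=30 * n),
           "Alice Is this your Photo? hxxp://url7.me/tiNk1") for n in range(6)]
SAMPLE.append(("+6591110002", "+6591110003", T0, "Lunch? http://example.com/menu"))

if __name__ == "__main__":
    print(find_spam_bursts(SAMPLE))
```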

A previous variant of this malware on Google Play pretended to be the famous game “King of Fighters” uploaded by the developer 8stars:

[Image: the "King of Fighters" listing on Google Play by developer 8stars]

Fortunately, the number of installs of this malware was very low (from 100 to 500) before it was removed from Google Play; but taking into account the new variant recently released in the wild, it seems that the malware authors are starting to use other methods and themes to distribute this threat.

McAfee Mobile Security detects this Android threat and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit this link.
