Selfmite.b, the Android SMS worm first reported in late June and built to make money through affiliate marketing, has been spotted using a new and more aggressive scheme than the earlier version.
The worm spreads through the SMS service of infected devices, and its creators have found a new way to deliver it: analysts have now found that it injects code into the original Google Plus application.
Once installed, the malware starts sending text messages to every contact in the device's contact list; each message carries a URL shortened with GoDaddy's x.co service that leads to the application.
When Selfmite.b has messaged every contact in the list, it starts the process again, which can drive up the victims' phone bills. The Selfmite.b threat is known to have sent about 150,000 text messages from more than 100 infected devices in 16 countries in no more than ten days.
This version of the malware includes several changes, which essentially means that its creators have become more coordinated and are trying to get the most out of it.
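As an added example (not from the article or from Adaptive Mobile), the following defender-side heuristic runs over constructed outbound-SMS records and flags the pattern described above: one device fanning a shortened x.co link out to many distinct contacts and then looping back over them. The log format, the sample numbers and the thresholds are assumptions made for this demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The article names GoDaddy's x.co shortener; extend the pattern for other services.
SHORT_LINK = re.compile(r"https?://x\.co/\S+", re.IGNORECASE)

# Constructed sample records ("<ISO timestamp> <sender> <recipient> <body>"):
# device +1000 fans one link out to five contacts and then loops back to the
# first one; +2000 sends a single shortened link, which is normal and must not
# be flagged; +3000 sends no link at all.
SAMPLE_LOG = """\
2014-10-06T09:00:01 +1000 +1001 hey, check this http://x.co/abc12
2014-10-06T09:00:02 +1000 +1002 hey, check this http://x.co/abc12
2014-10-06T09:00:03 +1000 +1003 hey, check this http://x.co/abc12
2014-10-06T09:00:04 +1000 +1004 hey, check this http://x.co/abc12
2014-10-06T09:00:05 +1000 +1005 hey, check this http://x.co/abc12
2014-10-06T09:00:06 +1000 +1001 hey, check this http://x.co/abc12
2014-10-06T09:05:00 +2000 +2001 lunch menu: http://x.co/zz999
2014-10-06T09:06:00 +3000 +3001 running late, see you at 10
"""

def parse_records(log_text):
    """Yield (timestamp, sender, recipient, body) for each constructed log line."""
    for line in log_text.splitlines():
        ts, sender, recipient, body = line.split(" ", 3)
        yield datetime.fromisoformat(ts), sender, recipient, body

def find_sms_fanout(log_text, min_recipients=5, window=timedelta(minutes=10)):
    """Return {sender: finding} for senders that push a short link to at least
    `min_recipients` distinct numbers inside `window`. `repeats` counts
    recipients hit more than once, the sign of the worm restarting its loop."""
    per_sender = defaultdict(list)
    for ts, sender, recipient, body in parse_records(log_text):
        if SHORT_LINK.search(body):
            per_sender[sender].append((ts, recipient))
    findings = {}
    for sender, events in per_sender.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each link-bearing message in turn.
            in_window = [r for t, r in events[i:] if t - start <= window]
            distinct = set(in_window)
            if len(distinct) >= min_recipients:
                findings[sender] = {"messages": len(in_window),
                                    "distinct_recipients": len(distinct),
                                    "repeats": len(in_window) - len(distinct)}
                break
    return findings
```

On the constructed log only +1000 is reported, with 6 messages to 5 distinct recipients and 1 repeat; the thresholds should be tuned to a real population's normal SMS volume before use.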
Configuration File Downloaded in the Upgraded Version of Selfmite.b
When it first appeared, the purpose of the Selfmite.b malware was clear: send text messages to a number of contacts from the contact list and infect the victim's device with the Mobogenie application. The second goal mattered most to the creators, as they were paid for each application installation.
The researchers at Adaptive Mobile who found the first version of the worm noticed that its authors have added a more complex set of instructions, downloaded by the malware from a command and control server, to the later version of Selfmite.b.
The configuration file instructs the malware to promote the services the creators get paid for according to the victims' IP addresses, so users in different geographic regions get different content.
Two icons appear on the Android screen, and if users tap one of them, the content they see depends on their country.
For example, a user from Ireland will get a premium subscription page while a user from Russia will get the Mobogenie application, just as in the earlier version of the malware.
More Money-Making Options for Selfmite.b
The configuration file also points to a compromised Google Plus application that is used to make more money from the malware. When users open the application they are redirected to a different one in Google Plus, which may also be part of the pay-per-install scheme.
Upon closing the application, a subscription offer for a service that changes depending on the configuration file is opened in the mobile device's web browser, Adaptive Mobile says.
The creators ensure a revenue stream from referral networks and advertising by offering unsolicited content to users.
If a text message is opened by a victim on an iOS device, the shortened URL leads to a fitness application in the Apple Store, the Adaptive Mobile researchers say.
With its much more aggressive approach, the later version of Selfmite.b has infected more victims than the earlier one. Taken together, its various monetization methods make the later version quite a serious issue, the researchers say.