Active mobile botnet enslaves thousands of Android devices

A trojanized Android application for configuring phone settings has been enslaving the devices of the customers of China’s two largest mobile carriers into a botnet numbering hundreds of thousands of compromised devices, say Symantec researchers.

The app was discovered on a Chinese third party marketplace, and once run, it installs both the original, legitimate app and the malicious one, which immediately contacts a remote server to which it delivers the device’s IMEI and IMSI number, the cell ID, location area code and mobile network code.

It also attempts to download another malicious package – a Remote Administration Tool for Android. And apart from allowing the botmaster to control the device from afar, the malware is also capable of other things.

“We have seen evidence of functionality to send text messages, block incoming text messages, log details of outgoing phone calls (including duration and target phone number), generate outgoing phone calls, updating the command-and-control server it contacts, and log and generate WAP access,” share the researchers. “More alarmingly, this botnet appears to capture and store a large amount of this data on its command-and-control servers.”

The researchers were able to find out a lot about the botnet in question after having discovered and analyzed a C&C server associated with it.

They discovered that the botnet has been active since September 2011, and the number of active, infected devices tends to range from 10,000 to 30,000 per day. It is used to earn the botmaster(s) money, by making devices send text messages to premium rate numbers, contact premium rate telephony services, and connect to pay-per-view video hosting.

Given the range of prices for these services, the researchers estimate that the botnet generates between $1,600 to $9,000 per day ($547,500 – $3,285,000 annually).

“The botmaster has a fine grained level of control over the infected devices. Depending on which premium service a device is attempting to contact, a number of configuration options are available to the botmaster,” they say. “For example, an infected device can be configured to send messages to a particular premium SMS number at a specific rate (three a day, for instance) for a certain number of days. Devices connecting to premium video or telephony services can also be configured for how long they should connect to a premium phone number or pay-per-view website. The botmaster may also configure which incoming messages get blocked by the malware. This is typically used to block messages from mobile operators, but it is further configurable to prevent messages from premium services being returned to the device.”

Even though the primary targets for this app are customers of China’s two largest mobile carriers, a small number of customers of other carriers have been infected, but their phones are not instructed to perform the aforementioned money-earning actions.

“This is not the first example of an active, revenue-generating Android botnet we have seen. However, considering the huge market for Android apps, the availability of third-party app stores without security checks, and the massive revenue which can be generated from this type of botnet, Android.Bmaster’s million-dollar botnet certainly won’t be the last,” concluded the researchers.