Kaspersky Lab experts have recently spotted and analyzed an SMS Trojan for Android devices that is currently mostly targeting Russian users, and which along with the premium SMS-sending also attempts to steal money by emptying the victims' QIWI digital wallet.
QIWI is an electronic payment service popular in Russia and many other countries of the former Soviet Union, and can be used for payments and money transfers, and to pay fines, telephone services and ISPs. The service also operates in the US, Brazil, Romania and several other countries. In November 2012 QIWI and Visa entered into a global partnership, and the QIWI Wallet was transformed into a co-branded Visa QIWI Wallet product.
Waller - as the Trojan has been named - is spread via SMS spam and third-party Android app markets where it is offered for download disguised as firmware, media players, and so on.
Once installed on a device, it contacts a C&C server to receive commands, and it is capable of doing much more than just sending pricy text messages. It can also update itself, download additional malware, intercept SMSes, and open specific web pages.
As noted before, it can also empty the victims' Visa QIWI Wallets.
"It does this by sending an SMS request to the number 7494. The message sent in response is intercepted by the Trojan and forwarded to its owners," researchers explain.
"If the owner of an infected smartphone has a QIWI account and Waller receives information that there is money in the e-wallet, then the Trojan can transfer the money from the user’s account to the QIWI account of the cybercriminals. To do this a command is given to the Trojan to send an SMS to the number 7494 that includes the wallet number of the criminals and the sum to be transferred. Up to 15,000 rubles (approximately $430) can be transferred per day."
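As an added defender's triage example (not from the Kaspersky report, and not Waller's actual manifest), the check below scans an Android manifest for the permission and receiver combination that the send-and-intercept behaviour described above requires: SMS sending, SMS reading, network access for the C&C channel, and a high-priority SMS_RECEIVED receiver that lets an app read a reply before the stock messaging app does. The sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: the manifest shape of a "media player" that really has
# the capabilities described in the article. It is not Waller's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def sms_fraud_indicators(manifest_xml):
    """Return human-readable indicators of SMS-Trojan capability found in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    prio_attr = "{%s}priority" % ANDROID_NS
    perms = {e.get(name_attr) for e in root.iter("uses-permission")}
    found = []
    if "android.permission.SEND_SMS" in perms:
        found.append("can send SMS (premium numbers, wallet commands)")
    if "android.permission.RECEIVE_SMS" in perms:
        found.append("can read incoming SMS")
    if "android.permission.INTERNET" in perms:
        found.append("network access (C&C, additional downloads)")
    for flt in root.iter("intent-filter"):
        actions = {a.get(name_attr) for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            prio = int(flt.get(prio_attr, "0"))
            if prio >= 1000:  # ordered ahead of the normal messaging app
                found.append("intercept: high-priority SMS receiver (priority %d)" % prio)
    return found


def is_suspicious(manifest_xml):
    """Flag when an app can both send SMS and intercept replies, as the Trojan does."""
    ind = sms_fraud_indicators(manifest_xml)
    return any(i.startswith("intercept") for i in ind) and \
        any(i.startswith("can send SMS") for i in ind)
```

The priority threshold is an assumed heuristic; an app that legitimately handles SMS (a messaging client) will also trip it, so treat a hit as a reason to inspect, not a verdict.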
The one piece of good news is that the Trojan has not (yet) spread far, but that could easily change.
Users can defend themselves against this threat by installing security software, being careful which apps they install and from where, and by not activating (or de-activating) the "Developer mode" and the "Install applications from third-party sources" option.