Over the last weekend (14th Sep.), we have seen the SpamSoldier malware come alive again. SpamSoldier is a type of mobile malware that turns your phone into a botnet that sends text message spam. How it works is it pretends as a game app, i.e. Angry Birds, Need For Speed, GTA, Minecraft. After install, it tries to install the actual game APK file packed inside, but meanwhile it does malicious activity in the background. This malicious activity includes sending thousands of spam messages that attempt to spread the malware.
We saw some testing in early September, but the infection went live with several new C&C servers being used a few days ago. The spam it sends so far is of the following format:
Android Gamers Download free full versions of Minecraft, Grand Theft Auto and Need for Speed at www.[MALICOUS DOMAIN]biz.cc
Download the Newest version of Angry Birds for Android phones for free at hxxp://[MALICOUS DOMAIN]gg.biz
The Newest version of Angry Birds for Android phones is Available free at hxxp://[MALICOUS DOMAIN]biz.cc
Clicking on these takes you to this
Apart from several new C&C servers that have been used in the new samples, there isn’t anything new in the code. Like the SpamSoldier outbreak from 2012, the malware periodically queries a C&C server, downloading a spam message template and a list of recipient numbers. The infected device then sends the spam message to the list of recipient numbers.
During their testing in early September, we found several APKs hosted on the site. However none of them was working due to the C&C server not being correctly setup, but the evidence pointed to a new potential campaign.
Since then, we have been monitoring their activity. We believe the spammer seems to be trying to reuse the old SpamSoldier code. However, based on the samples we have seen, it seemed the spammers were struggling with repackaging the malware, and setting up the C&C server. None of the C&C servers were able to deliver instructions.
Around 15th, we saw a C&C server go live and the start of SpamSoldier related spam activity in our customers, this spam contains a link to the malware. There have been only a few URLs hosting the malware used in this campaign so far, but all sites have been recently updated, hosting a fake AngryBirds app on site, plus each sample uses a different C&C server.
Different from the last campaign, where the spammer used the network to send large amount of spam, this time we believe it’s still in a heavily promoting stage, the spammer still seems like they are trying to build the network at the moment. We have also seen indications that they are attampting to send the spam from email to sms and so not just from mobile devices. However due to the early monitoring and blocking that we have put into place in our customers, and talking with our industry partners, so far we haven’t seen heavy spam traffic due to the malware, but we will continue to monitor.
Note: Samples currently active(MD5 hash):
156b7b5f84544d5a867b0b527d0fc660
9e1719a4cbc44823734071602e2425b2