A mobile botnet is so big it apparently has been in at least 64 spyware campaigns, researchers said.
The MisoSMS malware (Android.Spyware.MisoSMS) that powers the botnet is able to steal text messages and send them back via email to command and control (C&C) servers located in China, said researchers at FireEye. Over 450 unique email accounts have seen use by attackers.
Most of the devices infected with MisoSMS are in Korea. The attackers log in to the C&C servers that store the information from a number of locations, including Korea and mainland China.
FireEye has been collaborating with Korean law enforcement authorities and Web mail vendors from China in an effort to disrupt the threat’s C&C infrastructure.
All of the 450 email accounts spotted by researchers ended up deactivated. The good news is the attackers don’t seem to have attempted to register new ones. FireEye said it continues to monitor the evolution of the operation.
The MisoSMS malware goes out as an application called Google Vx. During installation, it requests administrative privileges to ensure it can hide its presence.
After the malware installs on Android devices, victims get an error message that says there is damage to the file and it can’t operate. It might appear to the victims that nothing ended up installed on their devices.
Once MisoSMS infects a device, it launches three services in the background. One of them is MisoService, from which the threat gets its name. The other two are RollService and BaseService. Each of them is responsible for certain tasks.
Click here for more details from FireEye.