This week we received a malware sample that pretends to be a simple “MoviePlayer” app for the Android mobile operating system. During the analysis we found that the “MoviePlayer” functionality is fake: the Trojan only tries to send three SMS messages to expensive Russian premium-rate numbers. Two messages are sent to the short code 3353 and one to 3354.
After the Trojan has sent the SMS messages to these Russian premium-rate numbers, it creates a “movieplayer.db” SQLite database and inserts “was” into the first table. This serves as an infection marker so that the Trojan sends the messages only once. The malware authors may be trying to stay below the radar this way: three premium SMS messages don’t cost as much as hundreds, so the victims may not even notice that they were ripped off.
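A triage check for the infection marker described above, as an added example that is not part of the original analysis: it opens a copy of “movieplayer.db” read-only and reports every table and column that holds the text “was”. The write-up does not name the table or column, so the script scans all tables; the sample schema (`table1`, `value`) is constructed for illustration.

```python
import sqlite3
from pathlib import Path

MARKER = "was"  # infection marker value named in the write-up


def open_readonly(path):
    """Open a pulled database copy without modifying it (SQLite URI, mode=ro)."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def find_marker(conn, marker=MARKER):
    """Return sorted (table, column) pairs whose text cells equal the marker."""
    hits = set()
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Quote the identifier: table names come from an untrusted file.
        quoted = '"' + table.replace('"', '""') + '"'
        cur = conn.execute(f"SELECT * FROM {quoted}")
        columns = [d[0] for d in cur.description]
        for row in cur:
            for column, value in zip(columns, row):
                if isinstance(value, str) and value == marker:
                    hits.add((table, column))
    return sorted(hits)


def build_sample(infected):
    """Constructed stand-in for movieplayer.db; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    # Android normally adds this table to app databases.
    conn.execute("CREATE TABLE android_metadata (locale TEXT)")
    conn.execute("INSERT INTO android_metadata VALUES ('en_US')")
    conn.execute("CREATE TABLE table1 (value TEXT)")  # hypothetical name
    if infected:
        conn.execute("INSERT INTO table1 VALUES (?)", (MARKER,))
    return conn


if __name__ == "__main__":
    for label, infected in (("marked", True), ("clean", False)):
        hits = find_marker(build_sample(infected))
        print(f"{label} sample: {hits if hits else 'no marker found'}")
```

A hit means the SMS routine has most likely already run on that device, so the carrier bill is the next thing to check for messages to 3353 and 3354.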
This piece of malware is not very widespread because it wasn’t available through the official Android Market. Potential victims would need to download the malware to their memory card, allow “non-market” applications to be installed and then finally install the Trojan, allowing it to send SMS messages during that step.
Avira detects this mobile Trojan as “TR/SMS.AndroidOS.A” starting with VDF 126.96.36.199.