Android phones hijacked for botnet

If you’ve downloaded any free Android games recently and don’t have an unlimited SMS plan, you may be in for a nasty surprise when the next phone bill hits the mat.

Hackers have been offering free, booby-trapped games, including Angry Birds Space, Grand Theft Auto 3 and Need for Speed Most Wanted, to hijack users’ phones for a spam botnet.

Other techniques include – cheekily – offering anti-spam software and free gifts from retailers such as Target.

Users falling for the scam download apps from a server in China, and are then told they must grant the app permission to install and give it the ability to browse the web and send texts. While this is both unusual and unneccessary, many users won’t think about it too much.

“Once installed, the trojan initiates a connection to a command and control server,” says Andrew Conway of security firm Cloudmark.

“The C&C server replies with both a list of spam target phone numbers as well as the message payload to deliver.  After the payload is retrieved the application would duly start SMS spamming, reporting back to the C&C server on each message sent.”

And it’s pretty prolific, waiting 1.3 seconds between each message, and checking with the C&C server every 65 seconds for more numbers – which it harvests in batches of 50.

While the attacks started as far back as October, says Cloudmark, they’ve ramped up considerably in the last two weeks, hitting as many as half a million spamming SMSs a day.

Security firm Lookout says it’s discovered instances on all the major carrier networks in the US, and warns that users may experience lower speeds as well as higher bills.

“Compared with PC botnets this was an unsophisticated attack. However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs,” says Conway.

“Now that we know it can be done, we can expect to see more more complex attacks that are harder to take down.”