Doctor Web: New Trojan
for Android can mount DDoS attacks
December 31, 2012
Russian anti-virus vendor Doctor Web warns Internet users about a new
malicious program for Android. TheAndroid.DDoS.1.origin can carry out
DDoS-attacks on various internet resources and send short messages upon
a corresponding command from criminals.
After installation, Android.DDoS.1.origin creates an application icon,
similar to that of Google Play. If the user decides to use the fake icon
to access Google Play, the original application will be launched, which
significantly reduces the risk of any suspicion.
When launched, the Trojan tries to
connect to a remote server and, if successful, it transmits the phone
number of the compromised device to criminals and then waits for further
SMS commands. Supported directives include attack a specified server and
send SMS. If criminals want the Trojan to attack a server, a command
message will contain the parameter [server:port]. Upon receipt of such a
command Android.DDoS.1.origin starts to send data packets at the
specified address. If the malicious program is required to send an SMS,
the command message will contain the message text and the number to
which it should be sent. Activities of the Trojan can lower performance
of the infected handset and affect the well-being of its owner, as
access to the Internet and SMS are chargeable services. Should the
device send messages to premium numbers, malicious activities will cost
the user even more.
is not quite clear yet how the Trojan spreads but most probably
criminals employ social engineering tricks and disguise the malware as a
legitimate application from Google.
It is worth noting that the code of Android.DDoS.1.origin is heavily
obfuscated. Given that the Trojan can carry out attacks on web sites and
send various text messages to any number, including those of content
providers, we can assume that the malware can also be used to conduct
illegal activities for third parties (e.g, attack a competitor's site,
promote products with SMS or subscribe users to chargeable services by
sending SMS to short numbers).
Doctor Web's virus analysts continue to examine Android.DDoS.1.origin.
Devices running Dr.Web products for Android are well protected from this