RuMMS Android Malware Attacks via SMS Spam, Steals Money from Bank Accounts, Targeting Users in Russia
To infect the potential victims, the malicious actors send them SMS texts containing links in the form of hxxp://yyyyyyyy[.]XXXX.ru/mms.apk, which is why FireEye has given the malware the name of “RuMMS.” The people who click on those links then become infected by the malware.
The attackers send only a simple SMS that lures the victim onto a website with the promise of viewing a recent MMS message received from a friend. The website asks the user to download an app to view the MMS, and that app is in fact the RuMMS malware. The app asks for device administrator privileges during installation, which most users tend to grant. Once this happens, the malware's first actions are to hide its icon from view, start collecting data about the victim, and send that data to a C&C server.
Once installed, the malware requests device administrator privileges. Then, it starts running in the background, performing the following malicious actions:
1. Sending device information to a remote command and control (C2) server.
2. Contacting the C2 server for instructions.
3. Sending SMS messages to financial institutions to query account balances.
4. Uploading any incoming SMS messages (including the balance inquiry results) to the remote C2 server.
5. Sending C2-specified SMS messages to phone numbers in the victim’s contacts.
6. Forwarding incoming phone calls to intercept voice-based two-factor authentication.
From this point on, the malware acts as a fully fledged banking trojan. RuMMS queries various online services to see whether the user has bank accounts and tries to authenticate using the data found on the device. Because the trojan intercepts both SMS and voice-based two-factor authentication, it can pass the second-factor checks banks deploy.
Researchers said that during their investigations, RuMMS never stole more than 600 rubles ($9 / €8) from a victim. Taking small sums lets the attacker hide the theft among a user's regular card transactions, which are usually of about the same size.
In order to spread to as many devices as possible, RuMMS will also carry out one last operation, and that’s to access the victim’s contacts list and send out mass SMS messages, with the same spam message the victim received earlier.
This dirty trick means the crooks behind this operation don't have to rely on their own lists of phone numbers to infect users; they count on the malware self-propagating, just like a classic worm. At the time of writing, FireEye says it has detected around 300 different versions of the malware, and that all domains where the malicious APK was once hosted are now clean and harmless.
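Two of the behaviours described above, the ".apk lure" SMS and the mass forwarding of that same lure to the victim's contacts, are simple to spot in an SMS log. The following is an added example (not code from the article or from FireEye) that runs two such detections over a constructed set of SMS records; the phone numbers, hostname and timestamps are all invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SMS records: (direction, peer number, body, timestamp).
# The lure host "lure-host.invalid" stands in for the .ru hosts the campaign used.
SAMPLE_SMS = [
    ("in",  "+79001112233", "New MMS from a friend: http://lure-host.invalid/mms.apk", "2016-04-01 09:00:00"),
    ("in",  "+79005556677", "Your parcel is ready for pickup", "2016-04-01 09:05:00"),
    ("out", "+79001000001", "See my MMS: http://lure-host.invalid/mms.apk", "2016-04-01 09:10:00"),
    ("out", "+79001000002", "See my MMS: http://lure-host.invalid/mms.apk", "2016-04-01 09:10:05"),
    ("out", "+79001000003", "See my MMS: http://lure-host.invalid/mms.apk", "2016-04-01 09:10:09"),
    ("out", "+79001000004", "See my MMS: http://lure-host.invalid/mms.apk", "2016-04-01 09:10:14"),
    ("out", "+79001000005", "Running late, see you at 7", "2016-04-01 09:30:00"),
]

# A direct link to an APK file inside an SMS body (RuMMS used .../mms.apk).
APK_LINK = re.compile(r"https?://\S+\.apk\b", re.IGNORECASE)


def find_apk_lures(records):
    """Return (sender, url) for inbound messages carrying a direct .apk link."""
    hits = []
    for direction, peer, body, _ in records:
        match = APK_LINK.search(body)
        if direction == "in" and match:
            hits.append((peer, match.group(0)))
    return hits


def find_mass_sms(records, min_recipients=3, window=timedelta(minutes=5)):
    """Return {body: recipient_count} for outbound bodies sent to at least
    min_recipients distinct numbers within `window`: the self-propagation pattern."""
    by_body = defaultdict(list)
    for direction, peer, body, ts in records:
        if direction == "out":
            by_body[body].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), peer))
    flagged = {}
    for body, sends in by_body.items():
        sends.sort()
        for i, (t0, _) in enumerate(sends):
            peers = {p for t, p in sends[i:] if t - t0 <= window}
            if len(peers) >= min_recipients:
                flagged[body] = len(peers)
                break
    return flagged


if __name__ == "__main__":
    print(find_apk_lures(SAMPLE_SMS))
    print(find_mass_sms(SAMPLE_SMS))
```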
Smishing (SMS phishing) offers a unique vector for infecting mobile users. The recent RuMMS campaign shows that smishing is still a popular means for threat actors to distribute their malware. So be careful when responding to SMS messages on your mobile phone.