SMS seems like an old-school way to carry out a hack but it is still a very valid attack vector today. Wandera has identified a bitly URL shortener that prompts the user to download a malicious Android messaging app. It looks like Android’s default messaging app to the user but it’s actually a type of spyware.

The Ananto spyware is designed to transmit every SMS received on the device. A copy of these messages is sent back to a command and control server (C&C).

How does it happen?

We suspect the bitly link is spread through email and social media. For example, it might be sent in an email that looks familiar or friendly, tempting the user to click through. This is an easy trap to fall into since you can rarely tell where a bitly link goes to and they are widely trusted.
Once the link is clicked and the user opts to install the application the following screen is displayed which asks for “device admin” privileges.
Immediately after the installation, the default “MMS Messaging” icon in Android menu disappears.
Because the application appears to replace Android’s default messaging app it’s unlikely the user will notice anything suspicious.

What is being exposed?

Users affected by the malicious application are exposing the following information:

  • Android Version
  • Device Model
  • List of applications installed
  • Mobile Network Code
  • Country
  • SMS (Content + Sender’s phone number)

This has serious security implications when you think about the sensitive information that is sometimes sent SMS. For example, two-factor authentication codes are often sent to users by banks and other services handling highly sensitive and private information.  
We suspect this attack may be used as part of a wider hack, stealing two-factor authentication keys in tandem with other techniques to access online banking, for example.

To see more, read our post on Zero-Day iPhone Hacks: New Vulnerabilities and Why They Matter

To make matters worse, the C&C connection does not use encryption, meaning it also exposes the stolen information to any third party hacker that may be intercepting traffic as well.


What can you do?

Uninstalling the spyware is extremely difficult and requires extensive technical knowledge so obviously prevention is the best remedy.
A number of customers in our global network including a big name in the payments industry have already been exposed to the URL.
For end users, we recommend these precautions:

  • Do not install apps from third-party websites
  • Check your security settings to ensure the option “Allow installation of applications from both trusted and unknown sources” is opted out
  • Before clicking on a URL shortener, try to preview it first by appending ‘+’ sign at the end i.e

Our recommendation is for businesses to have an active mobile security service deployed. These technologies should have filtering and blocking functionality that happens at the data level to block traffic to suspicious URLs like Ananto.
Read the full Threat Advisory
[text-blocks id=”3610″]