Android Trojan using SMS and email from user's Address book

My girlfriend got the following SMS messages on her Android phone (HTC EVO on Sprint).

From December 11, 2012 she is pretty sure she followed this one:

My name is Chris. You mobile is on the third place. Your X-mas code for http://[redacted] is 5473

She may or may not have followed the link in this one:
From December 6, 2012

Your contact last day has WON! Visit http://[redacted]/?3968, put your code 3968 to recive card within 24hours.

I thought it might be this: Android Trojan Used To Create Simple SMS Spam Botnet

or this: Android Trojan Can Partake in DDoS Attacks, Send SMS Spam

Then, today her phone emailed and SMSed many messages[1] with a URL to many of her contacts, presumably from her phone's address book. The software used in the trojan Cloudmark identified is known as SpamSoldier. SpamSoldier apparently downloads a list of addresses from a command and control server in order to spread, which is obviously different than the address book used by the trojan on my girlfriend's phone. This doesn't match the SpamSoldier signature. Additionally, I couldn't find any of the apk file names listed by Cloudmark on her phone.

The second trojan I linked to is named Android.DDoS.1.origin and I couldn't find this on her phone either. If anyone has any more information, let me know via email: 'johnbrier' at the popular google email service. I'll update here as I find more info.

An example of one of the messages received over email is the following:


