We've found Android trojans that attempt to send SMS messages to premium rate SMS numbers. That's not unusual. What is different though is that these trojans don't work.

The trojans (detected as Trojan:Android/RuFailedSMS.A) use these permissions:



And pretend to be installers for a range of applications, with each malicious app offering to download a package (of what is presumably a popular app):



Some of the "offered" applications include:

  •  Add_It_Up
  •  Advanced_Launcher_Lite
  •  AmazingMaze_supLitesup
  •  Analog_Clock_Collection
  •  Animal_Sudoku
  •  AnySoftKeyboard
  •  AnySoftKeyboard_Slovak_Language_Pack
  •  AppInventor_Toggle
  •  Arrow_Caz
  •  Astronomical_Flashlight
  •  BentoCam!
  •  Bimaru_-_Battleship_Sudoku
  •  BlackJack
  •  Carve_a_Pumpkin_supLitesup
  •  Chinese_Chess
  •  Christmas_Ringtones
  •  Coloring_pages
  •  Contact_Finder_supLitesup
  •  Converter
  •  Countdown_Widget
  •  Crayon_Ball
  •  Cyan_aHome_Theme

Fortunately, due to some uncaught exception in the code, the trojan (SHA1: 0d2d3317c6ca1a9812d357741f45af6bb360d89c) doesn't complete its malicious activities — it just crashes and terminates:



We've found over a hundred copies of the trojans, but the large number doesn't make it technically advanced — the copies basically use the same source code, but just re-shuffled into different configurations for the different packages.

The trojans were found on third-party Android markets and targets users in Russia, Belarus, Kazakhstan and Azerbaijan.

Even though these trojans crash and fail, we are still detecting them due to the malicious routines, and also because of large number of copies circulating.

Threat Solutions post by — Jessie