SECURITY FIRM Malwarebytes has warned people who download rogue apps that they can expect to fall into an insecurity trap.
The firm said that SMS Trojans are some of the most prevalent malicious apps, and warned that some can charge people as much as $10 for every crappy message that they send or receive.
Jerome Segura, senior security researcher at Malwarebytes, has traced one particularly onerous example back to a fake Skype application. Segura said that the bad app makes its living mostly in Eastern Europe, but can be turned to any kind of software.
"We navigate to a site pushing a fake Skype update for Android phones (and tablets). We proceed to download the app which is fairly big in size, but is within what we would expect for Skype anyway," he said.
The firm reverse engineered the app and pulled it apart. It found some modules that relate to Skype, but others that are not documented in Skype's SDK for Android.
"The code is well-structured and each class is named appropriately, quite different when we compare it to malicious Java applets used in exploit kits where everything is obfuscated and encrypted," he said.
"What we have here is the backbone for an SMS Trojan that can - among other things - automatically send costly (premium) SMS messages while running silently in the background."
The app can send a premium SMS message every ten minutes, which sounds costly. Perhaps worse, it has been engineered so that it will hide warnings about high cost messages from the user. Other features include logging of phone activity and storing it somewhere.
"The Android operating system comes with certain safeguards and given the current malware landscape it is a very good idea to make sure they are enabled," said Segura.
"The rule of thumb is that you should avoid installing any app that is not in the Play Store. Right there it will dramatically reduce your chances of getting infected."