
Analyst: SMS relay malware can spy on Android phones


A new malware affecting mobile devices running Google’s Android operating system can be used to spy on the affected device’s owner, a computer security firm warned over the weekend.

Trend Micro threats analyst Mark Balanza said the spy function is one of three possible functions for the malware, the other two involving abusing premium services and being an SMS relay.

“It can be used to spy on the targeted device. The malware author can set a specific number. Once an SMS message is received from that number, the SMS body is uploaded to its server,” Balanza said in a blog post.

Balanza said the malware may also be used for premium services, where the author can command the backdoor to enroll the affected device in a specified premium service. He said the user will not have any idea that the device has already been enrolled because the SMS notifications from the said service are also deleted by the malware.

A third possible motive is serving as an SMS relay, like a proxy server for SMS. “The malware author can send and receive SMS messages through the affected device,” he said.

In the blog post, Balanza said the malware displays a blank window for a split second and then closes it immediately after it is installed. The malware installs a service called “FlashService” and uses two receivers called “FlashReceiver” and “SMSReceiver”, which are triggered after boot up and when an SMS is received, respectively.

The “FlashService” service is responsible for communicating with its server. It executes once the device boots up, and connects to a certain URL to download an XML configuration file.

To check if one’s device is infected, an Android device owner should go to Settings > Applications > Running Services and check for an application with “FlashService” as its service, and “com.flashp” as its process. If found, users can manually remove the malware from their system by going to Settings > Applications > Manage Applications and uninstalling the said application.
Trend Micro’s software detects the malware as ANDROIDOS_CRUSEWIN.A. — LBG, GMA News
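
The Running Services check described above can also be applied to a saved service listing from a device. The following Python is an added example, not code from Trend Micro or from the original article; the sample text (laid out in the style of `adb shell dumpsys activity services` output), its package names and the strong/weak labels are constructed assumptions.

```python
import re

# Indicators named in the article.
SERVICE_NAME = "FlashService"
PROCESS_NAME = "com.flashp"

# Constructed sample; package names and record ids are made up, and the
# exact layout of a real listing varies by Android version.
SAMPLE = """\
  * ServiceRecord{40512a10 com.android.phone/.BluetoothHeadsetService}
    packageName=com.android.phone
    processName=com.android.phone
  * ServiceRecord{4059c3f8 com.example.placeholder/.FlashService}
    packageName=com.example.placeholder
    processName=com.flashp
  * ServiceRecord{405d77a0 u0 com.example.torch/.FlashService}
    packageName=com.example.torch
    processName=com.example.torch
"""

RECORD = re.compile(r"ServiceRecord\{\S+ (?:u\d+ )?([\w.]+)/([\w.$]+)\}")
PROCESS = re.compile(r"^\s*processName=(\S+)")

def parse_services(text):
    """Return one dict per ServiceRecord: package, service class, process."""
    records = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            # Keep only the class name, e.g. ".FlashService" -> "FlashService".
            records.append({"package": m.group(1),
                            "service": m.group(2).split(".")[-1],
                            "process": None})
            continue
        p = PROCESS.match(line)
        if p and records:
            records[-1]["process"] = p.group(1)
    return records

def find_matches(text):
    """Flag records; 'strong' needs both the service and the process name."""
    hits = []
    for r in parse_services(text):
        svc = r["service"] == SERVICE_NAME
        proc = r["process"] == PROCESS_NAME
        if svc or proc:
            hits.append((r["package"], "strong" if svc and proc else "weak"))
    return hits

if __name__ == "__main__":
    for package, level in find_matches(SAMPLE):
        print(f"{level}: {package}")
```

A service named “FlashService” on its own is only a weak signal, since a legitimate application could use the same class name; the article's check pairs it with the “com.flashp” process.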