New Android Trojan likely developed by arrested cyber crooks
The alleged authors of Foncy, a premium rate SMS Trojan that targeted users from a number of European Countries and Canada, have been arrested and indicted in February in France. Since then, the malware hasn’t received any updates, and is considered to be effectively dead.
But another SMS Trojan that popped up a month before the alleged criminals’ indictment and is, according to Kaspersky Lab experts, related to Foncy is still doing rounds.
Variants of this SMS Trojan – dubbed “Mania” – have been popping up since January, and are currently targeting only French Android users.
The Trojan seems to be spreading via file sharing sites, and masquerades as a number of popular Android apps such as Kaspersky Mobile Security, PhoneLocator Pro, CoPilot Live Europe, and many others.
Once launched, the Trojan immediately sends an SMS to a French premium rate number. While doing this it continues to pretend to be a legitimate app and ostensibly does some “license checking”:
“All malicious actions above are contained in the {application name}Acitivity.class file. But there is also a Machine.class file which contains functionality that is absolutely the same as it was in the SMSReceiver.classi3 file in the Foncy Trojan: sending an SMS message to a French cell phone number with the text taken from a reply from the premium rate number 84242,” Denis Maslennikov points out, and posits that Mania was likely created by the authors of Foncy, but sold or given to other cyber crooks before their arrest.