A new Android spam botnet has been discovered that uses infected phones to send thousands of SMS messages without the user’s permission. While the threat is not (yet) widespread, it has already been spotted on all major US carriers and has the potential to make a big impact at the network level if it isn’t dealt with soon.

On December 3, security firm Lookout detected the threat, which it dubbed SpamSoldier, in cooperation with one of its unnamed carrier partners. It spreads through SMS messages (it has not yet been detected on any major app stores) that advertise free versions of popular paid games like Angry Birds Space.

There are a number of different active spam campaigns; here are two:

You’ve just won a $1000 Target gift card but only the 1st 1000 people that enter code 7777 at hxxp://holyoffers.com can claim it!
Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at hxxp://trendingoffers.com for next 24hrs only!

After the user taps on a link from one of these SMS messages, their phone downloads an app that claims to install the game. Instead, SpamSoldier opens and removes its icon from the launcher to cover its tracks. It then immediately starts sending spam messages.

SpamSoldier also attempts to keep the user in the dark by hiding evidence of its malicious activity. It also installs a free version of the game in question to keep users unaware of what is really happening. Furthermore, outgoing spam messages are removed from the list and the malware even attempts to intercept incoming SMS replies to the spam it sends.

The app connects to a remote Command & Control (C&C) server to receive its instructions: the SMS spam message and a list of 100 US phone numbers to spam. It then churns through the list as fast as the device allows, and once it finishes, calls home to get a new list of 100 numbers. It only stops when the C&C either doesn’t respond or the app is closed.

While the distribution of this malware is limited, Lookout says the potential impact to mobile networks “may be significant if the threat goes undetected for a long period of time.” Carriers likely won’t enjoy the large amount of SMS messages sent if it causes a slowdown, butthe user could lose out even more if he or she is charged for many of them. We think this is likely just a test for creating a much more effective Android botnet; spam is usually a good way for cybercriminals to start before developing something more advanced.

To protect yourself, Lookout recommends that you only download apps from reputable app stores and check that the developer is credible before downloading. In other words, never click on links in text messages.

Image credit: Alexander Sperl