Android Text Message Worm ‘Selfmite’ Is Back Again

A lot of smart Android users know better than to click malicious links in apps and browsers.

But when it comes in the form of a text message from a trusted contact, the case is different.

The Android text message worm called ‘Selfmite.b’ is back: it spreads by texting every contact name in the list of an unsuspecting user.

Android Text Message Worm ‘Selfmite’ Is Back Again

IT security firm AdaptiveMobile informed the worm first made way in June. Its latest version, Selfmite.b, has infected several more users than before, and it is using several techniques to take money from victims, and is ‘difficult to stop.’

Till now, 150,000 messages have been tracked as sent by the worm in the last 10 days in 16 nations: a 100X more than the number of messages sent by the previous version of the malware.

In the previous version, Selfmite infected a victim’s phone if they clicked on a link in a text message saying ‘Hey, try it, its very fine’ and ‘Hi buddy, try this, its amazing you know’. Opening the link installs an APK file on the handset: a Trojanized Google Play application carrying the worm. This worm then connects to a remote server and downloads a configuration file holding data that is used to spread the malware.

Whereas the older version of the worm infected only 20 contacts in an address book of a victim, the latest version sends a message to the entire contact list until a mobile operator discovers a problem and blocks the sending of texts. The worm utilizes multiple ‘touch points’ to convince victims to take actions that make cash for the hackers.

Users are then redirected to a Google Play application after they click on the installed icon, or click on icons placed on their homescreen, which redirects them to unsolicited websites prompting subscription. The worm manipulates content according to IP addresses of users in different countries; a user in Canada sees a different website than a user in the United States.

At the moment, only Android users are infected. iOS users aren’t at a risk of infection, but clicking on the link redirects them to a fitness app in App Store. AdaptiveMobile’s security analyst Denis Maslennikov said the latest version has more self-propagating abilities, which means it can target more victims. Also, it is using multiple links to engage users, which is increasing its potential for monetization. The added level of complexity makes Selfmite.b a real threat to both users and mobile carriers.

The authors of the worm, though still using shortened URLs in text messages, generated links with Go Daddy’s service, and specified URLs in a configuration file that is downloaded periodically by the worm from a third-party server.

End-user protection against Selfmite worm

The first and perhaps the best option to protect your device and important data is to install android security software that guards against identify theft and viruses. Android antivirus solutions can secure your data and protect your device against viruses and worms like Selfmite as well as block dangerous and fraudulent websites; this can be a good way to protect your device from becoming a source of monetization for hackers.

Secondly, the distribution system of Selfmite.b worm does not utilize exploits and mostly relies on social engineering, which means users have to click on the spammy links and manually install the downloaded APK for their devices to be infected. So avoiding links in text messages, regardless of who the message is from, can be a great safety measure.

The success rate of the attack can also be limited by configuring your device in a way that it blocks installation of apps from unknown sources, which is not the default setting in most Android devices. This step may not be able to safeguard against the Selfmite worm, but would prevent your device against future worms surfacing from apps that are downloaded outside of Google Play.


Leave a Reply

Your email address will not be published. Required fields are marked *