According to security firm Dell (SecureWorks Counter Threat Unit, STU), the Cutwail botnet, which spreads the Zeus banking Trojan, is currently trying to infect machines with a new Trojan, Stels, which targets devices running the Android OS. The malicious program is downloaded to the device posing as an update for Adobe Flash Player.
The attackers have also created a version for other platforms. Malicious links opened in web browsers on desktop PCs or laptops lead users to a web page hosting Blackhole exploits.
STU researchers analyzed a Stels sample and recorded the following details:
- Filename: flashplayer.android.update.apk
- MD5: b226a66a2796e922302b96ae81540d5c
- SHA1: 670503ed863397d64bfe24ca0940be9c23682ae4
The Trojan is distributed as follows: the user receives an email purporting to come from the U.S. Internal Revenue Service. When the link in the message is clicked, a PHP script determines whether the device runs Android. If it does, the user is prompted to install an update for Flash Player. Installation is only possible once the “Unknown Sources (Allow installation of non-Market applications)” option is enabled. Once that permission is granted, the Trojan is downloaded to the system, after which Stels downloads backdoors and other malware.
If the victim is using Microsoft Internet Explorer, Mozilla Firefox, or Opera, the PHP script instead displays a fake IRS website, and outdated browser plugins are then exploited to infect the system.
Stels gains access to the user’s contact list and allows attackers to send premium-rate text messages and make phone calls. However, according to the security expert, the Trojan cannot access Android’s core. Moreover, the fake Adobe Flash Player update is identified as active. Users should be aware that the app name appears only when the malicious program has been downloaded.
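The indicators above (file name, MD5, SHA1) are what a defender would turn into detection. The following Python script is an added example, not code from the article or from SecureWorks: it hashes a file's contents and compares them against the published Stels indicators, and it scans web-proxy log lines for downloads of the APK name used in the lure. The log format, the client addresses and the `example.invalid` URLs are constructed for illustration; only the three indicator values come from the article.

```python
import hashlib
import re

# Indicators for the Stels sample as published in the article.
STELS_IOCS = {
    "filename": "flashplayer.android.update.apk",
    "md5": "b226a66a2796e922302b96ae81540d5c",
    "sha1": "670503ed863397d64bfe24ca0940be9c23682ae4",
}


def hash_bytes(data: bytes) -> dict:
    """Return the MD5 and SHA1 of a byte string as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_ioc(data: bytes, iocs: dict = STELS_IOCS) -> list:
    """Return the names of the hash types that match the published indicators."""
    digests = hash_bytes(data)
    return [name for name in ("md5", "sha1") if digests[name] == iocs[name]]


# Constructed proxy log lines (hypothetical format: client, quoted user-agent,
# method, URL, status). Addresses and hosts are placeholders, not real IoCs.
SAMPLE_PROXY_LOG = """\
10.0.0.12 "Mozilla/5.0 (Linux; U; Android 4.0.4)" GET http://example.invalid/irs/flashplayer.android.update.apk 200
10.0.0.15 "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0" GET http://example.invalid/irs/index.php 200
10.0.0.20 "Mozilla/5.0 (Linux; U; Android 2.3.6)" GET http://example.invalid/news/story.html 200
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<ua>[^"]*)" (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$'
)


def flag_apk_downloads(log_text: str, filename: str = STELS_IOCS["filename"]) -> list:
    """Return (client, url) for every request whose URL ends in the known APK name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        last_segment = m.group("url").rsplit("/", 1)[-1].lower()
        if last_segment == filename:
            hits.append((m.group("client"), m.group("url")))
    return hits


def scan_file(path: str) -> list:
    """Hash a file on disk and report which published indicators it matches."""
    with open(path, "rb") as fh:
        return matches_ioc(fh.read())


if __name__ == "__main__":
    for client, url in flag_apk_downloads(SAMPLE_PROXY_LOG):
        print(f"possible Stels download: {client} -> {url}")
    # A constructed byte string will not match; a real sample would report ["md5", "sha1"].
    print("indicator match on constructed data:", matches_ioc(b"not the sample"))
```

Hash matching catches only this exact sample, so the file-name check on proxy logs is the more durable of the two signals; pairing it with an Android user-agent hitting a PHP page shortly before the download reproduces the delivery chain the article describes.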