Mobile malware has moved from the security vendor testing labs, out of the realms of marketing hype and FUD, and firmly onto your smartphone. The main target for the malware distributors would appear to be the Android platform, which is not surprising given the rapid growth in the user base coupled with the 'open to all' nature of the Android app marketplace.

Up until now, the usual method of monetizing Android malware had been to subscribe to premium SMS text message services owned by affiliates of the cyber-criminals. Other than this, monetization of malware on the smartphone platform had been rather difficult. Data can be stolen, but it has not proven particularly valuable in the dark markets where such information is traded. It should come as no surprise, as users and security vendors alike start to wise up to the SMS dialling scams, that the bad guys should look to come up with something new.

And something new is exactly what has emerged in the MMarketPay.A Trojan, which is currently circulating throughout the Chinese online Android markets. According to the G Data Security Labs experts who discovered the malware, it is concealed within fake versions of apps such as the E-Strong File Explorer, GO Weather and Travel Sky. It would seem, for now at least, that only users in China are actively at risk, but that could change soon enough as other groups jump on the new mobile malware monetization bandwagon.

So what does MMarketPay.A actually do to make money then? It rather cleverly accesses the China Mobile Android app store to download and install paid apps and more malware. I say cleverly, as the Trojan will change the Access Point Name (used for system updates) on the smartphone to connect to the China Mobile service provider where the confirmation message gets intercepted. This enables the malware to access the app store there without logging in, and purchase and automatically install whatever it wants all at the expense of the unwitting user.
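A defender-side check for the behaviour described above, added here as an example and not taken from the article or from G Data: it audits a decoded AndroidManifest.xml for the permission pairing that APN rewriting plus message interception would need. The permission names are standard Android ones, but mapping them to this Trojan (including the assumption that the confirmation arrives by SMS) is not stated in the article, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names. Which permissions MMarketPay.A actually
# declares is not given in the article, so this mapping is an assumption.
BEHAVIOURS = {
    "change_apn": {"android.permission.WRITE_APN_SETTINGS"},
    "intercept_sms": {"android.permission.RECEIVE_SMS"},
    "silent_install": {"android.permission.INSTALL_PACKAGES"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml):
    """Report which risky behaviours the manifest makes possible."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(b for b, needed in BEHAVIOURS.items() if needed <= perms)
    # APN rewrite together with message interception is the pairing described.
    suspicious = {"change_apn", "intercept_sms"} <= set(hits)
    return {"behaviours": hits, "suspicious": suspicious}

# Constructed sample: a repackaged weather app asking for far more than it needs.
REPACKAGED = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
</manifest>"""

# Constructed sample: what a plain weather app might reasonably request.
BENIGN = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("repackaged", REPACKAGED), ("benign", BENIGN)):
        print(label, audit(manifest))
```

A hit is a reason to look closer at an app, not proof of malice, since some legitimate carrier and system apps hold these permissions.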

In the meantime, our Chinese members are advised to check their phone bills very carefully for any unexpected payment activity.

About the Author

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

It seems that the platform itself is to blame for the ease with which such attacks can be performed? In which case, where's the liability if someone gets stuck with such unauthorised bills I wonder? (Thinking more in the West than China)

I'm all for the belief in open "no red tape" structure in application distribution, so long as it isn't manipulated. However, that never seems to be the case. So many Android "fanboys" gawk at Apple's super closed structure, rules and obviously the pay cuts they take. However, for all this "red tape" also comes an extra layer of security. Google seems to use its "open" structure as an excuse to not have to spend time and, more importantly, money on checking the integrity of the applications on its marketplace.

And to answer pfeltham1's question, no one is considered liable except the user themselves. The lack of red tape not only means no security, it also means no liability. Google won't be held responsible and neither will the developer, as they can both say it's upon the user themselves to take responsibility for the decision to download such an application.

While I'm sure a few people will say it's no different on a PC, with any program you download from any website. And those people who get attacked deserved it, 'cause they weren't smart enough to do research. And yes, I won't deny this is just how the normal internet works (it's just like the Wild West).

However, phones aren't the exact same as computers. Users on their PCs choose exactly how much they want their PC to store of them. They don't have to put in their first or last names, their credit cards, or any other bit of their personal information. However, with smartphones that's not the case. When you sign up with a provider, much of the personal information your provider has on you is stored in the SIM card. This is something we almost never have a choice over. And these applications, whether their intentions are malicious or not, have access to this information. (Yes, I am aware Apple by default makes all apps take all that information.)

And let's be honest, when we are on the go we are less concerned about security issues than we are at home. No one wants to spend an hour researching an app they plan on spending no more than 5 minutes at a time playing. Especially when money is involved.

To clear the air, I own a Samsung Galaxy S II; it's an Android phone and for the most part I love it. I also own an iPod Touch 3G (which all my music is on). I have experienced the best of both worlds, and see there are positives to both stores and negatives to both. However, when it comes to customer peace of mind, I feel it's best kept on Apple's App Store more so than the Google Play Store. And it should be the first choice, especially for those who are not tech savvy. At least until Google puts some armor on its walls.
(Not to mention the fact the Play Store is overflowing with "premium" games I played for free on Newgrounds like 10 years ago with their names changed (how clever).)

Thanks for the considered reply. Google's stance is not compliant with common sense. Do No Harm? I don't think so.

You're welcome, and to add more to my past post (and make it more relevant to the initial point of this conversation), this is nothing new in the Google Play store. People are being victimized by "trojans" just like 'MMarketPay.A' every day! It's even happened to me!!! I am proud to say at least it wasn't because I was fooled by a phony app pretending to be Angry Birds. It was an N64 emulator I heard a lot of good things about. I'm just grateful I never stored my credit card information on my phone. However, I'm sure they grabbed some of my information to sell, and they put quite a few other garbagy apps on my phone. It'd be nice to see Google somehow make a hybrid standard that offers the security we all deserve but doesn't try to take a % of our profits.

The Android market is getting bigger and bigger every day and I am learning something newer each and every moment. I think this Android world is just going to get bigger every year.