McAfee researchers recently came across a new variant of the Android/Smsilence malware that poses as a Vertu upgrade/theme for Japanese and Korean users.
Upon installation, the malware displays a loading screen while it registers the device's phone number with an external server; it then installs a filter on the device so that all incoming messages are forwarded to that same external server. The malware is also capable of downloading additional spyware to the infected device. Finally, the loading screen switches to a statement indicating that the service was unavailable.
This is one of many guises being used to deliver Android/Smsilence, according to McAfee. "Despite a lack of sophistication compared with other mobile botnets, Android/Smsilence was still able to infect between 50,000 and 60,000 mobile users, according to our analysis," writes McAfee's Irfan Asrar.
There's one other aspect of the malware that's unquestionably unique. "[W]e discovered a file inside the malware that changes the package hash; that's an evasive technique dubbed server-side polymorphism, and attempts to avoid detection by antimalware vendors," Asrar writes. "But it was not the technique that was confusing, even though this is the first time we have seen this technique used outside of an Eastern European threat family. The chosen file, the key component in the evasion technique, was a picture of London Mayor Boris Johnson."
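Why swapping one embedded picture defeats whole-package hash matching, as an added Python illustration that is not from the McAfee report: it builds constructed APK-like archives that share the same code component but carry a different image, then compares the hash of the whole file with the hash of the code alone. The member names and byte contents are made up for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK's code component (a real classes.dex is not on the page).
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64
# Fixed timestamp so the only difference between variants is the picture itself.
FIXED_TIME = (2013, 1, 1, 0, 0, 0)


def _member(name: str) -> zipfile.ZipInfo:
    info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
    info.compress_type = zipfile.ZIP_DEFLATED
    return info


def build_package(image_bytes: bytes) -> bytes:
    """Build an APK-like zip with a constant code component and a variable picture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_member("classes.dex"), FAKE_DEX)
        zf.writestr(_member("res/drawable/mayor.jpg"), image_bytes)  # hypothetical name
    return buf.getvalue()


def package_hash(apk: bytes) -> str:
    """Hash of the whole file: this is what a changing embedded picture perturbs."""
    return hashlib.sha256(apk).hexdigest()


def code_hash(apk: bytes) -> str:
    """Hash of the code component only: unchanged across the polymorphic variants."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return hashlib.sha256(zf.read("classes.dex")).hexdigest()


def compare_variants(n: int = 3) -> tuple:
    """Return (distinct whole-package hashes, distinct code hashes) across n variants."""
    variants = [build_package(b"\xff\xd8\xff" + bytes([i]) * 16) for i in range(n)]
    whole = {package_hash(v) for v in variants}
    code = {code_hash(v) for v in variants}
    return len(whole), len(code)


if __name__ == "__main__":
    print(compare_variants())  # whole-file hashes all differ, code hash is identical
```

A detection that keys on the code component (or on behaviour such as the SMS forwarding described above) survives this trick, whereas a whole-package hash must be re-collected for every served variant.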