A malicious application that can steal cash via phones running Google's Android
operating system has been found.
The program poses as a media player but, once installed, starts sending
premium-rate text messages.
The service receiving the messages is operated by the malicious app's creator,
who scoops up the fees.
Discovered by Kaspersky Labs, it is believed to be the first booby-trapped
application for Android.
In a security advisory Kaspersky said that the fake media player was most
prevalent among Russian Android users. The risk to Android owners worldwide is
believed to be low.
'Trusted model'
In its advisory, Kaspersky said that the huge growth in the number of Android
applications was likely to make the phones tempting targets for criminals.
"We can expect to see a corresponding rise in the amount of malware targeting
that platform," said Denis Maslennikov, mobile research group manager at the
firm.
Simeon Coney, spokesman for mobile security firm AdaptiveMobile, said
booby-trapped applications that run up big bills via premium-rate numbers were
very common on other platforms such as Symbian.
Symbian is the most popular smartphone operating system, commonly used on
handsets built by Nokia and Sony Ericsson.
"There are a significant number of Java-based mobile viruses that do exactly
the same malicious activity of sending out premium rate (i.e. reverse charge)
SMS," he said.
Like other mobile application stores, Google has a system in place that can
revoke malicious applications and stop them running on handsets.
"Our application permissions model protects against this type of threat," said
a spokesperson for Google.
"When installing an application, users see a screen that explains clearly what
information and system resources the application has permission to access, such
as a user's phone number or sending an SMS.
"Users must explicitly approve this access in order to continue with the
installation, and they may uninstall applications at any time."
The spokesperson said the firm advises users to "only install apps they trust".
"In particular, users should exercise caution when installing applications
outside of Android Market."