Dell SecureWorks Counter Threat Unit (CTU) has discovered a new Android Trojan horse called Stels. One of its main purposes is to steal text messages, which may include mobile transaction authentication numbers (mTANs) used as the second factor in two-factor authentication for mobile and wire bank transfers. Stels can also harvest the victim's contact list, send and intercept text messages, make phone calls (including calls to expensive premium-rate numbers), and install additional malware packages.
The Android malware is spread via spam campaigns using malicious emails purporting to come from the Internal Revenue Service (IRS), sent through the Cutwail botnet. The spam entices users into clicking links that redirect to the infamous Blackhole exploit kit, which probes for vulnerabilities in the user's web browser and plugins on the Windows operating system. Because Blackhole is currently unable to exploit an Android device, the attackers instead present a fake Adobe Flash Player update to trick victims into downloading and executing the Android Trojan.
As of last week, Dell SecureWorks had run the sample through 10 of the major mobile antivirus products for Android with zero detections. The company also ran it through the 44 antivirus products on VirusTotal on March 12, again with zero detections.
How to Protect from the Stels Android Trojan
* Do not allow installation of applications that are not distributed through the official Google Play marketplace on the device.
* Prior to installing applications on an Android device, be wary of the application-level permissions an application requests.
* Be critical of applications that request sensitive permissions such as INTERNET and READ_LOGS.
* Educate end users on the threats posed by attachments and links contained in SMS, emails, and instant messages.
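The permission review in the list above can be scripted for triage. The following is an added example, not code from Dell SecureWorks or from the article: it parses the output of `aapt dump permissions <apk>` (the sample output below is constructed, and the package name is a placeholder, not a real Stels indicator) and flags permission combinations that together enable the behaviours the article describes, such as reading incoming SMS and reaching the network to exfiltrate mTANs. The capability categories and combination rules are this example's own assumptions, chosen to match the article, not an official Android classification.

```python
import re

# Constructed sample of what `aapt dump permissions <apk>` prints for a
# hypothetical SMS-stealing package. The package name is a placeholder.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.placeholder.flashupdate
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_LOGS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.VIBRATE'
"""

# Assumed capability categories, mapped from the behaviours the article
# describes: SMS theft/interception, contact harvesting, premium calls,
# package installs, plus the two permissions the article singles out.
CAPABILITIES = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "phone_calls": {"android.permission.CALL_PHONE"},
    "network": {"android.permission.INTERNET"},
    "logs": {"android.permission.READ_LOGS"},
    "install": {"android.permission.INSTALL_PACKAGES",
                "android.permission.REQUEST_INSTALL_PACKAGES"},
}

PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")


def parse_permissions(aapt_text):
    """Return the set of permission names found in aapt dump output."""
    perms = set()
    for line in aapt_text.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def classify(perms):
    """Map declared permissions onto capability categories."""
    found = {}
    for cat, members in CAPABILITIES.items():
        hit = sorted(perms & members)
        if hit:
            found[cat] = hit
    return found


# Combinations that together enable a behaviour worth a human review.
# A single permission (e.g. INTERNET) is common in benign apps; it is the
# pairing with SMS or contact access that matches the Stels pattern.
COMBO_RULES = [
    ({"sms_access", "network"}, "can read incoming SMS (mTANs) and exfiltrate them"),
    ({"sms_access", "sms_send"}, "can intercept and forward or reply to SMS"),
    ({"contacts", "network"}, "can harvest and upload the contact list"),
    ({"phone_calls"}, "can place calls, including premium-rate numbers"),
    ({"install"}, "can install additional packages"),
]


def triage(aapt_text):
    """Parse, classify and evaluate the combination rules; return a report."""
    perms = parse_permissions(aapt_text)
    caps = classify(perms)
    present = set(caps)
    findings = [msg for needed, msg in COMBO_RULES if needed <= present]
    return {"permissions": sorted(perms), "capabilities": caps, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_AAPT_OUTPUT)
    for category, names in report["capabilities"].items():
        print(f"{category}: {', '.join(names)}")
    for finding in report["findings"]:
        print("FLAG:", finding)
```

Run it against real output by piping `aapt dump permissions app.apk` into `triage()`; an app that only declares VIBRATE or INTERNET produces no findings, while the constructed sample above trips four of the five rules.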