An Android Trojan that can start calls through the Google Talk feature on Android phones has been discovered. The malware, codenamed Android/Trojan.Pawost, is carried in a stopwatch app and uses Google Talk to place calls to unregistered numbers from the phone.
The Android Trojan starts doing its work as soon as users have installed the stopwatch app. After installation, the app shows a Google Talk icon in the smartphone’s notification area. There is no accompanying text on this icon, and the notification should be a sign to users that something fishy is going on behind the scenes. Users who see it should uninstall the app immediately.
If the app is left installed, after several minutes it starts to make calls to unknown and unregistered numbers through the Google Talk application. While Pawost is making these calls, the screen is entirely off, but in the background the CPU is awake and working.
The puzzling thing about the calls is that they are all directed to invalid numbers, and all the numbers called start with the same sequence, 1-259. If you leave the US prefix out, the number will not lead to any valid numbers. The area code itself, 259, is not assigned to any number in the US, which shows that the campaign might not be targeting any American numbers.
The app that carries the Pawost malware has a Chinese interface. The researchers therefore tried the Chinese prefix, +86, with the other part of the numbers, which led to a connection with valid numbers. All the numbers, however, were busy. It was clear then that the campaign was for Chinese users.
Pawost also has spying capabilities. The malware can collect data such as IMSI codes, IMEI numbers, CCID identifiers, phone numbers and some of the version details, and can compile a list of some of the apps installed on the device.
After harvesting the data, Pawost then encrypts it and sends it to a remote server. The Trojan is also capable of sending messages and blocking incoming ones. The researchers at Malwarebytes said they had discovered this functionality only later and not during any of their tests.
By the look of things at the moment, Pawost is an Android Trojan that is aimed at Chinese users and might be helping the crooks to make money after making calls to premium subscribers.