A new form of Android malware is using Google Talk to call mysterious Chinese phone numbers.
Nathan Collier, a senior malware intelligence analyst at Malwarebytes, explains that the malware “Android/Trojan.Pawost” causes a blank Google Talk icon to pop up in the device’s notification bar as soon as the malicious app is opened.
Some instances of Android malware masquerade as adult video players that install ransomware on unsuspecting users’ devices. Others disguise themselves as games.
In this case, Android/Trojan.Pawost infects a device disguised as a simple stopwatch app.
A couple of minutes after displaying the Google Talk icon, Pawost will begin calling a number with an area code of 259.
Collier explains that the location of phone numbers with this area code is something of a mystery:
“The area code 259 is unassigned to any region in the United States and considered to be invalid. It is also an unassigned area code for the country from which Pawost originates, China. According to computerhope.com, an incoming call from an unassigned area code means the phone number was likely caller ID spoofed; a trick often used by telemarketers/scammers to hide the originating phone number. An outgoing call to an unassigned phone number is a little more unusual.”
The researcher eventually decided to call the number using the country codes +1 (for the United States) and +86 (for China). While many of the phone numbers that used +1 proved invalid, most of the calls that used +86 placed a successful connection, leading Collier to believe that Pawost is a form of malware specific to Chinese users.
Even so, the researcher never spoke with another human being on the other end of the line. Each valid Chinese number produced only a busy signal.
Pawost will place an infected device into a “partial wake lock” whenever it places an outgoing call, which means the screen and keyboard back light turn off even though the CPU remains active. This allows the Android malware to continually place calls to phone numbers with the area code 259, as well as collect information about the device, encrypt it, and send it off to a remote site.
Any user who feels they might be affected by Pawost can terminate the malicious activity by uninstalling the offending app. They can complete that process manually or with the help of a mobile anti-virus app.
Collier also has some additional advice for users:
“When installing any app, always be aware of the permissions being granted before accepting the install. In this case, a stop watch app shouldn’t have a long list of permissions like calling, receiving/sending SMS messages, and other permissions way out of scope of it’s functionality.”
Remember: common sense is your friend when it comes to downloading apps. Ask yourself if the requested permissions make sense based upon the advertised functions of the app. If something doesn’t add up, look for an alternative app with a more reasonable list of permissions.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.