Take a hot shower and your bathroom mirror will get all fogged up; download a compromised Android app and you will get steamed. A rogue version of the Steamy Window Android app can install other apps, surf to sites, add bookmarks to the browser, and hijack text messaging, which can run up a big texting bill.
Both the legitimate and infected versions of Steamy Window can mimic a steamy effect on Android screens which you then can wipe off with your fingers. This hot app got a whole lot hotter after Chinese hackers injected a backdoor Trojan in a legitimate Steamy Window app and then re-released it into the wild.
Cybercriminals modified the free Steamy Window Android app with "Android.Pjapps." It is spreading via third-party Android app sites, which are unregulated by Google. Symantec said the aim of the malicious app is to build a botnet. When the signal strength of an infected Android device changes, the Trojanized version of the app attempts to connect to its command-and-control server.
Like other malicious apps described previously by F-Secure's Mikko Hypponen in a Black Hat presentation called "You will be billed $90,000 for this call," the infected Steamy Window app sends text messages to premium-rate phone numbers from which hackers can make commissions.
According to Symantec, the malicious version of Steamy Window "is able to install applications, navigate to websites, add bookmarks to your browser, send text messages, and optionally block text message responses." Infected versions of the app will monitor text messages and block SMS alerts from your carrier with warnings that you have exceeded your text quota. The resulting high texting bill would then come as a very unpleasant shock.
Since the app runs in the background, it can be difficult to determine if a user has a legitimate or malicious Steamy Window app after installation. The trick is to pay attention while the app is installing, since the malicious app will ask for excessive permissions.
The Android Marketplace has a Trojan-free version of Steamy Window, which was created by the developer Swiss Codemonkeys. Hackers tweaking legitimate apps to carry Trojans is not a new idea, and smartphones will continue to be targeted by mobile malware. Fortinet warned that 2011 would see an increase in cybercriminals recycling code and creating copy-and-paste malware.
NetQin Mobile reported capturing two new spyware programs which are circulating in the U.S. to infect Android smartphones. There are no icons after installation, so users may not be aware the spyware was installed. "SW.SecurePhone" and "SW.Qieting" spyware can cause "serious privacy leakage." SW.SecurePhone collects info from the SD card. "The data, including messages, call log, location of the phone, recorded sounds around the phone and pictures in the phone, will then be uploaded to a remote server every 20 minutes." SW.Qieting forwards the messages on infected Android phones. NetQin stressed the importance of monitoring all permission requests while installing any application, to be sure the app does not request more than its claimed features require.
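The permission check recommended above (watching for excessive requests at install time, and NetQin's advice to monitor all permission requests) can also be done before installation by comparing a repackaged copy against the known-good build. The following is an added example, not code from Symantec, NetQin or the app's developer. It assumes both manifests have already been decoded to text XML; the permission-to-behaviour mapping and the two sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: Android permission names matched to the behaviours the article
# quotes from Symantec and NetQin; the article itself names no permissions.
WHY_IT_MATTERS = {
    "android.permission.SEND_SMS": "send text messages, e.g. to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "intercept or block incoming text messages",
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.INSTALL_PACKAGES": "install other applications",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "add browser bookmarks",
    "android.permission.INTERNET": "reach a remote server",
    "android.permission.RECORD_AUDIO": "record sound around the phone",
    "android.permission.ACCESS_FINE_LOCATION": "report the phone's location",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names in a decoded AndroidManifest.xml."""
    # For manifests from untrusted APKs, a hardened parser such as defusedxml
    # is the safer choice; the samples below are constructed and trusted.
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def added_permissions(known_good_xml, suspect_xml):
    """Map each permission only the suspect copy requests to why it matters."""
    extra = requested_permissions(suspect_xml) - requested_permissions(known_good_xml)
    return {p: WHY_IT_MATTERS.get(p, "not requested by the known-good build")
            for p in sorted(extra)}

def _manifest(perms):
    # Constructed sample manifest; the package name is a placeholder.
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.steamy">{uses}<application/></manifest>')

KNOWN_GOOD = _manifest(["android.permission.VIBRATE"])
SUSPECT = _manifest([
    "android.permission.VIBRATE", "android.permission.INTERNET",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.INSTALL_PACKAGES",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
])

if __name__ == "__main__":
    for perm, why in added_permissions(KNOWN_GOOD, SUSPECT).items():
        print(f"{perm}: {why}")
```

An empty result only means the copy asks for nothing new; it does not prove the code inside is unchanged.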