There has been a lot of discussion regarding the impact of the Internet, social media, and even the availability of cheap cell phones on the uprisings in the Middle East. Three major themes from 2011 – mobile malware, hacktivism and the “Arab Spring” – have converged in a new threat dubbed Android.Arspam by Symantec. Based on our research, the malicious version was only distributed through forums focusing on Middle Eastern issues, utilizing the open nature of Android operating platforms to grow and spread the attack by means of ‘Hacktivism.’
Hacktivism is based on an activist agenda where there may be no visible monetary gain for the instigator. Instead, the overall goal is to send a message or get a point across. Even though, on occasion, the message may be something many will sympathize with, this doesn’t mean it’s a victimless crime. In many cases, the cost of getting an agenda across may involve using resources, and even people, without their consent.
“The Middle East has undoubtedly seen a rise in hacktivism and cybercrime in 2011, not only is it an emerging market that has great financial appeal for cybercriminals but the region plays host to an increasingly connected and mobile online community that offers great scope for those looking to exploit these devices to reach a wider audience. The ‘Arab Spring’ is just one of many trending topics that are attracting a higher volume of online traffic which is essentially where the low hanging fruits lie,” Bulent Teksoz, Chief Security Strategist, Emerging Markets, Symantec, said.
“In a way, this threat is a testament to the rise of Hacktivism. Attacks like Android.Arspam further offer Hacktivists and cybercriminals targeting this region an opportunity to test and develop their methods. It is of crucial importance that individuals and organizations secure themselves across all devices as these ‘gateway’ threats become more sophisticated and potentially harmful.”
The Android.Arspam Trojan was embedded into a pirated, popular Islamic compass app. The official version of the app, available on the Android Market, is not affected and, as the screenshot indicates, this pirated app contains expanded permissions beyond what is requested from the official one.
After the installation of the app, the code goes to work on device start up, silently working in the background as a service called “alArabiyyah”. It randomly picks one link from a list of eighteen and then sends out an SMS message to every contact in the address book of the compromised device, sending them a link to a forum site. Each forum site has identical content and appears to be a tribute to Mohamed Bouaziz.
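
The permission gap between the official and the pirated build can be checked mechanically. The following is an added example, not code from the original article or from Symantec: it diffs two decoded AndroidManifest.xml files and flags the boot, contacts and SMS combination that the behaviour described above would need. The manifests, the package name `com.example.compass` and the permission profile are constructed assumptions; only the service name comes from the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the described behaviour would need (inferred from the article's
# description; the article does not list the sample's actual permissions).
SMS_SPAM_PROFILE = {
    "android.permission.RECEIVE_BOOT_COMPLETED",  # start at device boot
    "android.permission.READ_CONTACTS",           # read the address book
    "android.permission.SEND_SMS",                # text every contact
}

# Constructed sample manifests (decoded XML); the package name is a placeholder.
OFFICIAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.compass">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.compass">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".Main"/>
    <service android:name=".alArabiyyah"/>
  </application>
</manifest>"""

def manifest_info(xml_text):
    """Return (permissions, services) declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = {e.get(ANDROID_NS + "name") for e in root.iter("service")}
    return perms, services

def compare(official_xml, candidate_xml):
    """Report what the candidate build declares beyond the official one."""
    off_perms, off_svcs = manifest_info(official_xml)
    cand_perms, cand_svcs = manifest_info(candidate_xml)
    added = cand_perms - off_perms
    return {
        "added_permissions": sorted(added),
        "added_services": sorted(cand_svcs - off_svcs),
        # Flag only if the full profile is present and part of it is new.
        "matches_sms_spam_profile": SMS_SPAM_PROFILE <= cand_perms
                                    and bool(added & SMS_SPAM_PROFILE),
    }

if __name__ == "__main__":
    print(compare(OFFICIAL, REPACKAGED))
```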