Android Trojan Waller Sends Premium SMSs, Steals Money from QIWI Wallets

Cybercriminals target QIWI Wallet users

SMS.AndroidOS.Waller.a is a piece of Android malware that’s designed to help cybercriminals make money in a couple of ways: by sending SMSs to premium-rate numbers and by stealing funds from QIWI wallets.

Experts from Kaspersky have analyzed the threat and have found that in addition to sending SMSs, it’s also designed to target the wallets of QIWI users. It’s worth noting that the Visa QIWI Wallet Android app, which allows users to make and receive payments and transfer money, has been downloaded by a total of between 1 and 5 million users.

After it infects a smartphone, Waller contacts its command and control (C&C) server located at Experts say the domain’s registrant is a French company, but the email account is with Yandex, a Russian company.

The C&C server can order the Trojan to check the balance of a QIWI account, send SMSs, open arbitrary web pages, download and install other malware, intercept text messages, and send spam to the victim’s contact list. The threat is also capable of updating itself.

In order to check the balance in the WIQI Wallet, the malware sends an SMS to 7494. The response message is intercepted and forwarded to the cybercriminals.

If there is money in the digital wallet, the cybercrooks can steal it by sending a message to 7494 with the wallet number they want to transfer funds to along with the amount they want to transfer. Kaspersky says fraudsters can steal up to $430 (€313) per day from compromised wallets.

Sending SMS messages to premium rate numbers is an efficient way for cybercriminals to make money. However, the scheme doesn’t work in every country. This is why they’ve designed their Trojan to target QIWI wallets.

QIWI is mainly used in Russia, but the service is also available in the US, Romania, Brazil, Belarus, Kazakhstan, Moldova and Jordan.

Currently, not too many Waller infections have been spotted in the wild, but experts say cybercriminals are increasingly relying on this piece of malware to make money.

The threat is being distributed via SMS spam, and on third-party app stores disguised as various types of applications, including media players, voice-changing software and even firmware.

In order to avoid having their phones infected with Waller, users are advised not to activate “developer mode” or the “install applications form third-party sources” options on their smartphones.

In addition, users are advised to install antivirus software on their devices, and only download apps from trusted sources.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s