SMS.AndroidOS.Waller.a is a piece of Android malware that’s designed to help cybercriminals make money in a couple of ways: by sending SMSs to premium-rate numbers and by stealing funds from QIWI wallets.
Experts have analyzed the threat and found that, in addition to sending SMSs, it’s also designed to target the wallets of QIWI users. It’s worth noting that the Visa QIWI Wallet, which allows users to make and receive payments and transfer money, has been downloaded by a total of between 1 and 5 million users.
After it infects a smartphone, Waller contacts its command and control (C&C) server located at playerhome.info. Experts say the domain’s registrant is a French company, but the email account is with Yandex, a Russian company.
The C&C server can order the Trojan to check the balance of a QIWI account, send SMSs, open arbitrary web pages, download and install other malware, intercept text messages, and send spam to the victim’s contact list. The threat is also capable of updating itself.
To check the balance in the QIWI Wallet, the malware sends an SMS to 7494. The response message is intercepted and forwarded to the cybercriminals.
If there is money in the digital wallet, the cybercrooks can steal it by sending a message to 7494 with the wallet number they want to transfer funds to along with the amount they want to transfer. Kaspersky says fraudsters can steal up to $430 (€313) per day from compromised wallets.
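The behaviour described above can be hunted for in device telemetry. The following is an added example, not code from the analysis the article reports: it correlates an app outside an allowlist sending SMS to 7494, the reply being consumed by that same app, and DNS lookups of playerhome.info. The event format, the package names, the `consumed_by` field and the 10-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WALLET_NUMBER = "7494"                 # SMS number named in the article
C2_DOMAIN = "playerhome.info"          # C&C domain named in the article
WINDOW = timedelta(minutes=10)         # assumed correlation window
ALLOWED_SMS_SENDERS = {"com.example.messaging"}  # hypothetical allowlist

# Constructed telemetry; the event format and package names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "device": "A", "type": "sms_out",
     "app": "com.example.game", "to": "7494"},
    {"ts": "2024-01-01T10:00:20", "device": "A", "type": "sms_in",
     "from": "7494", "consumed_by": "com.example.game"},
    {"ts": "2024-01-01T10:00:25", "device": "A", "type": "dns",
     "app": "com.example.game", "query": "PlayerHome.info."},
    {"ts": "2024-01-01T11:00:00", "device": "B", "type": "sms_out",
     "app": "com.example.messaging", "to": "7494"},
    {"ts": "2024-01-01T11:05:00", "device": "C", "type": "dns",
     "app": "com.example.browser", "query": "example.org"},
]

def find_waller_like_activity(events):
    """Return {device: sorted reasons} for devices matching the described behaviour."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = {}
    for device, evs in by_device.items():
        reasons = set()
        for e in evs:
            if e["type"] == "dns":
                name = e["query"].lower().rstrip(".")
                if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
                    reasons.add("c2_lookup")
            if e["type"] != "sms_out" or e["to"] != WALLET_NUMBER:
                continue
            if e["app"] in ALLOWED_SMS_SENDERS:
                continue  # user-driven SMS from the expected messaging app
            reasons.add("unexpected_sender_to_7494")
            # A reply from 7494 consumed by the sending app never reaches the inbox.
            for r in evs:
                if (r["type"] == "sms_in" and r.get("from") == WALLET_NUMBER
                        and r.get("consumed_by") == e["app"]
                        and timedelta(0) <= r["ts"] - e["ts"] <= WINDOW):
                    reasons.add("reply_intercepted")
        if reasons:
            findings[device] = sorted(reasons)
    return findings
```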
Sending SMS messages to premium rate numbers is an efficient way for cybercriminals to make money. However, the scheme doesn’t work in every country. This is why they’ve designed their Trojan to target QIWI wallets.
Currently, not too many Waller infections have been spotted in the wild, but experts say cybercriminals are increasingly relying on this piece of malware to make money.