If you use an Android phone, be on the lookout for a new malware app that can rack up thousands of dollars in charges on your cell phone bill without you even knowing about it.
This app is a new kind of threat, one that spreads itself via a slightly altered version of a popular app called “Steamy Window.” Steamy Window is a simple app that turns your Android phone into a virtual “shower door,” allowing you to use your finger to wipe off the steam and see your homescreens underneath. However, the malicious Steamy Window can do a lot more: install other malware, add bookmarks to your browser, and even send massive amounts of text messages and then block any responses so you are none the wiser.
Since not everyone has an unlimited text plan, thousands of text messages can create a large bill very quickly, making this one of the nastiest pieces of mobile phone malware that’s gone around. Changing your ringtone to Rick Astley is nothing compared to a thousand-dollar cell phone bill.
Malicious Steamy Window is spreading via unauthorized third-party app marketplaces, so it’s still safe to get this app through the Android Market. Just to be safe, you can double-check that the correct version of the app is being installed by verifying the requested permissions when you are installing the app. See the screenshots below and notice the differences:
The malicious app requests permissions to send and receive SMS messages, as well as access your browser’s history and bookmarks. A simple game would never request these permissions, and that should be a red flag right away. Android users should always check this permissions screen before installing an app to make sure that what they are agreeing to install does not ask for unreasonable permissions. A texting app like Handcent should ask for permission to send texts; a game or novelty app definitely should not.
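The permission comparison described above can be automated. The sketch below is an added example, not code from the article or from Norton: it parses the text printed by `aapt dump permissions <apk>` for a trusted release and for a sideloaded copy, then reports which permissions were added and which are out of place for the app's category. The mapping of "send and receive SMS" and "browser history and bookmarks" to specific permission strings, the category policy, and the sample input are assumptions.

```python
import re

# Permission strings assumed to match the capabilities the article describes.
SMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
BROWSER = {"com.android.browser.permission.READ_HISTORY_BOOKMARKS",
           "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"}
SENSITIVE = SMS | BROWSER

# Hypothetical policy: sensitive permissions each app category plausibly needs.
ALLOWED_FOR = {"messaging": SMS, "browser": BROWSER, "novelty": set(), "game": set()}

# Matches both aapt line styles: "uses-permission: X" and "uses-permission: name='X'".
_PERM = re.compile(r"^\s*uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the set of permission names in `aapt dump permissions` text."""
    matches = (_PERM.match(line) for line in aapt_output.splitlines())
    return {m.group(1) for m in matches if m}

def audit(category, trusted_output, candidate_output):
    """Compare a sideloaded copy with the trusted release of the same app."""
    trusted = parse_permissions(trusted_output)
    candidate = parse_permissions(candidate_output)
    # Unknown categories are allowed no sensitive permissions by default.
    allowed = ALLOWED_FOR.get(category, set())
    flagged = sorted((candidate & SENSITIVE) - allowed)
    return {"added": sorted(candidate - trusted), "flagged": flagged,
            "suspicious": bool(flagged)}

# Constructed sample input (placeholder package name, not real app data).
TRUSTED = """package: com.example.novelty
uses-permission: name='android.permission.VIBRATE'
"""
CANDIDATE = """package: com.example.novelty
uses-permission: android.permission.VIBRATE
uses-permission: android.permission.INTERNET
uses-permission: android.permission.SEND_SMS
uses-permission: android.permission.RECEIVE_SMS
uses-permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
uses-permission: com.android.browser.permission.WRITE_HISTORY_BOOKMARKS
"""

if __name__ == "__main__":
    print(audit("novelty", TRUSTED, CANDIDATE))
```

The same candidate audited as a "messaging" app would still be flagged for the browser permissions, which is the point of judging permissions against what the app is supposed to do.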
A press release from Norton on the situation had some tips on security for mobile users:

To avoid becoming a victim of these types of Android applications, Norton recommends users:
  • Only use regulated Android marketplaces for downloading and installing Android apps.
  • During the installation of Android apps, always check the access permissions being requested for installation; if they seem excessive for what the application is designed to do, it would be wise to not install the application.
  • Utilize a mobile security solution on devices to ensure any downloaded apps are not malicious.

This issue just goes to show that smartphones are the new PCs, and that you should take the same precautions when installing mobile apps as you do when installing apps on Windows or Mac OS.