A recently discovered piece of Android malware may be generating thousands of dollars a day for its creator. RootSmart, first documented last week by North Carolina State University professor Xuxian Jiang, is estimated to affect between 10,000 and 30,000 phones on any given day. The malware, mostly found on Chinese phones, works by using GingerBreak, a tool that gives users root access to Android 2.3 Gingerbread. When the malware is downloaded as part of an otherwise legitimate-seeming app on an unofficial Android market, it calls back to a remote server and downloads GingerBreak, escalating its privileges and collecting information from the phone. From there, it can operate as part of a larger botnet, generating money by having phones send messages or make calls to premium telephone numbers.
So far, Symantec says RootSmart almost exclusively generates revenue from customers of two Chinese mobile networks, to the point of ignoring infected phones outside them. Based on files recovered from some devices, it's been running since September 2011. For users outside China, the malware isn't a problem, especially because it's not part of any app on the official Android Market. However, there's no reason it couldn't be bundled with another app or changed to focus on international users. On the official market, Google's Bouncer service may be able to catch this kind of threat. But as we've seen before, even vetted apps aren't necessarily safe.