Mutating Android trojan changes form whenever it's downloaded

In what could be an interesting case for Dr Who, Symantec has warned of a mutating Android trojan.

The company has found a new premium-rate SMS Android trojan that modifies its code every time it gets downloaded. This means that it can bypass antivirus detection.

It uses a technique known as server-side polymorphism and it has existed peacefully in the world of desktop malware for many years. Now, it seems that something in the mobile world has woken it up and reversing the polarity of the neutron flow does not seem to work.

According to Symantec, a special mechanism runs on the distribution server which modifies certain parts of the trojan to ensure that every malicious app that gets downloaded is unique.

This is not the same as local polymorphism where the malware modifies its own code, nor is it the same as a polymorphic ring tone.

So far, Symantec has seen several variants of the trojan which it calls Android.Opfake. All of them have come from Russian websites and it is believed that they had slumbered in the Siberian ice only to be awoken when a meteorite plummeted to earth .

The malware contains instructions to automatically send SMS messages to premium-rate numbers from a large number of European and former Soviet Union countries.

Writing in his bog, Vikram Thakur, the principal security response manager at Symantec, said that more complicated polymorphism requires more intelligent countermeasures and, we guess, when you deal with them it is really important not to blink.