As USA Today reporter Byron Acohido explains in this video, users should notice a few red flags during the installation process. First, the download does not come from the Android Market Place. Second, the installation instructions require the user to grant the application permissions that a real game would have no need for (such as sending SMS messages to your contact list). The instructions claim that such manual permission-setting is required because the game is a “beta” version.
Once installed, the malware uses your phone (and your data and texting plans) to send spam texts to your contacts. If you don’t have an unlimited texting plan, you might be in for an unpleasant surprise when your next phone bill arrives.
It’s important to note, however, that this malware doesn’t exploit any technical flaws in the mobile Android operating system. Like many successful malware attacks, it relies on social engineering to get users to behave in a certain manner (in this case, getting victims to grant access to the phone’s texting abilities by playing on people’s desire to get free games).
Social engineering represents a formidable threat to IT security, since no amount of technical fixes or “patches” can prevent humans from, say, divulging a password over the phone to someone claiming to be from their company’s technical support department.
The only way to protect yourself and your company from attacks that rely on social engineering is to have a comprehensive “Acceptable Use Policy” in place, educate your employees about it, and enforce it rigorously.