The cloned versions of the app found on unofficial sites contain code that unlocked anti-Obama messages on July 4, the United States’ Independence Day. It is believed the attack is part of protests against the US government’s surveillance programmes, revealed this month.
According to Irfan Asrar, a McAfee researcher, the programme initially appeared to do everything that the official app did.
A timer set in the extra code changed the app’s wallpaper from Jay-Z and the album’s artwork to that of President Barack Obama wearing headphones. Above his image were the words “Yes we scan”, which are believed to refer to the NSA’s PRISM scanning system. It also plays on Obama’s campaign slogan “Yes we can”.
“The image and the service name NSAListener suggest a hacktivist agenda,” said Asrar in a blog, “but we haven't ruled out the possibility that additional malware may target financial transactions or other data.”
However, Asrar said the code added to the version copied and then sent the information to a control and command server every time the phone was restarted. After it made contact it tried to download extra code that included anti-government images and messages.
Asrar warned people to avoid downloading apps from unofficial sources and ensure security software is kept up to date.