The Trojan was first spotted in February 2013 and over a dozen new versions have been released since then.
The first variants were only designed to send SMSs to premium rate numbers in Russia. However, cybercriminals kept adding more and more countries to the list, until they reached 66.
While most of the infections have been observed in Russia and Canada, countries like the US, Germany, Lithuania, France, Finland, Norway, Ukraine, the UK, Malaysia, Hungary, Switzerland, Indonesia, Spain, Israel, Portugal, Ireland, China, the Czech Republic, the Netherlands, New Zealand, and Brazil are also impacted.
Cybercriminals distribute the Trojan by disguising it as an app that allegedly allows users to access adult videos.
The configuration file contains a list of phone numbers and prefixes. Based on the victim’s location, messages are sent from the infected devices to premium rate numbers. For each message, victims are charged around $2 (€1.5).
In addition to sending SMSs, the malware is also capable of intercepting incoming text messages.
Experts believe the threat has been developed by Russian-speaking cybercriminals.