The massive Cutwail botnet has been pushing out spam containing malicious links in an attempt to spread Android malware, marking a significant milestone in the evolution of the mobile threat, security researchers have warned.

Dell SecureWorks discovered the new ‘Stels Trojan’, which can steal users’ contacts, text messages, install additional malware and make calls. Its delivery method is particularly rare for an Android threat – traditionally attackers have used official and unofficial app stores to push malware, disguised as legitimate apps.

BotnetCutwail spam often contains links to Trojans aimed at Windows PCs. It sends messages designed to trick users into clicking on links to sites that launch the prevalent Blackhole exploit kit. This tool looks for vulnerabilities on the user’s system to exploit, before uploading malware onto the victim’s machine.

In this particular campaign, using a PHP script, the attackers will detect whether the user is running Android. If so, the infected site displays a fake Adobe Flash Player update, which, if clicked on, will launch the Stells executable, prompting the user to download the malware.

The user has to enable the “Unknown Sources (Allow installation of non-Market applications)” option in their phone’s security settings before the malware can infect the device.

Once on the user’s phone, it will load up a Flash icon in the apps menu, with the name APPNAME. If launched, the Stels trojan displays a fake error message reading: “Your Android version does not support this update! Setup is canceled.” It then deletes the Flash icon from the apps menu.

All the while, the Android malware is siphoning off user data, monitoring SMS messages to potentially pick up special bank authentication codes known as mTANs, and allowing the attackers to play around on the phone by uninstalling apps and making calls. All this is done at the behest of those running the Stels command and control infrastructure.