[Material] Malicious Android file disguised as a Hello Kitty desktop application.

1. Introduction

Found in March 2011, this malicious file is a repackaged version of an existing wallpaper application with malicious functions added.
This malicious application is a variant of the malware known as "ADRD", which we have referred to in the past, and like most wallpaper applications it remains on the user's smartphone without an icon.
As a result, the user cannot tell what the malicious application is doing on the smartphone.


2. Spreading path and symptoms of infection

* Comparison against original application

Repackaged malicious applications of this kind spread via black markets and third-party markets, and they show a permission request screen on installation.

The following figure shows the permissions the application declares.

* Permission explanation

- android.permission.WRITE_APN_SETTINGS
-> Permission to change APN settings
- android.permission.RECEIVE_BOOT_COMPLETED
-> Permission to run a background task after reboot
- android.permission.ACCESS_NETWORK_STATE
-> Permission to access the network state
- android.permission.READ_PHONE_STATE
-> Permission to obtain smartphone information
- android.permission.WRITE_EXTERNAL_STORAGE
-> Permission to write data to the SD card
- android.permission.INTERNET
-> Permission to use the internet
- android.permission.MODIFY_PHONE_STATE
-> Permission to modify smartphone information

This malicious application requires Android 2.1 or higher. It has no launcher icon after installation. The original application, by contrast, does not ask for permissions, as the following image shows.

However, if you go to the "Applications" menu, you can see the icon for the wallpaper application. Both the original and the tampered applications use the same icon.
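One way to run the original-versus-repackaged comparison described above on decoded AndroidManifest.xml text. This is an added example, not code from the sample or from INCA Internet; the manifests, package name and component names are constructed, and the input is assumed to be already decoded from the APK's binary XML.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions this article lists for the repackaged wallpaper sample.
REPORTED = {"android.permission." + p for p in (
    "WRITE_APN_SETTINGS", "RECEIVE_BOOT_COMPLETED", "ACCESS_NETWORK_STATE",
    "READ_PHONE_STATE", "WRITE_EXTERNAL_STORAGE", "INTERNET", "MODIFY_PHONE_STATE")}

def manifest_facts(xml_text):
    """Extract permissions, launcher-icon presence and boot autostart from a decoded manifest."""
    root = ET.fromstring(xml_text)
    names = lambda nodes: {n.get(A + "name") for n in nodes}
    receiver_actions = {a.get(A + "name") for r in root.iter("receiver") for a in r.iter("action")}
    return {
        "permissions": names(root.iter("uses-permission")),
        "launcher_icon": "android.intent.category.LAUNCHER" in names(root.iter("category")),
        "boot_receiver": "android.intent.action.BOOT_COMPLETED" in receiver_actions,
    }

def compare(original_xml, suspect_xml):
    """Report what a suspect build declares beyond the original application."""
    orig, sus = manifest_facts(original_xml), manifest_facts(suspect_xml)
    added = sus["permissions"] - orig["permissions"]
    return {
        "added_permissions": sorted(added),
        "listed_in_article": sorted(added & REPORTED),
        "new_boot_receiver": sus["boot_receiver"] and not orig["boot_receiver"],
        "launcher_icon": sus["launcher_icon"],
    }

# Constructed sample manifests (package and component names are made up).
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <application>
    <service android:name=".Wallpaper" android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter><action android:name="android.service.wallpaper.WallpaperService"/></intent-filter>
    </service>
  </application>
</manifest>"""
SUSPECT = ORIGINAL.replace("<application>",
    "".join(f'<uses-permission android:name="{p}"/>' for p in sorted(REPORTED))
    + '<application><receiver android:name=".BootReceiver"><intent-filter>'
      '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
      '</intent-filter></receiver>')

if __name__ == "__main__":
    for key, value in compare(ORIGINAL, SUSPECT).items():
        print(f"{key}: {value}")
```

A missing launcher icon is normal for a wallpaper application, so the signal here is the added permissions and the new boot receiver, not the absent icon.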



The following file trees show the differences between the original and tampered applications.

* Detailed analysis of symptoms

After being downloaded and installed, this malicious application tries to steal IMEI and IMSI information with the following code.

The collected information has also been confirmed to be sent periodically to a certain external site by means of AlarmManager.

Analysis of additional symptoms, such as access to a C&C server, is still in progress, so we will update this information once the analysis is complete.

This malicious application differs from the previous malicious application known as ADRD in how it tries to download additional files: it attempts the download after referring to the external access site URL and a specific variable through the DES algorithm.

The following figure shows the encryption code that uses the DES algorithm.

In addition, this malicious application contains code that configures the APN through CMWAP and UNIWAP and checks those settings, so it can be presumed to target Chinese users.

The following image shows the CMWAP and UNIWAP settings and part of the related checking code.

These malicious functions run in the system background and are set to start automatically on reboot.

The following images are the same for both this malicious application and the original application.

3. How to prevent

Recently, malicious applications of this kind have been trying to infect smartphones with various techniques such as "Repackaging", "Double packaging", and "Try rooting". In addition, as mentioned above, many malicious applications leave no icon. In such cases, it is very difficult for an ordinary user to tell what is going on in the smartphone.

To use smartphones safely despite the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.
Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep it updated with the latest engine, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above with nProtect Mobile for Android, and runs a response system against various security threats.

[Status of nProtect Mobile for Android diagnosis]