[Warning] Malicious Android application disguised as the Chinese "QQ Game" identified

1. Introduction

Malicious Android applications are growing rapidly, and the security threat to smartphones keeps increasing.
The most widely used technique for producing a malicious application is "repackaging": injecting malicious functionality into a normal application and rebuilding it.
Recently, "double packaging", in which the repackaged application carries a further malicious APK file inside itself, has been found in the wild.
In this post we analyse a repackaged QQ Game that uses double packaging and look at how to protect against this kind of malicious application.

2. Distribution path and symptoms of infection

* Malicious applications built by repackaging a normal application

A malicious application produced by adding malicious behaviour to a normal application and repackaging it is typically distributed through the Android Market, black markets and third-party markets.

At install time this malicious application requests the following permissions from the smartphone, as shown in the image below.

* Permission explanations

- android:name="android.permission.ACCESS_NETWORK_STATE"
-> Read the state of network connections, e.g. check whether Wi-Fi is on
- android:name="android.permission.INTERNET"
-> Open network connections to external web sites
- android:name="android.permission.VIBRATE"
-> Control the vibrator

Once the permission request is accepted and installation completes, the main screen of "QQ Game" appears as in the image below.

After installation the malicious application also uses the same icon as the genuine application.

<QQ game icon>

Once installed, the application prepares to install an additional malicious APK file using code embedded in it. That additional APK is carried inside the "QQ Game" package that has already been installed.
The file names can be seen in the image below.

The two red boxes in the figure above mark two files: an APK and an ELF binary (busybox, stored in compressed form).
The APK file is a malicious application carrying the additional malicious functionality; the ELF file is a Linux executable that supports the rooting commands used by the malware.

The installed malicious application declares these resources in a separate part of its code, as shown in the following image.

In the image above, the "rageagainstthecage" file is a rooting exploit; it is described further in the next section. Using the resources above, the malicious application renames the "anserverb" file to "xxx.apk" with the following code.

It then performs additional work to install the "xxx.apk" file. If you have followed this far, you can probably guess what that "additional course of action" is.

"An additional course of action" means rooting the device. Rooting and installing the "xxx.apk" file are done with the following code.

* Code for decompression, the rooting-related tasks, and installation of the additional APK file

In the figure above, "anserverb", which is renamed to "SMSApp.apk", and "xxx.apk" have the same resource contents in the code, so they are the same file.

As the image above shows, the rooting-related code only works on Android 2.2 (API level 8) or earlier.

You can see that "xxx.apk" has already been installed. In this case the user is never shown its permission request screen: because the second APK is installed with the root privileges obtained above rather than through the normal installer, the consent prompt that a double packaged file would otherwise trigger never appears.

* The additional malicious application carried inside the repackaged game

The following image shows the permissions requested by the additionally installed malicious application.

* Permission explanations

 - android:name="android.permission.WRITE_SMS"
 -> Write SMS messages
 - android:name="android.permission.RECEIVE_BOOT_COMPLETED"
 -> Start automatically after the device boots
 - android:name="android.permission.VIBRATE"
 -> Control the vibrator
 - android:name="android.permission.READ_SMS"
 -> Read SMS messages
 - android:name="android.permission.RECEIVE_SMS"
 -> Receive (and intercept) incoming SMS messages
 - android:name="android.permission.SEND_SMS"
 -> Send SMS messages
 - android:name="android.permission.READ_PHONE_STATE"
 -> Read phone state and identity (e.g. IMEI, phone number)
 - android:name="android.permission.DISABLE_KEYGUARD"
 -> Disable the keyguard (lock screen)
 - android:name="android.permission.READ_CONTACTS"
 -> Read contacts
 - android:name="android.permission.WRITE_CONTACTS"
 -> Write contacts
 - android:name="android.permission.INTERNET"
 -> Access the Internet
 - android:name="android.permission.ACCESS_NETWORK_STATE"
 -> Read the state of network connections
 - android:name="android.permission.CALL_PHONE"
 -> Place phone calls without user confirmation
 - android:name="android.permission.WAKE_LOCK"
 -> Keep the processor or screen awake (device power setting)
 - android:name="android.permission.RESTART_PACKAGES"
 -> Kill and restart other packages
 - android:name="android.permission.WRITE_APN_SETTINGS"
 -> Modify the APN settings used for data connections

The additional malicious application can collect and send SMS messages, steal contacts, phone information and information about the applications being executed. It can also interfere with the running of specific applications after installation, through the following code.

Although this malicious application has no icon of its own, it can still be identified in the "Manage applications" section of the settings.
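As an added example (not code from the original post or from INCA Internet), the following Python script shows how an analyst can triage an APK for the double-packaging pattern described in this section: it looks for a second ZIP/APK and for ELF or gzip-packed binaries hidden among the assets, recurses into the embedded APK, and lists the permissions the inner application declares beyond those the outer game ever showed the user, which is exactly the gap between the three permissions of the game and the long list of the second stage above. The sample APKs are constructed in memory; entry names such as assets/anserverb follow the post's description, but the bytes are not the real malware. The manifests are assumed to be plain-text XML, whereas a real APK stores AndroidManifest.xml as binary AXML that must first be decoded (for example with apktool or androguard) before this parser can read it.

```python
"""Static triage of a 'double packaged' Android APK (added example)."""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b"
JNI_LIB_PREFIX = "lib/"  # the only place a legitimate APK normally ships ELF binaries

# Assumes a decoded, text AndroidManifest.xml (real APKs store binary AXML).
PERM_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')


def declared_permissions(apk_bytes):
    """Permissions declared in the (text) AndroidManifest.xml inside an APK/ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
            if "AndroidManifest.xml" not in z.namelist():
                return set()
            manifest = z.read("AndroidManifest.xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return set()
    return set(PERM_RE.findall(manifest))


def find_embedded_payloads(apk_bytes):
    """Return (entry_name, kind) for payloads that do not belong in a plain APK:
    'zip'  - a nested ZIP/APK anywhere outside META-INF (e.g. assets/anserverb),
    'gzip' - a gzip-compressed blob (e.g. a packed busybox),
    'elf'  - a native executable outside lib/, where JNI libraries normally live."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as f:
                head = f.read(4)  # only the magic bytes are needed
            name = info.filename
            if head.startswith(ZIP_MAGIC) and not name.startswith("META-INF/"):
                found.append((name, "zip"))
            elif head.startswith(GZIP_MAGIC):
                found.append((name, "gzip"))
            elif head.startswith(ELF_MAGIC) and not name.startswith(JNI_LIB_PREFIX):
                found.append((name, "elf"))
    return found


def triage(apk_bytes):
    """Scan the outer APK, recurse into every embedded ZIP, and report the
    permissions the inner APK(s) declare that the outer APK never requested."""
    outer_perms = declared_permissions(apk_bytes)
    payloads = find_embedded_payloads(apk_bytes)
    hidden = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name, kind in payloads:
            if kind == "zip":
                hidden |= declared_permissions(z.read(name)) - outer_perms
    return {"payloads": payloads,
            "outer_permissions": outer_perms,
            "hidden_permissions": hidden}


# --- constructed sample data (not the real malware) -------------------------
def _apk(entries):
    """Build an in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def _manifest(perms):
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f"{body}</manifest>")


OUTER_PERMS = ["android.permission.ACCESS_NETWORK_STATE",
               "android.permission.INTERNET", "android.permission.VIBRATE"]
INNER_PERMS = ["android.permission.INTERNET", "android.permission.READ_SMS",
               "android.permission.SEND_SMS", "android.permission.RECEIVE_BOOT_COMPLETED"]

INNER_APK = _apk({"AndroidManifest.xml": _manifest(INNER_PERMS),
                  "classes.dex": b"dex\n035\0"})
OUTER_APK = _apk({
    "AndroidManifest.xml": _manifest(OUTER_PERMS),
    "classes.dex": b"dex\n035\0",
    "assets/anserverb": INNER_APK,                                  # nested APK, no .apk suffix
    "assets/busybox_stub": ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 9,  # fake ELF header
    "lib/armeabi/libgame.so": ELF_MAGIC + b"\0" * 12,               # legitimate JNI location
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})

if __name__ == "__main__":
    report = triage(OUTER_APK)
    for name, kind in report["payloads"]:
        print(f"embedded {kind:4s} -> {name}")
    print("permissions hidden from the user:", sorted(report["hidden_permissions"]))
```

The `hidden_permissions` set is the signal worth alerting on: an outer game that asks for network access and vibration while the APK it carries asks for SMS and boot persistence is the double-packaging profile described above, and it is visible without running the sample or needing the rooting exploit to succeed.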

3. How to prevent

This malicious game application was designed to target users in China, which is why no damage outside China has been reported. However, because applications from other regions are easy to install on a smartphone, this kind of malicious application remains a threat elsewhere as well. Moreover, a malicious application that uses repackaging and double packaging can install further malicious applications by stealth.

To use a smartphone safely in the face of these threats, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep real-time detection enabled.
2. Only download applications that have been proven by many users.
3. Do not store important information on the phone.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as the one described above through nProtect Mobile for Android, and operates a response system against various security threats.

As of June 6, 2011, the INCA Internet security response team has detected 8 further new malicious files for Android and has completed the corresponding updates.

