
6/07/2011

[Warning] Malicious application identified disguised as an Android QQ game from China

1. Introduction

Recently, malicious Android applications have been growing rapidly and smartphone security threats are getting bigger.
The most widely used technique for producing a malicious application is "repackaging": injecting malicious functionality into a normal application.
Nowadays, "double packaging", in which the repackaged file itself carries an additional malicious APK file, is being found widely.
In this post we examine a repackaged QQ game, study a malicious application that uses the double packaging technique, and look at how to protect against such applications.

2. Spreading path and symptoms of infection

* Malicious application: a repackaged version of a normal application

This malicious application, made by adding malicious behavior to a normal application and repackaging it, can be spread via the Android Market, black markets and third-party markets.

 
This malicious application requests the following smartphone permissions at install time, as shown in the image below.



* Permission explanations

- android:name="android.permission.ACCESS_NETWORK_STATE"
  -> Permission to check network state, e.g. whether WiFi is on
- android:name="android.permission.INTERNET"
  -> Permission to connect to external web sites
- android:name="android.permission.VIBRATE"
  -> Permission to control vibration



After the permission request is accepted and installation completes, you can see the main screen of "QQ Game" as in the following image.


After installation, the malicious application also shows the same icon as the normal application.





<QQ game icon>



When installation is complete, the application prepares to install an additional malicious APK file using code inside itself. This additional malicious APK file is included in the "QQ game" that was already installed.
See the image below for the file names.



The two red boxes in the figure above mark an APK file and an ELF file (busybox, in compressed form).
The APK file is a malicious application containing additional malicious functions; the ELF file is a Linux binary that helps carry out the rooting commands used for the malicious behavior.

The installed malicious application declares these resources separately in its code, as shown in the following image.


In the image above, the "rageagainstthecage" file is used for rooting; more on that in the next section. Referring to the resources above, the malicious application renames the "anserverb" file to "xxx.apk" with the following code.



In addition, further work is performed to install the "xxx.apk" file. If you have followed this far, you may already guess what this "additional course of action" is.

"An additional course of action" means rooting. The application roots the device and installs the "xxx.apk" file with the following code.



* Decompression, the rooting-related tasks, and the code that installs the additional APK file



In the figure above, the "anserverb" file renamed to "SMSApp.apk" and "xxx.apk" refer to the same resource contents in the code itself, so you can see that they are the same file.





Of course, as described in the image above, the rooting-related task works only on Android SDK version 2.2 or earlier.

You can see that "xxx.apk" has already been installed, but in this case the permission request screen is not shown, as we said earlier about the double packaged file.
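As an added defensive example (not the blog's or INCA's code), the following Python scans an APK for the double-packaging layout described above: an extension-less second APK and an ELF binary stored in the package's resources. The sample APK it inspects is constructed in the block itself with placeholder contents; the directory names searched and the magic bytes are assumptions, only the file names come from the post.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens a ZIP/APK archive
ELF_MAGIC = b"\x7fELF"     # Linux executable (e.g. busybox or a root exploit)
# Where a repackaged app can stash arbitrary files (assumption: assets/, res/raw/).
PAYLOAD_DIRS = ("assets/", "res/raw/")

def classify_blob(data):
    """Return 'apk', 'zip' or 'elf' for an embedded file, else None."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return "zip"
    # An APK is a ZIP that carries a manifest and Dalvik bytecode.
    return "apk" if {"AndroidManifest.xml", "classes.dex"} <= names else "zip"

def scan_apk(apk_bytes):
    """List (path, kind) for nested APKs and ELF binaries hidden in an APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.filename.startswith(PAYLOAD_DIRS):
                kind = classify_blob(apk.read(info.filename))
                if kind in ("apk", "elf"):
                    findings.append((info.filename, kind))
    return findings

def mini_apk(extra):
    """Build a tiny APK-shaped ZIP (constructed fixture, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # real one is binary XML
        z.writestr("classes.dex", b"dex\n035\x00")
        for name, blob in extra.items():
            z.writestr(name, blob)
    return buf.getvalue()

def build_sample():
    """Outer 'game' APK carrying a second-stage APK and an ELF, as in the post."""
    return mini_apk({
        "assets/anserverb": mini_apk({}),  # extension-less nested APK
        "assets/rageagainstthecage": ELF_MAGIC + b"\x01\x01\x01" + bytes(40),
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n",
    })
```

Run `scan_apk(open("suspect.apk", "rb").read())` on a real package; any "apk" or "elf" hit under assets/ is worth manual review because legitimate games rarely ship a second installable package.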

* Another malicious application contained within the additional malicious application



The following image is the permission request screen of the additionally installed malicious application.



* Permission explanations

- android:name="android.permission.WRITE_SMS"
  -> Permission to write SMS
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
  -> Permission to start automatically on boot
- android:name="android.permission.VIBRATE"
  -> Permission to control vibration
- android:name="android.permission.READ_SMS"
  -> Permission to read SMS
- android:name="android.permission.RECEIVE_SMS"
  -> Permission to receive SMS
- android:name="android.permission.SEND_SMS"
  -> Permission to send SMS
- android:name="android.permission.READ_PHONE_STATE"
  -> Permission to read phone information
- android:name="android.permission.DISABLE_KEYGUARD"
  -> Permission to disable the keyguard
- android:name="android.permission.READ_CONTACTS"
  -> Permission to read contacts
- android:name="android.permission.WRITE_CONTACTS"
  -> Permission to write contacts
- android:name="android.permission.INTERNET"
  -> Permission to access the internet
- android:name="android.permission.ACCESS_NETWORK_STATE"
  -> Permission to check network state
- android:name="android.permission.CALL_PHONE"
  -> Permission to make phone calls
- android:name="android.permission.WAKE_LOCK"
  -> Permission to control device power settings
- android:name="android.permission.RESTART_PACKAGES"
  -> Permission to quit and restart packages
- android:name="android.permission.WRITE_APN_SETTINGS"
  -> Permission to change APN settings for connectivity



The additional malicious application can collect and send SMS messages and steal contacts, phone information, and information about the applications being executed. It can also interfere with the running of specific applications through the following code after installation.



Even though this malicious application has no icon of its own, it can be identified by viewing the "Application management" section.



3. How to prevent

This malicious game application was designed to target users in China, which is why no damage outside China has been reported. Because of the nature of smartphone applications, installing applications from overseas is relatively easy, so the possibility of this kind of malicious application emerging elsewhere remains a threat. Also, a malicious application that uses repackaging and double packaging can install further malicious applications by stealth.

To use a smartphone safely against the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use the real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Do not store important information on the phone.


INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for malicious files such as the one described above through nProtect Mobile for Android, and runs a response system against various security threats.


On June 6, 2011, the INCA Internet Security Response Team detected 8 other new malicious files for Android and has finished updating for them so far.
