The most widely used technique for producing a malicious application is "repackaging": injecting malicious functionality into a normal application and redistributing it.
More recently, "double packaging" has also become common: the repackaged application carries a further malicious APK file inside it, which it installs later.
This article examines a repackaged version of the "QQ Game" application that uses double packaging, and uses it to discuss how to prevent infection by this kind of malicious application.
2. Spreading path and symptoms of infection
* Malicious application: a repackaged version of a normal application
A malicious application built by adding malicious behaviour to a normal application and repackaging it can be spread through the official Android market, black markets and third-party markets alike.
At install time the malicious application requests device permissions, as shown in the following image.
Once the permission request is accepted and installation completes, the main screen of "QQ Game" appears as in the following image.
After installation the malicious application also uses the same icon as the normal application.
<QQ game icon>
When installation is complete, the application's own code prepares to install an additional malicious APK file. This additional APK is bundled inside the already installed "QQ Game" package.
The file names can be seen in the image below.
The two red boxes in the figure mark an APK file and an ELF file (busybox, stored in compressed form).
The APK file is a malicious application carrying additional malicious functions; the ELF file is a Linux executable that supports the rooting commands used in the malicious behaviour.
The installed malicious application declares these resources separately inside the package, as shown in the following image.
In the image above, the "rageagainstthecage" file is the rooting exploit; it is described further in the next section. Using these resources, the malicious application renames the "anserverb" file to "xxx.apk" with the following code.
It then performs additional work to install the "xxx.apk" file. Having read this far, you may already guess what that "additional course of action" is.
The "additional course of action" is rooting the device. The following code roots the device and installs the "xxx.apk" file.
* Decompression, the rooting-related tasks, and the code that installs the additional APK file
In the figure above, the "anserverb" file is renamed to "SMSApp.apk"; this name and "xxx.apk" refer to the same resource in the code, so they are the same file.
Of course, as the image shows, the rooting-related work runs only on Android 2.2 or earlier versions.
It can then be seen that "xxx.apk" has been installed. In this case, however, no permission request screen is shown: as noted earlier, the double-packaged file is installed silently.
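The double-packaging pattern described above (a second APK and a native rooting binary hidden under asset names such as "anserverb" and "rageagainstthecage") can be picked up by static triage without running the sample. The script below is an added example, not code from the original post or from INCA Internet: it constructs a small sample APK in memory with the same layout the post describes, then scans every zip entry by content rather than by file extension, flagging nested APKs and ELF executables stored outside the normal lib/ directory. The entry names, the sample bytes and the name hints are constructed for illustration.

```python
"""Static triage for "double-packaged" Android APKs (added example)."""
from __future__ import annotations

import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip/APK
ELF_MAGIC = b"\x7fELF"      # ELF executable header
# Names the post associates with this sample; a name match is only a hint,
# the content checks below are what actually drive the findings.
NAME_HINTS = ("rageagainstthecage", "busybox")


def _is_apk(blob: bytes) -> bool:
    """A nested zip is treated as an APK if it carries an AndroidManifest.xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return "AndroidManifest.xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def scan_apk(apk_bytes: bytes) -> list[dict]:
    """Return one finding per entry that is a hidden APK or a stray ELF binary."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            blob = z.read(name)
            base = name.rsplit("/", 1)[-1].lower()
            hint = any(h in base for h in NAME_HINTS)
            if blob.startswith(ZIP_MAGIC) and _is_apk(blob):
                # An APK inside an APK: the "double packaging" payload.
                findings.append({"name": name, "kind": "nested_apk",
                                 "name_hint": hint})
            elif blob.startswith(ELF_MAGIC) and not name.startswith("lib/"):
                # Native code belongs under lib/; ELF under assets/ or res/raw/
                # is how rooting exploits and busybox are usually smuggled in.
                findings.append({"name": name, "kind": "elf_outside_lib",
                                 "name_hint": hint})
    return findings


def build_inner_apk() -> bytes:
    """Constructed stand-in for the hidden second APK (not real dex/manifest data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
    return buf.getvalue()


def build_outer_apk() -> bytes:
    """Constructed outer package with the layout the post describes."""
    fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"constructed"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\x00constructed")
        z.writestr("assets/anserverb", build_inner_apk())      # renamed APK
        z.writestr("assets/rageagainstthecage", fake_elf)       # rooting binary
        z.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        z.writestr("lib/armeabi/libnative.so", fake_elf)        # legitimate location
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_outer_apk()):
        print(f"{f['kind']:16} {f['name']}  name_hint={f['name_hint']}")
```

Checking magic bytes rather than extensions matters because, as in this sample, the payload is stored under an extension-less name and only renamed to "xxx.apk" at run time. A real triage pass would also want to look at the inner APK's own manifest and permissions, which this example deliberately leaves to the next step.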
* The additional malicious application carried inside the repackaged application
The following image shows the permissions required by the additionally installed malicious application.
While running, the additional malicious application can collect and send SMS messages and steal contacts, phone information and information about the installed applications. After installation it can also interfere with the running of specific applications, using the following code.
Even though this malicious application has no icon of its own, it can be identified by viewing the "Application management" section of the device settings.
3. How to prevent
This malicious game application was designed to target users in China, and no damage outside China has been reported so far. Because installing applications from overseas is relatively easy on a smartphone, however, the possibility of this kind of malicious application appearing elsewhere remains a threat. Malicious applications that use repackaging and double packaging are also able to install further malicious applications silently.
To use a smartphone safely against the security threats posed by such malicious applications, we recommend the following "Smartphone security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as the one described above through nProtect Mobile for Android, and operates a response system against various mobile security threats.
As of June 6, 2011, the INCA Internet Security Response Team has detected 8 other new malicious files for Android and has finished updating signatures for them.