
6/01/2011

[Warning] Detected double packaged malicious application for Android

1. Introduction

Recently, a double-packaged malicious file for Android has become prevalent, mostly in China, and general users need to pay special attention to it.
This malicious application is unusual in that it carries a malicious APK file inside a normal file.
If a device is infected, the application can steal user information.
Users of Android devices should therefore be careful with such malicious files.


Double packaging (APK : Android Package File)

- A malicious APK file is contained inside a normal APK file
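
A downloaded package can be checked for this nested structure before it is installed. The following is an added example, not code from the original analysis: it inspects every member of an APK by content and reports those that are themselves APK-shaped archives. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import zipfile

# Entries that an installable APK carries at its top level.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def find_embedded_apks(apk_bytes, max_member_size=64 * 1024 * 1024):
    """Return names of members inside an APK that are themselves APK-like archives.

    Detection is by content, not by file extension, because an embedded
    package can be stored under any name (for example as an image asset).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            # Skip directories and members whose declared size is too large to unpack safely.
            if info.is_dir() or info.file_size > max_member_size:
                continue
            data = outer.read(info)
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            if APK_MARKERS <= names:  # inner archive has both marker entries
                hits.append(info.filename)
    return hits


def _make_apk(extra=None):
    """Build a constructed, minimal APK-shaped ZIP in memory (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"constructed manifest")
        z.writestr("classes.dex", b"constructed dex")
        for name, data in (extra or {}).items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a plain package, and one carrying a second package as an asset.
CLEAN_APK = _make_apk({"res/drawable/icon.png": b"\x89PNG constructed"})
DOUBLE_PACKAGED_APK = _make_apk({"assets/data.png": _make_apk()})

if __name__ == "__main__":
    print(find_embedded_apks(CLEAN_APK))
    print(find_embedded_apks(DOUBLE_PACKAGED_APK))
```

A hit is a reason to examine the inner package's permissions, not proof of malice on its own.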


2. Spreading path and symptoms of infection

This kind of repackaged malicious application can be spread via the black market and 3rd-party markets.

* Downloading and installing the double-packaged APK file

At a glance, this downloadable APK file seems to be a normal application, but our analysis shows that it contains malicious functions, as the following figure shows.


<About Permission>


<It requires permission agreement on install>

After the installation is complete, you can see the following figure.


Like most of the mobile malicious applications we have mentioned before, applications of this kind mostly use lascivious photos.
It also appears to originate from China, as it uses the Chinese language.

It is hard for a general user to recognize that something is going on in the background, because the application secretly performs "Checking certain condition on being infected" and "Performing package install related code".

* Downloading and installing an additional APK file derived from the double-packaged APK file

After the installation is complete, the installed APK file tries to install an additional APK file when the following conditions are satisfied.

* Conditions for installing another APK file

- Rooting attempted (Android 2.2 or earlier)
- Rooting status

The following code describes the additional conditions mentioned above.



When those conditions are met, the infected user does not see the permission request page while the additional APK file is installed.

The following code describes the permissions of the additional APK file.



<About permission>


<About permission on installation>

The secondary APK file doesn’t show an execution screen. However, it can perform “Send/Receive SMS, MMS” and make the user pay for those without the user noticing. Moreover, cell phone information including GPS and recent calls can be leaked. It can also start automatically on boot.

3. How to prevent

For a malicious mobile application, attempting the installation without an additional download, as in this case, is an uncommon technique.
To use a smartphone safely against the security threats from these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use the real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are to be used.
8. Do not save important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment for malicious files such as the one described above through nProtect Mobile for Android, and runs a response system against various security threats.

* Diagnosis name

- Trojan-Spy/Android.HiddenSms.A
- Trojan-Spy/Android.HiddenSms.B
