6/17/2011

[Warning] Detected malicious file on Android disguised as a Flash Player file



1. Introduction

A malicious application masquerading as a Flash Player-related application for Android has been found, so users are urged to take precautions.
This app masquerades as Flash Player, uses a similar icon, and attempts various malicious behaviors in the background without showing any screen.
On an infected device, smartphone information and SMS may be leaked.
Therefore, users need to be cautious when downloading and installing applications.
 


2. Spreading path and symptoms of infection

This malicious application may be spread through black markets and third-party markets; it can also be downloaded and installed by accessing a malicious URL or opening a file attached to an e-mail.

* Features that can be checked when installing the malicious application

This malicious application shows a permission request screen on installation, like the following image.


The following image shows part of the permission declaration.
See "Permission explanation" for details.



* Permission explanation

- android:name="android.permission.INTERNET" -> Permission to use the Internet
- android:name="android.permission.SEND_SMS" -> Permission to send SMS
- android:name="android.permission.RECEIVE_SMS" -> Permission to receive SMS
- android:name="android.permission.WRITE_SMS" -> Permission to write SMS
- android:name="android.permission.READ_SMS" -> Permission to read SMS
- android:name="android.permission.READ_PHONE_STATE" -> Permission to read cellular phone information
- android:name="android.permission.WRITE_EXTERNAL_STORAGE" -> Permission to save information to the SD card
- android:name="android.permission.MODIFY_AUDIO_SETTINGS" -> Permission to change audio settings

There are other malicious applications that show the same symptoms but do not masquerade as Flash Player, such as the one in the following image.


These malicious applications also appear with the masqueraded icons shown below, and they have no execution screen.




After installation, the malicious application runs as a service and performs its various malicious behaviors after a certain period of time.
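As an added example that is not part of this advisory, the following Python script triages a decoded AndroidManifest.xml for the traits described above: the SMS, phone-state and Internet permission set, a background service, and no launcher activity (no execution screen). The manifest embedded in it is constructed for illustration; the package and class names are placeholders, not identifiers from the real sample.

```python
# Added example (not the advisory's code): static triage of a decoded
# AndroidManifest.xml for the traits described above: the SMS / phone-state /
# Internet permission set, a background service, and no launcher activity.
# The manifest below is constructed; package and class names are placeholders.
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Permissions the advisory lists for the sample.
SUSPICIOUS = {
    "android.permission.INTERNET", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.WRITE_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

CONSTRUCTED_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Flash Player">
    <service android:name=".PlaceholderService"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return findings for one manifest; high_risk matches the advisory's profile."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    flagged = sorted(perms & SUSPICIOUS)
    # A MAIN/LAUNCHER activity is what gives an app a visible screen; the
    # advisory notes these samples show none and run as a service instead.
    has_launcher = any(c.get(NAME) == "android.intent.category.LAUNCHER"
                       for c in root.iter("category"))
    services = [s.get(NAME) for s in root.iter("service")]
    high_risk = (any("SMS" in p for p in flagged)
                 and "android.permission.INTERNET" in flagged
                 and "android.permission.READ_PHONE_STATE" in flagged
                 and bool(services) and not has_launcher)
    return {"flagged_permissions": flagged, "has_launcher_activity": has_launcher,
            "services": services, "high_risk": high_risk}
```

Run `triage_manifest()` over the manifest of each installed or downloaded package; a high_risk result is a reason to inspect the app before trusting it, not proof of infection.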

* Spreading malicious application list
- FlashCom
- FlashP29
- Flashpom
- MMS29

* Detailed analysis of symptoms

The following figure shows how smartphone information such as the IMEI is stolen and used.



The collected IMEI may be used to generate a cloned phone, which is the most common function of these applications. This malicious application can also acquire information such as the installed application list with the following code.


The code above obtains the application list. It collects the list of all installed applications, writes it to the SD card, and sends the information to an external site after a certain period of time.

In addition, the malicious application was found to attempt to leak SMS and the caller number to an external site.


The following figure is a captured screen of the packet leaking the installed application list externally.


* Captured screen of the packet leaking the installed application list externally


- The whole application list of the infected smartphone can be leaked externally.

* Captured screen of cellular phone information such as the IMEI and Android platform version
 

- The red box contains the leaked phone information; the blue box contains the IMEI.


In addition, the malicious application checks its product name and version and tries to update itself if it is not the latest version.


3. How to prevent

Recently, malicious applications have been spreading as various variants, using techniques such as repackaging and masquerading as normal programs. Compared to previous years, the number of malicious applications has increased significantly. As with most malicious applications, it is very difficult for an ordinary user to notice an infection or its symptoms; therefore we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use the real-time detection function.
2. Always download applications that have been proven by many users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites from the smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious file described above through nProtect Mobile for Android, and operates a response system against various security threats.

* Detection names for this malicious application added to the nProtect Mobile for Android product family

- Trojan-Spy/Android.CrWind.A
- Trojan-Spy/Android.CrWind.B
- Trojan-Spy/Android.CrWind.C
- Trojan-Spy/Android.CrWind.D
