
7/07/2011

[Material] Repackaged FastRacing game application leaks your smartphone information

1. Introduction

Recently, malicious Android applications have been growing rapidly, and smartphone security threats are getting bigger.
To generate a malicious application, "repackaging", which injects a malicious function into a normal application, is the most widely used technique.
Furthermore, such a malicious application can steal user information.
So users of Android devices need to pay special attention to prevalent malicious files.

2. Spreading path and symptoms of infection

This malicious application, an Android game application named “FastRacing”, is of the repackaged type, includes malicious code, and needs SDK version 1.6 or higher.

After the installation is complete, it can perform the following malicious behaviors.

※ Possible malicious behaviors

- Collects smartphone information
- Collects outgoing / received call list
- Collects SMS information
- Sends the collected log file as a .TXT to an external URL
- Sends SMS
- Tries to make a call
- Installs and removes applications
- Behaves as a bot
- Accesses GPS information

Repackaged malicious applications of this kind spread via black markets and 3rd-party markets, and show a permission requirement screen on installation.


 
* Permission explanation in AndroidManifest.xml

- android:name="android.permission.INTERNET"
-> Permission to use the internet
- android:name="android.permission.VIBRATE"
-> Permission to use vibration
- android:name="android.permission.ACCESS_NETWORK_STATE"
-> Permission to access network state
- android:name="android.permission.READ_PHONE_STATE"
-> Permission to read the phone's state
- android:name="com.android.vending.BILLING"
-> Permission for billing
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
-> Permission to write to external storage
- android:name="android.permission.ACCESS_COARSE_LOCATION"
-> Permission to access coarse location (Cell-ID and Wi-Fi)
- android:name="android.permission.ACCESS_FINE_LOCATION"
-> Permission to access GPS location
- android:name="android.permission.RECEIVE_SMS"
-> Permission to receive SMS
- android:name="android.permission.SEND_SMS"
-> Permission to send SMS
- android:name="android.permission.READ_SMS"
-> Permission to read SMS
- android:name="android.permission.CALL_PHONE"
-> Permission to make calls
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
-> Permission to process outgoing calls
- android:name="android.permission.DELETE_PACKAGES"
-> Permission to delete packages
- android:name="android.permission.INSTALL_PACKAGES"
-> Permission to install packages
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
-> Permission to run a background task after reboot

When the installation is completed, you can play the game, and it is actually hard to notice that the device is infected.




* Analysis of malicious behavior in background task

After installation, this malicious application performs the following malicious behaviors.

* Collects information: IMEI, IMSI

The following figure shows how IMEI and IMSI information is collected under certain conditions.
 

* Collects information: outgoing, incoming call history

The following figure shows how outgoing and incoming call history is collected under certain conditions.
 

As the figure above shows, the underlined "android.intent.extra.PHONE_NUMBER" is used to write all collected numbers to "zjphonecall.txt". Received call history, however, is saved depending on a condition in the Bean class.

* Collects information: SMS

The following figure shows how SMS information is collected under certain conditions.
 

The real sender number, the displayed number, and the message contents are saved to "zjsms.txt".

* Sends collected log file to external URL.

The following figure shows the collected SMS and call history being sent to an external site.
 

In the upper-left figure, the path in the red box is the location where the collected files are stored, and the URL path they are uploaded to is in the blue box. Each path is generated by combining the referenced values.
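The upload behaviour just described also leaves a network-side trace. As an added example (not from the original post), this Python snippet runs a simple detection over constructed egress-proxy log lines, flagging POST/PUT requests whose target file name matches the artifacts named above ("zjphonecall.txt", "zjsms.txt"). The host names, client addresses, log format and the idea that a 15-digit IMEI-shaped value appears in the upload path are assumptions for the demo; the post says only that the path is built from a combination of references.

```python
"""Flag handset uploads of the collected log files in egress / proxy logs.
Added example; log lines, hosts and the log format are constructed."""
import re
from urllib.parse import urlsplit

# File names the write-up says the collected call and SMS logs are written to.
ARTIFACT_NAMES = {"zjphonecall.txt", "zjsms.txt"}

# A bare 15-digit run is IMEI-shaped. Treating it as a device identifier in
# the URL is this example's heuristic, not something the write-up states.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")

# Constructed log format: "<client> <method> <url> <status> <bytes>"
LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT) (\S+) (\d{3}) (\d+)$")


def inspect_line(line):
    """Return the reasons a request looks like a log upload ([] if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _client, method, url, _status, _size = m.groups()
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if method in ("POST", "PUT") and filename in ARTIFACT_NAMES:
        reasons.append(f"upload of known artifact name {filename}")
    if IMEI_RE.search(parts.path) or IMEI_RE.search(parts.query):
        reasons.append("IMEI-shaped identifier in URL")
    return reasons


def detect_uploads(lines):
    """Return (client, url, reasons) for every flagged request, in log order."""
    hits = []
    for line in lines:
        reasons = inspect_line(line)
        if reasons:
            client, _m, url, _s, _b = LOG_RE.match(line.strip()).groups()
            hits.append((client, url, reasons))
    return hits


# Constructed proxy log: one handset fetching a game asset, then pushing the
# two collected log files to an external host with an IMEI-shaped path part.
SAMPLE_LOG = """\
10.0.0.12 GET http://cdn.example.com/game/assets/track1.png 200 48211
10.0.0.12 POST http://upload.example.net/log/123456789012345/zjphonecall.txt 200 912
10.0.0.12 POST http://upload.example.net/log/123456789012345/zjsms.txt 200 2048
10.0.0.13 POST http://api.example.org/score 200 64
10.0.0.14 PUT http://files.example.org/notes.txt 201 300
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in detect_uploads(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

Matching on the exact artifact names is brittle (a rebuild of the sample could rename them), so the identifier-in-URL rule is kept as an independent signal; in a real deployment the two would be scored together with the client being a mobile device.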

* Sends SMS

The following figure shows the application trying to send the collected SMS information.
 

* Tries to make a call clandestinely
 

The following figure shows the application trying to make a call.
 

In the figure above, the call-making function is implemented in the red box area after consulting the blue box area, and it tries to make a call secretly.

* Installs and removes application
 

The following figure shows the installing and removing of applications.
 

The most notable feature of the install/remove routine is that, unlike previous malicious applications, it contains no rooting function; it also creates logs internally.

* Performs as a bot
 

Bot: Internet bots, also known as web robots, WWW robots or simply bots, are software applications that run automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone.

In this application, the Bean instance, registered as a receiver and inheriting from BroadcastReceiver, performs as a bot. At that point it carries out the four malicious behaviors mentioned above: sending the collected log file as a .TXT to an external URL, sending SMS, trying to make a call, and installing and removing applications.

Furthermore, these malicious functions are activated through a class that inherits from Service, so that they run covertly.

* Accesses GPS information

The following figure shows access to GPS information.
 

The permission and class underlined above let the application access GPS information, and this can work as a bot function to cause great damage.

3. How to prevent

Malicious applications spreading recently try to infect smartphones with various techniques such as "repackaging". As described above, many threats can emerge from this. In such a case it is very difficult for ordinary users to diagnose what is going on in their smartphone.

To use a smartphone safely despite the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.
  
Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep the engine updated to the latest version, and use the real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not save important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment for mobile malicious files such as the one stated above with nProtect Mobile for Android, and runs a response system against various security threats.

4 comments:

  1. Oh really, is it true that the FastRacing game application leaks your smartphone information? I am very happy to know this discussion as well. I am very happy to know the discussion as well. Thanks!!

  2. This is one of more sites that helped me find out what I exactly wanted. Thanks in return :D

  3. This is really nice details about games.
