
7/15/2011

[Warning] New malicious application disguised as Kaspersky's mobile anti-virus software

1. Introduction

A fake application masquerading as a module for Trusteer, an internationally known provider of security solutions, was recently revealed.
Such disguising techniques are prevalent these days.
This time the target is KAV (Kaspersky Anti-Virus).
The tampered application is likewise built to perform malicious functions.



2. Spreading path and symptoms of infection

Malicious applications of this kind spread via black markets and third-party markets.
Because the application is disguised as a normal one, it is difficult for users to tell whether it is legitimate or not.

The following explanations describe its malicious behaviors.

* Symptoms on installation and execution

The following figure shows the permission request page displayed on installation.

* Permission explanations

android:name="android.permission.BROADCAST_STICKY"
android:name="android.permission.SYSTEM_ALERT_WINDOW"
android:name="android.permission.INTERNAL_SYSTEM_WINDOW"
android:name="android.permission.ADD_SYSTEM_SERVICE"
android:name="android.permission.VIBRATE"
android:name="android.permission.REORDER_TASKS"
android:name="android.permission.CHANGE_CONFIGURATION"
android:name="android.permission.WAKE_LOCK"
android:name="android.permission.STATUS_BAR"
android:name="android.permission.ACCESS_WIFI_STATE"
android:name="android.permission.READ_PHONE_STATE"
android:name="android.permission.MODIFY_PHONE_STATE"
android:name="android.permission.DEVICE_POWER"
android:name="android.permission.DISABLE_KEYGUARD"
android:name="android.permission.INTERNET"
android:name="android.permission.WRITE_APN_SETTINGS"
android:name="android.permission.BROADCAST_WAP_PUSH"
android:name="android.permission.CHANGE_WIFI_STATE"
android:name="android.permission.ACCESS_NETWORK_STATE"
android:name="android.permission.CHANGE_NETWORK_STATE"
android:name="android.permission.RECEIVE_BOOT_COMPLETED"
android:name="android.permission.READ_SMS"
android:name="android.permission.RECEIVE_SMS"
android:name="android.permission.BROADCAST_SMS"
android:name="android.permission.WRITE_SETTINGS"
android:name="android.permission.ACCESS_WIFI_STATE"
android:name="android.permission.UPDATE_DEVICE_STATS"
android:name="android.permission.CHANGE_WIFI_STATE"
android:name="android.permission.WAKE_LOCK"
android:name="android.permission.READ_PHONE_STATE"
android:name="android.permission.WRITE_SECURE"
android:name="android.permission.WRITE_SECURE_SETTINGS"
android:name="android.permission.WRITE_EXTERNAL_STORAGE"
android:name="android.permission.PROCESS_OUTGOING_CALLS"


The permissions listed above cannot actually be put to use by this malicious application; the reason is explained in the detailed analysis below.

It also adopts an icon similar to that of Kaspersky Mobile.


After installation, an activation code is displayed when the malicious application is executed.
Clicking "OK" terminates the application without any further behavior.




* Detailed analysis

When the application is first run, it acquires the IMEI via the following code and displays part of that information as the activation code.



Beyond the IMEI, this code also collects IMSI and contact information and sends it to a C&C (Command and Control) server.



Because the C&C server destination is set to a local address, the collected information cannot leave the device. However, an additional application fully compatible with this program could emerge.
In addition to the malicious behaviors above, it can collect SMS messages and call status.
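As an added example (not part of the original post or INCA Internet's tooling), the following Python script triages a manifest's declared permissions against the capabilities described above: device identity (IMEI/IMSI), SMS access, call monitoring, network exfiltration and boot persistence. The sample manifest is constructed from permission names in the list above, including its duplicated entries; the indicator groups and the scoring threshold are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a manifest fragment built from permission names the post lists,
# including the duplicated WAKE_LOCK / READ_PHONE_STATE entries (not the real APK's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sample.fakekav">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Indicator groups (assumed for this example) matching the spyware behaviour in the post.
SPYWARE_INDICATORS = {
    "device_identity": {"android.permission.READ_PHONE_STATE"},
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_monitoring": {"android.permission.PROCESS_OUTGOING_CALLS"},
    "network_exfil": {"android.permission.INTERNET"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

def declared_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value in document order."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return [el.get(key) for el in root.iter("uses-permission") if el.get(key)]

def triage(manifest_xml: str) -> dict:
    """Score a manifest against the indicator groups and flag duplicate declarations."""
    names = declared_permissions(manifest_xml)
    unique = set(names)
    matched = {group: sorted(unique & perms)
               for group, perms in SPYWARE_INDICATORS.items() if unique & perms}
    return {
        "declared": len(unique),
        "duplicates": sorted(n for n in unique if names.count(n) > 1),  # sloppy manifest hint
        "indicators": matched,
        "score": len(matched),          # 5 of 5 means every spyware capability is requested
        "suspicious": len(matched) >= 4,  # threshold is an assumption of this example
    }
```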





3. How to prevent

Because of a flaw in how the malicious method is called, this application cannot carry out its malicious functions completely.
However, it could still be combined with, and work alongside, another malicious application.
To use a smartphone safely against threats from such malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep real-time detection enabled.
2. Always download applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from a smartphone.
5. Avoid opening MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above through nProtect Mobile for Android, and operates a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.FakeKav.A
