
6/02/2011

[Warning] Malicious Android file found masquerading as a foreign financial security product

1. Introduction

Users should take special care: a malicious mobile file masquerading as a financial security product for Android has been found, and it steals SMS messages and other information.
The most notable feature of this application is that it is disguised as a foreign financial security solution.
Recently, the nProtect Security Response Center / Response Team has found many malicious Android files.
More attention and continuous effort are therefore needed to strengthen Android security.



* Trusteer, a well-known security solution company whose name is being used as a disguise

- http://www.trusteer.com/



※ How the application masquerades as a financial security product for Android

A. Icon

It uses an icon similar to the security solution company's icon, as shown below.


B. Product name

As shown in the image below, it uses the brand name and product name of a specific security solution.


In the figure above, it not only requires an activation key on the "bank website" but also incorporates an intelligent scam.



2. Spreading path and symptoms of infection

This malicious application is not a normal application that has been repackaged with added malicious code. A standalone malicious application of this kind is likely to be spread through black markets or third-party markets rather than the Android Market.

The application requests the following permissions.


* Permission explanations

A. android.permission.RECEIVE_SMS
- Permission to receive SMS messages
B. android.permission.INTERNET
- Permission to access the Internet
C. android.permission.READ_PHONE_STATE
- Permission to obtain phone information

During installation, the permission request screen shows the permissions described above.
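The permission set above can be checked for during APK triage. The following is an added example, not code from the original post or from the analyzed sample: it assumes the manifest has already been decoded to plain XML (for example with apktool), uses a constructed sample manifest and package name, and goes beyond the permission list by also looking for a receiver registered for incoming SMS broadcasts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permission set listed in this post for the fake security application.
SUSPECT_SET = {
    "android.permission.RECEIVE_SMS",
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml):
    """Return findings for a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Collect receivers that are delivered incoming SMS broadcasts.
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                sms_receivers.append({
                    "name": rcv.get(ANDROID_NS + "name"),
                    "priority": int(flt.get(ANDROID_NS + "priority", "0")),
                })
    return {
        "package": root.get("package"),
        "missing": sorted(SUSPECT_SET - requested),
        "sms_receivers": sms_receivers,
        # Flag only when the app can read SMS, read device IDs and reach the network.
        "suspicious": SUSPECT_SET <= requested and bool(sms_receivers),
    }

# Constructed sample manifest (hypothetical package, not the analyzed sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

Legitimate applications can request the same three permissions, so a hit is a reason to inspect the application further, not a verdict.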

 

After clicking the "Install" button:


The censored area is the IMEI value of the infected phone.

* Unique smartphone information

- IMEI (International Mobile Equipment Identity): The International Mobile Equipment Identity, or IMEI, is a number, usually unique, that identifies GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones.
- IMSI (International Mobile Subscriber Identity): An International Mobile Subscriber Identity, or IMSI, is a unique identifier associated with all GSM and UMTS network mobile phone users. It is stored as a 64-bit field in the SIM inside the phone and is sent by the phone to the network.

The following code prints the IMEI value on the screen when the application runs.



In addition, the malicious application steals SMS messages and the IMEI with the following code.



As described above, the application then attempts to send the stolen SMS messages and IMEI to a specific site with the following code.



3. How to prevent

Malicious applications like this one, disguised as well-known international financial security solutions and products, can cause users financial damage.



The website that collected the stolen information is currently blocked, but similar malicious applications are very likely to emerge. We therefore recommend following the "Smartphone security management tips" below to avoid this kind of damage.

* Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by many users.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as the one described above with nProtect Mobile for Android, and operates a response system against various security threats.


1 comment:

  1. Excellent Blog every one can get lots of information for any topics from this blog nice work keep it up...
