"Repackaging" is a technique in which malicious code is inserted into a normal APK file in the course of decompiling it.
Once a device is infected, the infection is hard to notice.
As a result, the scope of infection can keep widening.
Among such applications, one peculiar malicious application has been identified that was repackaged to masquerade as a Chinese video streaming service application.
2. Spreading path and symptoms of infection
Several variants of this malicious application are still being found. As is characteristic of this kind of repackaged application, it spreads via the black market and third-party markets.
First of all, it runs stably on Android SDK 1.6 or higher.
The following figure shows the permission request page displayed during installation.
After installation, the launcher icon shown in the following figure is created.
* Detailed analysis
After installation, the following code downloads and installs an additional malicious application when the application is executed.
* Additional downloaded malicious application
The following figure is a screen capture taken after the additional application mentioned above was downloaded.
It looks like a normal application and can stream music normally.
* Captured screen on execution
* Created icon
This malicious application is designed to display advertisements under certain conditions. It also contains a link for downloading the application, which can be sent via e-mail or SMS.
It can also silently send 6 text messages to China Mobile.
The receiving China Mobile number is a service number used to check the remaining balance, mobile data usage, and so on. It can also be used to apply for the “Free Text Message” service.
Applying for several services may cause a certain amount of money to be charged for them. The requested “Free Text Message” service can be used by both the real user and another user.
We assume that it requested the service with this phrase: (“1~~6”, “8”, “”, this);.
The result of each request is returned as a text message when each menu is chosen. Furthermore, to deceive the user during this process, the malicious application can remove the reply text messages with the following code.
As the red box shows, the class inherits from BroadcastReceiver and, when the sender's number starts with “10”, deletes the text message without notice using the code if(s.startsWith("10")) abortBroadcast();.
As a result, an ordinary user cannot notice that anything has happened on the smartphone, even while several services are being applied for.
In addition to these attempts, it can try to leak the SIM card number of the smartphone to a certain external web site, as shown in the following figures.
The stolen information can be used to illegally make a cloned phone. In addition, it can check the network connection status and run specific code.
3. How to prevent
Currently, the major trend among malicious applications for Android is to disguise themselves as normal applications, and the “REPACKAGING” technique is the most prevalent.
To use smartphones safely in the face of the security threats posed by these malicious applications, we recommend the following "Smartphone security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions for mobile threats such as the malicious file described above through nProtect Mobile for Android, and runs a response system against various security threats.