[Warning] Identified malicious application disguised as a Chinese Video Browser

1. Introduction

It's a big trend to repackage for malicious Android's application these days.
The technique "Repackaging" is inserting malicious code on the process of decompile based on normal APK file.
If infected, it is hard to be found the status being infected.
Therefore, the scope of infected range can be wider and wider.

Among those applications, a peculiar malicious application has been identified which was masqueraded and repackaged as a Chinese Video streaming service application.

2. Spreading path and symptoms of infection

Several variants of this malicious application are still being found, it spreads via black market and 3rd party market with the unique feature of this kind of repackaged applications.

First of all, it can be run on Android SDK 1.6 or higher in a stable manner.
This following figure describes permission requirement page on installation.

* Permission explanations











After the installation, this execution icon on following figure will be generated.

* Detailed analysis

After the installation, this following code will lead download and install additional malicious application on executing

* URL for downloading additional malicious


* Additinal downloaded malicious application

Following figure is captured screen after downloaded additional application from the above.
It looks like a normal application and can stream music normally.

* Captured screen on execution

 * Created icon

This malicious application has a purpose to AD in certain condition. And it contains link to download this application and can be sent via e-mail or SMS.

Also, it can send 6 text messages to China Mobile quietly.

The receiving number of China Mobile is a service number to check remained balance, mobile data usage, and so on. Also it can apply “Free Text Message” service.
On applied several services, certain amount of money might be paid due to those services. And requested “Free Text Message” service can be used both real-user and another user.

We assume that it requested the service with this phrase (“1~~6”, “8”, “”, this);.
Also, requested result can be received as a text message on choosing each menu. Furthermore, to deceive user on this progress, this malicious application can remove replying text messages with the following code.

According to the red box, it deletes text messages in case of the first sending number started from “10” with the red boxed code, if(s.startsWith(“10”)) abortBroadcast(); after inherited BroadcastReceiver without notice.
As a result, general user can’t notice something happened in his smartphone, even applying several services.

Together with those attempts, it can try to leak SIM card number of the smartphone to the external certain web site such as following figures.

Sneaked information can be used to make cloned phone illegally. In addition, it can check network connecting status and perform with specific code.

3. How to prevent

Currently, in case of malicious application for Android malicious application, it is a big trend to be disguised as a normal application, and the technique “REPACKAGING” is the most prevalent.
To use smartphone safely from security threats of these malicious applications, we recommend following tips "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
2. Download the proven application by multiple users at all times.
3. Use mobile anti-virus SW to check downloaded application before using it.
4. Do not visit suspicious or unknown site via smartphone.
5. Try not to see MMS, text, e-mail from uncertain user.
6. Set strong password on smartphone always.
7. Turn the wireless interfaces like Bluetooth only be used.
8. Do not save important information on phone.
9. Do not try illegal customizing like rooting or jailbreak.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with nProtect Mobile for Android for mobile such as malicious file stated above and runs responding system against various security threats.

Diagnosis name

- Trojan-SMS/Android.KuVideoSMS.A
- Trojan-SMS/Android.KuVideoSMS.B