[Warning] Identified another malicious application inducing SMS premium service charge

1. Introduction

 

These days, the damage range of malicious applications is getting wider from simply collecting information to acting specific malicious behaviors quietly.
In the midst of this atmosphere, inducing malicious app charging SMS premium service has been found, so that user who frequently downloads apps at black market needs to be careful.

  
2. Spreading path and symptoms of infection

This malicious application can spread via various black markets and 3rd party markets and can require various permissions as following.

* Permission explanation

- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.RESTART_PACKAGES"
- android:name="android.permission.INTERNET"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"

Upon installed, this will create execution icon as following, clicking icon will show you following screen.


  
* Run Icon

* Run Screen

  
* Detailed analysis

This malicious application registers 1 Receiver to manage SMS, and can set high priority.

* Receiver register- com.talkweb.comm.SmsReceiver

Furthermore, this malicious application can subscribe premium service after being infected, and subscription procedure will be proceed by receiving SMS from certain premium service provider's number.

* Subscription procedures
- Sends service register SMS to service provider
- Replies SMS about detailed service description from service provider
- User needs to send reply SMS including this word "Y" for confirming.

After the subscription, this malicious application can finish subscription procedure after confirming sending SMS. Besides, this app will remove related SMS through following code before being recognized by user.



But there is a difference between this app and previous similar application on numbering additional service number in its code's condition states.

3. How to prevent

In case of this malicious application, since it was designed to target Chinese user, it hasn't been reported in South Korea, but it can be repackaged and give financial damage to general user.
To use smartphone safely from security threats of these malicious applications, we recommend following tips "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
2. Download the proven application by multiple users at all times.
3. Use mobile anti-virus SW to check downloaded application before using it.
4. Do not visit suspicious or unknown site via smartphone.
5. Try not to see MMS, text, e-mail from uncertain user.
6. Set strong password on smartphone always.
7. Turn the wireless interfaces like Bluetooth only be used.
8. Do not save important information on phone.
9. Do not try illegal customizing like rooting or jailbreak.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with nProtect Mobile for Android for mobile such as malicious file stated above and runs responding system against various security threats.