In the midst of this situation, we found malicious Android application, which supports various voice using functions, but to steal personal information.Collected information can be used on cloned phone, DB transaction, and so on.
Therefore, general user needs to be careful about being infected malicious file from those malicious file.
2. Spreading path and symptoms of infection
In case of this malicious application, it spreads via various black markets and 3rd party markets and can require various permissions as following.
After the installation, this malicious application will create execution icon as following.
To execute, you can see this following figure, it makes a big noise.
In addition, if you click upper direction arrow, your page will be changed at AD page for downloading additional applications.
* Detailed analysis
Upon installation, it will add 2 receivers (StartAtBootServiceReceiver, MyReferrerReceiver) and can cause these following symptoms.
First of all, this malicious application can collect numbers in contacts information and IMEI with this following code on execution.
Besides, it can collect Android account information, country code, and provider information.
Collected information can be sent certain URL.
Collecting and sending information, we mentioned above, can be performed through AlarmManager.
3. How to prevent
In case of this malicious application, all malicious functions run in the background as a service and are not visible to the user. And collected information can be used as a spam or cloned phone.
To use smartphone safely from security threats of these malicious applications, we recommend following tips "Smartphone security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with nProtect Mobile for Android for mobile such as malicious file stated above and runs responding system against various security threats.