8/03/2011

[Warning] Malicious application that records voice calls

1. Introduction

Recently, a large data breach in South Korea has become a major issue. Personal information is among the most important kinds of information and is valuable in itself; leaked information is used mainly for financial gain. In other words, a person whose information has been stolen can suffer both financial and psychological harm.
In the midst of this situation, a malicious application that steals various kinds of information from smartphones, targeting Chinese users, was found.


Therefore, general users need to be careful not to be infected by malicious files such as this one.


2. Spreading path and symptoms of infection

Several variants of this malicious application are still being found; it spreads via black markets and third-party markets and can request various permissions, as follows.



* Requested permissions

- android:name="android.permission.CALL_PHONE"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_GPS"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.ACCESS_COARSE_UPDATES"
- android:name="android.permission.ACCESS_FINE_LOCATION"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.WRITE_CONTACTS"
- android:name="android.permission.ACCESS_WIFI_STATE"
- android:name="android.permission.PERMISSION_NAME"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.RECORD_AUDIO"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.DEVICE_POWER"

This malicious application has no launcher icon, but its installation can be confirmed under "Manage Applications".



* Detailed Analysis

If a device is infected, this malicious application can cause the following symptoms.


* Infected symptoms

1. Acquires smartphone information including the IMEI
2. Acquires SMS information
3. Saves certain information on the SD card
4. Sends SMS (text messages)
5. Collects the user's location and activates the GPS function
6. Sends collected information to an external web site
7. Collects call history
8. Records voice calls
9. Runs in the background

This malicious application registers two receivers (BootReceiver, AlarmReceiver). BootReceiver, which inherits from BroadcastReceiver, runs the application in the background, and the application keeps running while the screen is locked by using a WakeLock.
This malicious application collects information using IMEI-collecting code and can send that information to a certain number with the following code.


It contains the destination number in its code.

In addition, this malicious application can act as a GPS tracker, finding the user's position periodically by checking the Cell ID, as in the following code.



Besides, this malicious application can record voice calls after checking the smartphone's status.



Furthermore, it can seize the call history using "android.provider.CallLog.Calls.CONTENT_URI", various sources and permissions. The collected call history is saved to the SD card and can be transferred through a specific port.

* Saving path on the SD card for collected information

- /sdcard/shangzhou/callrecord/

* External URL that receives the collected information

- jin.(~).com(Port : 2018)
- Connection to the external URL is attempted periodically through SocketService and AlarmManager.
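The permission list in section 2 and the analysis above (no launcher icon, a BootReceiver that restarts the app at boot, recording plus network/SMS permissions) are traits a defender can check for statically. The following is an added example, not code from the advisory or from INCA Internet: it triages an AndroidManifest.xml for those traits. The manifest it parses is a constructed sample, not the real application's manifest, and the receiver/service names are taken from the advisory's description.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME = ANDROID_NS + "name"  # attribute key ET uses for android:name

# Permission combination from the advisory's list: each is common on its own,
# but together they cover record / locate / exfiltrate by SMS or network.
SPYWARE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS",
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest (not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.sample">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AlarmReceiver"/>
    <service android:name=".SocketService"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return sorted indicator tags found in an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    findings = []
    if SPYWARE_PERMS <= perms:
        findings.append("spyware-permission-set")
    # BOOT_COMPLETED receiver: the app restarts itself in the background at boot
    for recv in root.iter("receiver"):
        if any(a.get(NAME) == "android.intent.action.BOOT_COMPLETED" for a in recv.iter("action")):
            findings.append("boot-receiver:" + recv.get(NAME))
    # No LAUNCHER category: no icon, only an entry under Manage Applications
    if not any(c.get(NAME) == "android.intent.category.LAUNCHER" for c in root.iter("category")):
        findings.append("no-launcher-activity")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(triage_manifest(SAMPLE_MANIFEST)))
```

None of these indicators is conclusive alone; a legitimate dialer or VoIP app can hold RECORD_AUDIO and INTERNET, so the result is a triage score for closer inspection, not a verdict.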

3. How to prevent

This malicious application is presumed to be of Chinese origin for reasons including its use of the Chinese locale (China, Simplified).

However, these malicious applications can be downloaded from black markets and third-party markets and repackaged; users need to be careful when downloading such applications.

General users can hardly notice what has happened on their PC when a malicious file is spread using social engineering.
To use smartphones safely against the security threats of such malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use the real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites on your smartphone.
5. Try not to open MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment for malicious files such as the one described above with nProtect Mobile for Android, and operates a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.NickiSpy.A
- Trojan-Spy/Android.NickiSpy.B
- Trojan-Spy/Android.NickiSpy.C
