
8/18/2011

[Warning] Repackaged malicious Android apps send spam SMS

1. Introduction

A repackaged malicious Android app that sends spam SMS has recently been found, so Android phone users need to be careful about its malicious behavior. Once a device is infected, the app can quietly send a large number of spam SMS messages, leaving the user to pay for them.
Recently, the symptoms of malware infection have been changing from information collection to financial damage.




  



2. Spreading path and symptoms of infection

This repackaged malicious application can spread via various black markets and third-party markets, and it can require various permissions, as follows.


  
* Permissions required by the malicious application



* Permissions required by the normal application



* Permission explanation

- android:name="android.permission.VIBRATE"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"



In addition, the normal and malicious applications can be told apart by their icons after installation.



* Malicious application's icon



* Normal application's icon



On the malicious application's icon, the word "BETA" is misprinted as "PETA".
On the real one, it is printed correctly.

Furthermore, the difference between the normal and malicious applications can be seen under "Application info".



4.68MB is the real one.


  
After installation, both applications look the same when running. That is one of the main features of repackaged applications.



* Detailed analysis

This malicious application is a repackaged application.
The following figure shows its folder structure as a tree.



Once the device is infected, an additional malicious package, "dogbite", runs as a service and can cause the following symptoms.

* Infected symptoms

1. Collects the phone numbers in the contacts
2. Sends a number of SMS messages
3. Sends an SMS to a certain number

The following code shows the details of "Collect Phone Number" and "Send SMS".



There are 2 types of SMS sending.

One sends a certain sentence ("I take pleasure in hurting small animals, just thought you should know that") after collecting the numbers in the contacts.
The other sends an SMS to a certain premium service number contained inside the application.
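The permission and service differences described in this section can be checked by diffing the decoded manifests of the original and the suspect package. The following is an added example, not code from the analyzed sample or from INCA Internet; it assumes both `AndroidManifest.xml` files have already been decoded to text XML, and the package name, component names and the split of permissions between the two sample manifests are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: the entries of the page's permission list picked here as worth
# flagging, because they match the SMS, contact and service behaviour described.
HIGH_RISK = {"android.permission." + p for p in
             ("SEND_SMS", "WRITE_SMS", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED")}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def manifest_facts(xml_text):
    """Return (permissions, components) declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    comps = set()
    for tag in COMPONENT_TAGS:
        for e in root.iter(tag):
            name = e.get(ANDROID + "name", "")
            # Expand relative names (".Main") so both manifests compare equal.
            comps.add((tag, package + name if name.startswith(".") else name))
    return perms, comps

def diff_repackaged(original_xml, suspect_xml):
    """Report what the suspect manifest declares beyond the original one."""
    o_perms, o_comps = manifest_facts(original_xml)
    s_perms, s_comps = manifest_facts(suspect_xml)
    added = s_perms - o_perms
    return {"added_permissions": sorted(added),
            "high_risk_added": sorted(added & HIGH_RISK),
            "added_components": sorted(s_comps - o_comps)}

# Constructed sample manifests; package, component names and the split of
# permissions between the two are placeholders, not taken from the samples.
def _manifest(perms, components):
    head = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.app">')
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    body = "".join('<%s android:name="%s"/>' % c for c in components)
    return head + uses + "<application>" + body + "</application></manifest>"

BASE_PERMS = ["VIBRATE", "INTERNET", "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE"]
ORIGINAL = _manifest(BASE_PERMS, [("activity", ".Main")])
SUSPECT = _manifest(BASE_PERMS + ["SEND_SMS", "WRITE_SMS", "READ_CONTACTS",
                                  "RECEIVE_BOOT_COMPLETED"],
                    [("activity", ".Main"),
                     ("service", "com.example.dogbite.ExampleService")])

if __name__ == "__main__":
    for key, value in diff_repackaged(ORIGINAL, SUSPECT).items():
        print(key, value)
```

An added service together with newly requested SMS and contact permissions is the pattern to look for when a package claims to be a copy of a known application.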

3. How to prevent

This malicious application can carry out its malicious behavior simply by adding extra code to send SMS.
The structure looks simple; however, the malicious functions are hard for a normal user to detect.
To use smartphones safely in the face of the security threats posed by such malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment with nProtect Mobile for Android for mobile malicious files such as the one described above, and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.Dogbite.A

1 comment:

  1. Excellent post and wonderful blog, I really like this type of interesting articles keep it up.
