[Warning] Android malicious applications that operate without user awareness are increasing.

1. Introduction

According to increasing smartphone security threats, malicious applications are generated continuously.
To extend life cycle of malicious application itself, it uses various techniques.
One of the most prevalent techniques is working on background.
Malicious application which is working on background, tries to send SMS and collects information are increasing.



2. Spreading path and symptoms of infection

Since this malicious application hasn't been spread in Korea, special damage case hasn't been reported so far.
This malicious application can spread via various black markets and 3rd party markets and can require various permissions as following.

* Features on installation and granting permission

* Permission explanations
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.DEVICE_POWER"
- android:name="android.permission.WRITE_APN_SETTINGS"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.BROADCAST_PACKAGE_REMOVED"
- android:name="android.permission.BROADCAST_PACKAGE_ADDED"
- android:name="android.permission.ACCESS_WIFI_STATE"
- android:name="android.permission.CHANGE_WIFI_STATE"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.INTERNET"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.KILL_BACKGROUND_PROCESSES

Malicious application always asks permissions related system internal information such as "SMS", "PHONE_STATE".
"KILL_BACKGROUND_PROCESSES" is for killing background processes.

Because "LAUNCHER" of Main activity is not defined, this malicious application doesn't have run icon.
This kind of malicious application can be found on "Third-party" on its installation status.

* Malicious behaviors

This malicious application can send SMS for advertisement and can collect contacts, IMSI and so on.
Furthermore, collected information can be leaked to certain external URL. Following code shows collecting IMEI, model name, Android platform and SDK version, and contacts.

Sending SMS function
 


A. Sends SMS



B. Sends MMS



On certain condition, it can send SMS or MMS.


 
Furthermore, this malicious application can collect running application list and can terminate running application.



With the code above, we can confirm that this can kill running application.

※ Method "killBackgroundProcesses()" can terminate process version 2.2 or higher, however, method "restartPackage()" can terminate process 2.1 or lower version.

3. How to prevent

To use PC safely from security threats of these malicious files, we recommend following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with nProtect Anti-Virus/Spyware for detecting such as malicious file stated above and runs responding system against various security threats.

Diagnosis name

 - Trojan-SMS/Android.AdSms.F