
10/20/2011

[Warning] Malicious application identified disguised as Battery Doctor

1. Introduction

There is a growing trend these days of malicious Android applications being spread disguised as normal applications.
Once installed, this malicious application collects certain device and account information and leaks it to a certain URL.
Users therefore need to be careful when downloading applications.
As the number of Android users increases, a wide variety of malicious applications are also being generated.



2. Spreading path and symptoms of infection

The following figure shows the permission request page displayed on installation.




* Permission explanations

- android:name="android.permission.GET_TASKS"
- android:name="android.permission.RESTART_PACKAGES"
- android:name="android.permission.ACCESS_WIFI_STATE"
- android:name="android.permission.BLUETOOTH"
- android:name="android.permission.CHANGE_WIFI_STATE"
- android:name="android.permission.BLUETOOTH_ADMIN"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.VIBRATE"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.GET_ACCOUNTS"
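A permission list like the one above is the first thing an analyst triages. The script below is an added example, not code from the original advisory or from INCA Internet: it parses the `<uses-permission>` entries of an AndroidManifest.xml and reports which of the capabilities this advisory later describes (device identifiers, account and contact access, network exfiltration, boot persistence) the permission set would enable. The sample manifest is constructed from the advisory's permission list, the package name is a placeholder, and the permission-to-capability mapping is a hand-written triage heuristic, not an Android API.

```python
"""Static triage of an Android manifest's permission set (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment reproducing the advisory's permission list.
# The package name is a placeholder, not the real sample's identifier.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.fakebatterydoctor">
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

# Constructed manifest of a benign utility app, used as a contrast case.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Heuristic mapping (this example's own, not an Android API) from permissions
# to the behaviours an analyst should then look for in the code.
CAPABILITIES = {
    "device identifiers (IMEI/IMSI)": {"android.permission.READ_PHONE_STATE"},
    "account / e-mail enumeration": {"android.permission.GET_ACCOUNTS"},
    "contact harvesting": {"android.permission.READ_CONTACTS"},
    "network exfiltration": {"android.permission.INTERNET"},
    "persistence at boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "coarse location tracking": {"android.permission.ACCESS_COARSE_LOCATION"},
}

COLLECTION_CAPS = {
    "device identifiers (IMEI/IMSI)",
    "account / e-mail enumeration",
    "contact harvesting",
}


def extract_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def enabled_capabilities(perms):
    """Sorted list of capability labels whose required permissions are all present."""
    return sorted(cap for cap, needed in CAPABILITIES.items() if needed <= perms)


def spyware_pattern(perms):
    """True when at least one data-collection capability coexists with a network path,
    which is the combination the advisory describes (collect, then leak to a URL)."""
    caps = set(enabled_capabilities(perms))
    return bool(COLLECTION_CAPS & caps) and "network exfiltration" in caps


def triage(manifest_xml):
    """One-shot report for a manifest: permissions, enabled capabilities, verdict."""
    perms = extract_permissions(manifest_xml)
    return {
        "permission_count": len(perms),
        "capabilities": enabled_capabilities(perms),
        "spyware_pattern": spyware_pattern(perms),
    }


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml))
```

The verdict is deliberately coarse: many legitimate apps hold `READ_PHONE_STATE` and `INTERNET`, so a positive result is a prompt to inspect the code paths that use those permissions (as the advisory does in the next sections), not a conviction on its own.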

After installation, the execution icon shown in the following figure is created.



* Icon


* Run screen




After installation, the application performs the following malicious behaviors.

* Malicious behaviors

- Collects IMSI
- Collects user name and e-mail account information
- Tries to leak gathered information

* Collects smartphone information

This malicious application collects the IMEI, manufacturer, and model with the following code.



The collected information is hashed in MD5 form and leaked to a certain site.

* Collects user name and e-mail account information

This malicious application also collects the user name and e-mail account information.



* Tries to leak gathered information

Furthermore, this malicious application tries to leak the gathered information to a certain URL.

* External URL

http://push.(~~).com/push(~~)

3. How to prevent

To use a smartphone safely against the security threats posed by these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep the engine updated to the latest version, and keep the real-time detection function enabled.
2. Always download applications that have been proven by many users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites from the smartphone.
5. Avoid opening MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above with nProtect Mobile for Android, and operates a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.FakeBatteryDoctor.A
