This kind of premium SMS service is operated in overseas countries.
However, other kinds of malicious applications targeting victims in various countries have been reported recently, and variants of this SMS-related malicious application are expected to emerge.
With security threats increasing, users need to be careful when downloading applications.
2. Spreading path and symptoms of infection
This malicious application can spread via various black markets and third-party markets, and it can require various permissions, as follows.
* Essentials
The following figure shows the permission request page displayed on installation.
Because this application is packaged as an installation file, it does not need particular permissions other than the permission for sending SMS.
* Permission explanations
- <uses-permission android:name="android.permission.SEND_SMS" > </uses-permission>
After installation, the run screen in the following figure is shown.
The application tries to download an application called "geared", and the user can click the "Next" button to download and install it.
* Permission requirement of "Geared"
* Run screen
The "Rules" page shows the terms and conditions, as follows.
The page contains the phrase "make payment" in connection with accessing certain content and paying via SMS. However, users rarely read this page.
One unusual thing is that the two applications have different package names.
* Comparison of package names
- Malicious application : com.depositmobi
- Game application : com.scoreloop.games.geared
* Detailed analysis
The malicious function can be seen in the following code.
This malicious function is activated after the application is executed and the button is clicked, and the victim cannot notice that an SMS is being sent.
When the SMS is sent as an SMS Delivery code, it is not recorded in the sent box.
In addition, this malicious application runs code that checks the operator of the infected smartphone and sets the language based on the result.
The "Raw" folder contains "countries.cfg", used for setting the language, and "sms.cfg", used for parsing the URL from which the additional game application (geared) is downloaded.
* URL for downloading game application(geared)
- http://moyandroid.net/(~~)/download.php?id
Part of the following code consists of country codes.
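The traits described in this analysis (SEND_SMS as the requested permission, the two configuration files in the "Raw" folder, and a package name that differs from the game being delivered) can be checked together during static triage. The sketch below is an added example, not code from the analyzed sample or from the original post; it assumes the manifest has already been decoded to text XML, that the "Raw" folder corresponds to `res/raw/` inside the APK, and the function name `triage` and the sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSION = "android.permission.SEND_SMS"
# Config files named in the analysis; the res/raw/ prefix is an assumption.
CONFIG_FILES = {"res/raw/countries.cfg", "res/raw/sms.cfg"}


def triage(manifest_xml, apk_entries, claimed_package=None):
    """Return a list of findings for one decoded APK (hypothetical helper).

    manifest_xml    -- AndroidManifest.xml already decoded to text XML
    apk_entries     -- file names inside the APK (e.g. ZipFile.namelist())
    claimed_package -- package name of the app the installer says it delivers
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    if SMS_PERMISSION in perms:
        findings.append("requests SEND_SMS")
        if perms == {SMS_PERMISSION}:
            findings.append("SEND_SMS is the only permission requested")
    present = CONFIG_FILES & {e.lower() for e in apk_entries}
    if present:
        findings.append("config files in raw folder: " + ", ".join(sorted(present)))
    if claimed_package and package != claimed_package:
        findings.append(f"package {package} differs from claimed {claimed_package}")
    return findings


# Constructed sample input modelled on the details given in this post.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.depositmobi">
  <uses-permission android:name="android.permission.SEND_SMS"></uses-permission>
</manifest>"""
SAMPLE_ENTRIES = ["AndroidManifest.xml", "classes.dex",
                  "res/raw/countries.cfg", "res/raw/sms.cfg"]

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_ENTRIES,
                       "com.scoreloop.games.geared"):
        print("[!]", line)
```

None of these findings is conclusive on its own; legitimate messaging applications also request SEND_SMS, so the value is in the combination.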
3. How to prevent
This kind of SMS-related malicious application is a major trend among malicious applications for Android.
This malicious application, however, is distinctive in that it uses various social engineering techniques and targets multiple countries. To use a smartphone safely against the security threats posed by these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.
* Smartphone security management tips
1. Use anti-virus software from a trustworthy security company, keep it updated to the latest engine, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text, or e-mail messages from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.
* INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above with nProtect Mobile for Android, and runs a response system against various security threats.