
12/02/2011

[Information] Android malicious application in Europe

1. Introduction

The Android malicious applications found so far have been aimed at Chinese or Russian smartphone users.
However, another type of Android malicious application, which targets various countries including those in Europe, has been reported.
Its malicious functions are the same as those we have reported before, but the target has changed.



2. Spreading path and symptoms of infection

This malicious application can spread via various black markets and 3rd-party markets, and it can require the following permissions.


* Permission explanations

- android:name="android.permission.INSTALL_PACKAGES"
- android:name="android.permission.USE_CREDENTIALS"
- android:name="android.permission.INTERNET"
- android:name="android.permission.BLUETOOTH_ADMIN"
- android:name="android.permission.DEVICE_POWER"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.ACCESS_GPS"
- android:name="android.permission.ACCESS_LOCATION"

This malicious application shows only 2 permissions, as follows.
After installation, the run screen in the following figure is shown.


 
* Run Icon


* Run Screen




This malicious application shows the message "Android version is not compatible".
However, it contains malicious functions in its code.

* Malicious functions

- Set country code and use premium SMS service

This malicious application registers 1 receiver to manage SMS and can set it to a high priority.



* Receiver activation condition

* If checked

- "android.provider.Telephony.SMS_RECEIVED"



When this malicious application is executed, it gets the country code from the SIM card.
It contains the codes of 8 countries, "France, Belgium, Switzerland, Luxembourg, Canada, Germany, Spain, and England", and tries to send an SMS to a premium service number.



* Code on country code


* Code on sending premium SMS after checking country code





After checking the country code, it secretly sends a premium SMS and receives a reply SMS. At this point, the registered receiver checks the received SMS, forwards it to a certain number (0646112264), and sets a blacklist (0646112264).


Since this process intercepts the interaction between the victim and the premium SMS number, the infected user cannot recognize that it is taking place.

3. How to prevent

Its malicious functions do not differ from those we have mentioned before; however, the change of target from China or Russia to European countries is noticeable. To use smartphones safely against the security threats of these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

* Smartphone security management tips

1. Use anti-virus SW from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus SW to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text, or e-mail messages from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are to be used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions for mobile threats such as the malicious file described above with “nProtect Mobile for Android”, and runs a response system against various security threats.
