
12/14/2011

[Information] Malicious Android app for multiple countries

1. Introduction

 
A few days ago, a premium service SMS application targeting European users became a major issue. It drew attention mainly because of its range of infection. Recently, another variant of it has been reported.
If this trend continues, a great number of malicious applications will spread all over the world.
The INCA Internet Emergency Response Team detects this application and its variants and keeps its detection updated.



No cases of damage have been reported in South Korea; however, users need to be careful when using this sort of application.

[Information] Android malicious application in Europe

http://en-erteam.nprotect.com/2011/12/information-android-malicious.html

2. Spreading path and symptoms of infection

What distinguishes this application from earlier malicious applications is that it uses the official Android Market. Of course, it can also be downloaded from black markets and third-party markets. The earlier malicious application targeted 8 countries, but this one targets 18 countries.

* Target countries (18 countries in total)

- Azerbaijan
- Armenia
- England
- Belarus
- Germany
- Georgia
- Israel
- Kazakhstan
- Kyrgyzstan
- Latvia
- Lithuania
- Russia
- Poland
- Tajikistan
- Ukraine
- France
- Czech Republic
- Estonia

The malicious code is embedded in various applications (27 apps in total), including games and wallpapers.


Image by Symantec Blog

* List of malicious applications officially listed in Android Market

Corazon LLC:
- Horoscope (horoscope.android)
- Horoscope (com.corazon.horoscope)

Corelly LLC:
- Horoscope (com.corelly.horoscope)

Ranzy LLC:
- Twilight (com.Twilight.wallpapers)
- Puss in Boots (com.Puss.Boots.wallpapers)
- Moneyball (com.Moneyball.wallpapers)

Astrolog LLC:
- Sim City Deluxe FREE (com.astrolog.sim.city.deluxe.free)
- Need for Speed Shift FREE (com.astrolog.need.forspeed.shift.free)
- Great Little War Game FREE (com.astrolog.great.little.war.game.free)

Logastrod:
- Cut the Rope (com.Cut.the.Rope)
- Angry Birds (com.Angry.Birds)
- Assassins Creed (com.Assassins.Creed)
- Talking Tom Cat (com.Talking.Tom.Cat)
- NEED FOR SPEED Shift (com.nsf.Shift)
- Where is My Water? (com.swampy.Water)
- Great Little War Game (com.Great.little.War.Game)
- World of Goo (com.World.Goo)
- Shoot The Birds (com.Shoot.The.Birds)
- Riptide GP (com.Riptide.GP)
- Talking Larry the Bird (com.Talking.larry.Bird)
- Bag It! (com.Bag.It)
- Talking Larry the Bird (com.Talking.Larry.Bird)
- Angry Birds (com.Angry.Birds.free)

Allwing Concept:
- TETRIS (com.tetris.free)
- Pool Master Pro (com.Pool.Master.free)
- Reckless Racing (com.Reckless.Racing.free)
- Paradise Islad (com.Paradise.Island.free)

Because these malicious applications are disguised as games or wallpapers, general users cannot detect them.
This malicious application works the same way as the earlier premium service SMS malicious application, but it also tries to download and install an additional APK file from the following URL (this link has been blocked).

* APK file download URL

http://(~~)/app/riptide.apk

* Condition for download

When the country code of the infected smartphone is not among the 18 countries above.

The following figure shows the application's run screen.




 
This malicious application tries to download and install an additional APK file, and then checks the country code of the infected smartphone. If the code is among those 18 countries, it sends a certain message to the victim's phone and removes the reply from the premium SMS service provider, as shown in the following code.



3. How to prevent

To sum up, the most notable features of this malicious application are that it used Google's Android Market, that it targeted specific countries, and that it used a variety of applications to spread. It also used social engineering techniques to conceal itself.
To use smartphones safely despite the security threats posed by these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as those described above through “nProtect Mobile for Android”, and operates a response system against various security threats.

Diagnosis name

- Trojan-SMS/Android.EUsendSMS.A
- Trojan-SMS/Android.EUsendSMS.B


6 comments:

  1. I should say that this is a great article.

    As an Android user I very much appreciate a piece devoted to my chosen platform. The competition between iOS and Android should get very interesting in 2012, and I look forward to more insightful journalism like this!


    Android app developer

  2. Thank you because you have been willing to share information with us. We will always appreciate all you have done here because I know you are very concerned with our. GroupMe Online

  3. I concur with your idea. Helpful data shared. I am exceptionally upbeat to peruse this article. Much obliged for giving us pleasant data. Fabulous stroll through. I value this post. Latest APK File

  4. NCA android app is good because you can have other things Techfileoria
