
1/10/2012

[Warning] Android malicious file on Japanese porn site

1. Information

A few days ago, the spread of a malicious Android application through a file-sharing site became a big issue.
Officially, that was the first such case to be found. INCA Internet Security Response Center's Emergency Response Team has now detected a malicious file aimed at Japanese users, so we want to share what we found.
This malicious application shows the same symptoms as the one found earlier in Korea.



Though it doesn't have a malicious purpose, merely collecting information without the user's consent can be harmful someday.

[Information] Automatic detection and analysis system of malicious Android application
http://en-erteam.nprotect.com/2011/12/information-automatic-detection-and.html

2. Spreading path and symptoms of infection

No specific damage from this malicious APK file has been reported in Korea; however, it is only spreading on Japanese porn sites, and it has been added as a pattern to our anti-virus.

Spreading paths

- Direct URL link on a certain porn site
- Disguised as an essential file on the distributor's web site




Clicking the URL on that site downloads the APK file.


Users can download it from the Japanese porn site.


This malicious application requests the following permissions.


Permission explanation

- android:name="android.permission.GET_ACCOUNTS"
- android:name="android.permission.INTERNET"

After installation, the following launcher icon is created, but it has no name.


Symptoms of infection

After installation, running the malicious application redirects the user to a payment page.



The sequence of malicious behaviors is as follows.

Malicious behaviors

- Collects Google Email accounts
- Collects smartphone information including IMEI and contact
- Tries to leak it to an external site:
  hxxp://(~).com/send.php?a_id=[IMEI]&telno=[telephone number]&m_addr=[Google Email account]&usr_id=[NULL]

It accesses the porn site with that address and registers a receiver with the following code.



We can examine the receiver registration procedure. At this point, the receiver checks for a certain service, and if that service is running, it tries to leak the information to an external site.



The capture of the dynamic debugging procedure shows the information being forwarded to "hxxp://(~).com/send.php?a_id=[IMEI]&telno=[telephone number]&m_addr=[Google Email account]&usr_id=[NULL]".
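
The request format above gives defenders something concrete to search for in proxy or gateway logs. The following Python example is an added illustration, not code from the original post or from INCA Internet: it flags send.php requests that carry the a_id, telno and m_addr parameters and checks whether the values look like an IMEI (15 digits with a valid Luhn check digit), a phone number and an e-mail address. The log line layout, the example.invalid host names and all sample values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the request format quoted in the post.
LEAK_PARAMS = ("a_id", "telno", "m_addr")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_imei(value):
    """True for a 15-digit string whose Luhn check digit is correct."""
    if not re.fullmatch(r"\d{15}", value):
        return False
    total = 0
    for pos, ch in enumerate(reversed(value)):
        d = int(ch) * 2 if pos % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(url):
    """Return a finding dict for a send.php-style leak request, else None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/send.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # usr_id may be empty
    if not all(name in query for name in LEAK_PARAMS):
        return None
    imei, phone, mail = (query[name][0] for name in LEAK_PARAMS)
    return {
        "host": parts.hostname,
        "imei_valid": is_imei(imei),
        "phone_like": bool(re.fullmatch(r"\+?\d{7,15}", phone)),
        "email_like": bool(EMAIL_RE.match(mail)),
    }

def scan(log_lines):
    """Yield (client_ip, finding) for each matching line of the assumed log format."""
    for line in log_lines:
        fields = line.split()
        finding = classify(fields[3]) if len(fields) >= 4 else None
        if finding:
            yield fields[1], finding

# Constructed sample lines in an assumed "<timestamp> <client_ip> <method> <url>" layout.
SAMPLE_LOG = [
    "2012-01-10T09:15:02 10.0.0.23 GET http://collector.example.invalid/send.php?a_id=490154203237518&telno=09012345678&m_addr=user%40gmail.com&usr_id=",
    "2012-01-10T09:15:40 10.0.0.31 GET http://shop.example.invalid/send.php?msg=hello",
    "2012-01-10T09:16:11 10.0.0.23 GET http://collector.example.invalid/index.html",
]

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```

A hit where all three checks are true identifies the client address of a handset that should be inspected; a hit with only some checks true is still worth a look because the parameter set itself is unusual.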







3. How to prevent

This malicious application was aimed at Russia and China; however, it is now spreading all over the world. To use smartphones safely despite the security threats from such malicious applications, we recommend that general users follow the "Smartphone security management tips" below.


Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites on a smartphone.
5. Try not to open MMS, text, or e-mail messages from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above through "nProtect Mobile for Android", and runs a response system against various security threats.

Diagnosis name
- Trojan/Android.Jporn.A
