[Information] Android applications without run icon

1. Introduction

Generally, to run app, we click shortcut button, however; some malicious apps doesn't include its run icon.
In this case, users can't recognize when this app run. For malicious app creators, hiding run icon is booming. Therefore, we have to check whether this application has its run icon or not after install applications.
This malicious application doesn't intend to be created for malicious way though, it doesn't have its run icon.

[Issue] Zombie phone on calling for Korean user? 

2. Spreading cases and symptom of infection

In case of this malicious application, APK file spreads via file-sharing site and web page.
We can download malicious application and manual on creator's web page.


This malicious application needs permissions as following.


- android:name="android.permission.GET_TASKS"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.INTERNET"
- android:name="android.permission.CALL_PHONE"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.WRITE_CONTACTS"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.ACCESS_FINE_LOCATION"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"
- android:name="android.permission.MODIFY_PHONE_STATE"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.DISABLE_KEYGUARD"
- android:name="android.permission.VIBRATE"
- android:name="android.permission.MODIFY_AUDIO_SETTINGS"

After installation, it doesn't create run icon. So, user can find installation status on "settings" -> "application" -> "management".

Malicious function analysis

Malicious functions

- Monitor SMS
- Collect GPS information
- Collect call history
- Collect internet usage information
- Collect information(IMEI, Android OS SDK)
- Collect account information(ID/PW)
- Try to send information to external server
- Other symptoms(battery drains)

To perform malicious functions, users have to sign in on certain web site. Mobile site is as following.

Creating account is easy to make.

This malicious application uses client activation with registering several broadcast receiver. At this time, certain calling number(#123456*) will be followed when detecting "phone calling event". To meet condition, calling to certain number(#123456*) will activate malicious application and create DB file(SPYOO.db).

At the same time, this malicious application shows setting page.

Fill the blank and click "Login", this malicious application will execute malicious service in its inside. Due to these malicious services, all leaked information will be redirected to creator's webpage. Following figure shows processes information on running malicious service.

Besides, this malicious application can customize in Setting menu. Following elements can be modified.

As you can see in "Setting", you can change various settings.

In case of GPS, detail settings can be modified. Clicking "Exit" after modified setting will make receiver and service run on background. After activating process of this malicious application,  it will collect SMS, GPS, call history, internet usage, IMEI, SDK versions.

Following image is DB status.


Collected information will be recorded in DB and leaked external site with following code.

Following figure is debugging screen on leaking.

Collected information can be found on creator's home page.

Not only GPS information, SMS, call history, and internet usage information can be searched. But SMS, call history, and internet usage can be seen after payment.

Main effects of this malicious application are collecting and leaking information and battery drain. This malicious application use WakeLock for using on background. To be safe from battery drain, users need to release acquire().

3. How to prevent

These 3 reasons "Needs simple information for make account", "Needs short time to authenticate" and "Has no run icon" are proof of its malicious file. To use smartphone safely from security threats of these malicious applications, we recommend following tips "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function.
2. Download the proven application by multiple users at all times.
3. Use mobile anti-virus SW to check downloaded application before using it.
4. Do not visit suspicious or unknown site via smartphone.
5. Try not to see MMS, text, e-mail from uncertain user.
6. Set strong password on smartphone always.
7. Turn the wireless interfaces like Bluetooth only be used.
8. Do not save important information on phone.
9. Do not try illegal customizing like rooting or jailbreak.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with “nProtect Mobile for Android” for mobile such as malicious file stated above and runs responding system against various security threats.