
4/25/2012

[Information] Android applications without run icon


1. Introduction


Generally, we run an app by tapping its shortcut icon; however, some malicious apps do not include a run icon.
In this case, users cannot recognize when the app is running. Hiding the run icon is becoming increasingly popular among malicious app creators. Therefore, after installing applications, we have to check whether each application has a run icon.
Although the application described here was not intended to be created for malicious use, it does not have a run icon.

[Issue] Zombie phone on calling for Korean user? 
http://en-erteam.nprotect.com/2012/04/issue-zombie-phone-on-calling-for.html

2. Spreading cases and symptom of infection

The APK file of this malicious application spreads via file-sharing sites and web pages.
The malicious application and its manual can be downloaded from the creator's web page.


Install

This malicious application requests the following permissions.


Permissions

- android:name="android.permission.GET_TASKS"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.INTERNET"
- android:name="android.permission.CALL_PHONE"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.WRITE_CONTACTS"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.ACCESS_FINE_LOCATION"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"
- android:name="android.permission.MODIFY_PHONE_STATE"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.DISABLE_KEYGUARD"
- android:name="android.permission.VIBRATE"
- android:name="android.permission.MODIFY_AUDIO_SETTINGS"

After installation, it doesn't create a run icon. The user can therefore find the installation status under "settings" -> "application" -> "management".




Malicious function analysis

Malicious functions

- Monitor SMS
- Collect GPS information
- Collect call history
- Collect internet usage information
- Collect information (IMEI, Android OS SDK)
- Collect account information (ID/PW)
- Try to send information to an external server
- Other symptoms (battery drain)

To use the malicious functions, the user has to sign in on a certain web site. The mobile site is as follows.


Creating an account is easy.

This malicious application activates its client by registering several broadcast receivers. When a "phone calling event" is detected, the dialed number is checked against a certain number (#123456*). When the condition is met, that is, when the user calls that number (#123456*), the malicious application is activated and creates a DB file (SPYOO.db).
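The two manifest-level traits described so far, the missing run icon and activation through broadcast receivers, can be checked on a decoded AndroidManifest.xml. The following Python check is an added example, not code from the analysed application or from nProtect; the sample manifest, package name and component names are constructed, and the receiver actions NEW_OUTGOING_CALL and BOOT_COMPLETED are assumed from the permissions listed above.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical
# package; it is not the manifest of the analysed application.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hidden">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".CallReceiver"><intent-filter>
      <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
    </intent-filter></receiver>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def has_launcher_icon(root):
    """True if an enabled activity or alias filters MAIN + LAUNCHER."""
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            if comp.get(ANDROID + "enabled") == "false":
                continue  # a disabled component shows no icon
            for flt in comp.iter("intent-filter"):
                actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
                cats = {c.get(ANDROID + "name") for c in flt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    return True
    return False

def triage(manifest_xml):
    """Summarise launcher visibility, receiver triggers and permissions."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    triggers = sorted({a.get(ANDROID + "name")
                       for r in root.iter("receiver") for a in r.iter("action")})
    return {"launcher_icon": has_launcher_icon(root),
            "receiver_triggers": triggers,
            "permissions": sorted(perms)}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

An app that reports no launcher icon together with call or boot triggers is worth inspecting under the application management menu mentioned above.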


At the same time, this malicious application shows its settings page.


After the user fills in the blanks and clicks "Login", the malicious application starts its internal malicious services. Through these services, all leaked information is sent to the creator's web page. The following figure shows process information while the malicious service is running.


Besides, this malicious application can be customized in its Setting menu. The following elements can be modified.


As you can see in "Setting", various settings can be changed.


For GPS, detailed settings can be modified. Clicking "Exit" after modifying the settings makes the receiver and service run in the background. Once activated, this malicious application collects SMS, GPS, call history, internet usage, IMEI, and SDK version information.


The following image shows the DB status.

 

Collected information is recorded in the DB and leaked to an external site with the following code.


The following figure is the debugging screen during the leak.


Collected information can be found on the creator's home page.


Besides GPS information, SMS, call history, and internet usage information can also be searched. However, SMS, call history, and internet usage can be seen only after payment.

The main effects of this malicious application are the collection and leaking of information and battery drain. The application uses a WakeLock to keep running in the background. To be safe from battery drain, users need to release the lock taken with acquire().

3. How to prevent

These three points, "Needs only simple information to make an account", "Needs a short time to authenticate" and "Has no run icon", are proof that this is a malicious file. To use a smartphone safely from the security threats of such malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are used.
8. Do not save important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above with "nProtect Mobile for Android", and runs a response system against various security threats.
