[Issue] Zombie phone on calling for Korean user?

1. Introduction

The INCA Internet response team has published a report on a malicious file that contains bot functionality.
No damage from this kind of Android malicious file has been reported so far; however, this file can turn a device into a zombie phone that leaks data and accepts remote control.
In particular, this malicious file checks for Korean APNs (Access Point Names), so its infection range may spread to Korea.

- Check Korean APN
- Zombie phone can breach your data
- DDoS Attack, Spreading malicious spam, Record voice call

2. Spreading cases and symptom of infection

Android malicious applications spread via third-party markets, various black markets, and even the official Google market. Android's open platform is an advantage; however, it also exposes users to various security threats. This malicious application came from an unofficial Chinese Android market.

Install phase

This malicious application requests the following permissions.


- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.MODIFY_PHONE_STATE"
- android:name="android.permission.CALL_PHONE"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.RECORD_AUDIO"
- android:name="android.permission.CAMERA"
- android:name="android.permission.MODIFY_AUDIO_SETTINGS"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.WRITE_CONTACTS"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.ACCESS_FINE_LOCATION"
- android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"
- android:name="android.permission.ACCESS_MOCK_LOCATION"
- android:name="android.permission.UPDATE_DEVICE_STATS"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.DEVICE_POWER"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.DISABLE_KEYGUARD"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.READ_LOGS"
- android:name="android.permission.KILL_BACKGROUND_PROCESSES"
- android:name="android.permission.RESTART_PACKAGES"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.WRITE_APN_SETTINGS"
- android:name="android.permission.BLUETOOTH"

This malicious application uses the same main icon as Google's. It has no launcher icon, however; it can be found under "Settings" -> "app" -> "manage".
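The install-phase traits above (the requested permissions and the missing launcher icon) can be checked from a decoded AndroidManifest.xml. The following is an added triage example, not code from the sample or from INCA Internet; the permission-to-behaviour mapping, the flag names and the constructed manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed mapping: permission sets -> behaviours described in this report.
BEHAVIOURS = {
    "sms-monitoring": {"RECEIVE_SMS", "READ_SMS"},
    "sms-send-and-erase": {"SEND_SMS", "WRITE_SMS"},
    "call-recording": {"READ_PHONE_STATE", "RECORD_AUDIO"},
    "apn-access": {"WRITE_APN_SETTINGS"},
    "boot-persistence": {"RECEIVE_BOOT_COMPLETED"},
    "package-kill": {"RESTART_PACKAGES"},
}

def triage_manifest(manifest_xml):
    """Return sorted behaviour flags for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            requested.add(name[len(PREFIX):])
    flags = [label for label, needed in BEHAVIOURS.items() if needed <= requested]
    # No LAUNCHER category means no icon in the app drawer (background-only app).
    launcher = any(
        c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
        for c in root.iter("category")
    )
    if not launcher:
        flags.append("no-launcher-icon")
    return sorted(flags)

# Constructed sample: a subset of the permissions listed above, service only.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><service android:name=".ConstructedService"/></application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A flag here is a reason to inspect the application further, not a verdict; legitimate applications also request some of these permissions.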


Analysis of malicious function

This malicious application has no launcher icon and runs only in the background.

Malicious functions

- Perform as a Bot
- Monitor SMS
- Collect information(IMEI, IMSI, GPS)
- Sends SMS to attacker(Premium service)
- Record voice call
- Capture screen
- Check APN(Access Point Name)
- Try to quit certain package
- Try to reboot on condition

- Perform as a Bot and Monitor SMS

The bot function is triggered by a certain condition (a string).

When a certain SMS is received, the code checks the condition and performs the malicious function.

- Collects information

This malicious file collects the IMEI, IMSI, and GPS location with the following code.

In addition, the collected information is sent to a certain site after being XML-parsed.

- Sends SMS to attacker

This malicious application sends SMS messages containing the collected information and the run status of the code.

With the code above, it removes the sent-message history itself, so the user cannot tell that messages were sent.

- Record voice call

After infection, this malicious application monitors voice call status with a listener and, under a certain condition, records the call as a .amr file.

- Capture screen

This malicious application registers a malicious service and tries to capture the screen as a .jpg file.

- Check APN(Access Point Name)

This malicious application checks the APN and its settings with the following code.

APN(Access Point Name)

- Access Point Name (APN) is a configurable network identifier used by a mobile device when connecting to a GSM carrier. The carrier will then examine this identifier to determine what type of network connection should be created, for example: what IP addresses should be assigned to the wireless device, what security methods should be used, and how or if, it should be connected to some private customer network.

The parsed XML contains various APNs, including Korean APNs (web.sktelecom.com, ktfwing.com).

APN addresses in this app

- http://mmsc.monternet.com
- http://mmsc.myuni.com
- http://www.wo.com.cn
- http://mmsc.vnet.mobi
- http://mms.emome.net

- http://mms.catch.net.tw
- http://mms.kgtmms.net.tw/mms/wapenc

- http://mms.peoples.com.hk
- http://mobile.three.com.hk
- http://3gmms.pccwmobile.com
- http://mms.smartone-vodafone.com

- http://always.ktfwing.com
- http://mmsc.ktfwing.com
- web.sktelecom.com
- smart.nate.com
- http://omms.nate.com

- Try to quit certain package

This malicious application can kill certain applications with the following code.

However, this API works only on SDK 2.1 or lower.

- Try to reboot on condition

To work completely, this malicious application needs a reboot. "android.permission.REBOOT" works only on rooted phones.

3. How to prevent

This malicious application was tested on Android phones in Korea, but it did not perform all of its malicious functions.

Test environment

- GalaxyS (Gingerbread or higher)
- GalaxyS2 (Gingerbread or higher)
- Nexus one (Gingerbread or higher)

To use smartphones safely against the security threats posed by such malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites on a smartphone.
5. Try not to open MMS, text, or e-mail messages from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of mobile malicious files such as the one described above with "nProtect Mobile for Android", and operates a response system against various security threats.
