INCA Internet's response team has released a report on an Android malicious file that contains bot functionality.
No damage from this kind of Android malicious file has been reported so far; however, the file can turn an infected device into a zombie phone capable of data theft and remote control.
In particular, the file checks for Korean APNs (Access Point Names), so there is a possibility that its spread extends to Korea.
[Caution] Real case of spreading Android malicious file
[Information] Automatic detection and analysis system of malicious Android application
2. Spreading cases and symptom of infection
Android malicious applications spread through third-party markets, various black markets, and even Google's official market. The open platform is a strength of Android; however, it also exposes users to a variety of security threats. This malicious application came from an unofficial Chinese Android market.
This malicious application requests the following permissions.
This malicious application uses the same icon as Google's. It does not have a launcher icon, however;
it can be found under "Settings" -> "app" -> "manage".
Analysis of malicious functions
This malicious application has no launcher icon and runs only in the background.
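As an added triage example (not code from the report or from INCA Internet), the script below parses a decoded AndroidManifest.xml and flags the pattern described above: a set of sensitive permissions matching the reported behaviour (SMS monitoring and sending, IMEI/IMSI, GPS, call recording, reboot) combined with no launcher activity. The permission set and the sample manifest are constructed assumptions, since the report's own permission list is not reproduced here in text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities the report describes. This set is an
# assumption; the report's actual permission list is not available as text.
SUSPECT_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.REBOOT",
}

def triage_manifest(manifest_xml):
    """Return (matched suspect permissions, has_launcher_icon) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    has_launcher = False
    for activity in root.iter("activity"):  # only activities can own a launcher icon
        for flt in activity.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                has_launcher = True
    return sorted(perms & SUSPECT_PERMISSIONS), has_launcher

def is_suspicious(manifest_xml, min_matches=4):
    """Flag a background-only app (no launcher icon) holding many sensitive permissions."""
    matched, has_launcher = triage_manifest(manifest_xml)
    return len(matched) >= min_matches and not has_launcher

# Constructed sample manifest (not the real sample): a background service and an
# SMS receiver, no launcher activity, Google-like label.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REBOOT"/>
  <application android:label="Google Services">
    <service android:name=".BotService"/>
    <receiver android:name=".SmsWatcher"/>
  </application>
</manifest>"""
```

Feeding the same manifest with a MAIN/LAUNCHER activity added makes `is_suspicious` return False, so the heuristic keys on the hidden-icon trait rather than on the permissions alone.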
- Acts as a bot and monitors SMS
The bot function is triggered only when a certain condition (a specific string) is met.
- Collects information
This malicious file collects the IMEI, IMSI and GPS location with the following code.
The collected information is then processed as XML and sent to a specific site.
- Sends SMS to the attacker
This malicious application sends SMS messages containing the collected information and the execution status of its code.
With the code above, it deletes its own sent-message history, so the user cannot notice that anything was sent.
- Records voice calls
After infection, this malicious application monitors the call state with a listener and, under a certain condition, records voice calls to .amr files.
- Captures the screen
This malicious application registers a malicious service and attempts to capture the screen as a .jpg.
- Checks the APN (Access Point Name)
This malicious application checks the APN and its settings with the following code.
The parsed XML contains various APNs, including Korean APNs (web.sktelecom.com, ktfwing.com).
- Tries to kill a certain package
This malicious application can kill a specific application with the following code.
However, this API only works on SDK 2.1 or lower.
- Tries to reboot under a certain condition
To work completely, this malicious application needs the device to be rebooted. "android.permission.REBOOT" works only on rooted phones.
3. How to prevent
This malicious application was tested on an Android phone in Korea, but it did not perform all of its malicious functions.
To use smartphones safely against security threats from malicious applications like this one, we recommend the following "Smartphone security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and removal of malicious files such as the one described above through "nProtect Mobile for Android", and operates a response system against a variety of security threats.