[Information] Malicious app disguised as a smartphone information checking tool

1. Introduction

INCA Internet's response team has detected, on an unofficial Chinese Android market, a malicious application that collects smartphone information and attempts to send it to an external server. The application is presented as an information checking tool for the smartphone; in reality it collects a range of device information and, if the device is rooted, attempts to leak it. Once it obtains root permission it can connect to a specific external server and carry out further malicious behaviour, so users should take care when using their smartphones.

2. Spreading path and symptom of infection

This malicious file is distributed through unofficial Chinese Android markets.

It has not yet been seen in Korea, but it can be installed on any Android smartphone.

The malicious application requests the following permissions:

Requested permissions

- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.INSTALL_PACKAGES"
- android:name="android.permission.DELETE_PACKAGES"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_FINE_LOCATION"

After installation, the application creates the following icon.

Malicious behaviors

- Requests root permission on a rooted smartphone
- Installs an additional malicious application
- Collects smartphone device information and attempts to leak it

If the infected smartphone is rooted, the malicious application requests root permission. (The INSTALL_PACKAGES and DELETE_PACKAGES permissions it declares are reserved for system apps on stock Android, so silently installing the second-stage application requires root.)

The application registers one broadcast receiver and one service, which carry out the following malicious behaviours.

Malicious behaviours of the receiver and service

Receiver:
- Monitors the installation status of the additional malicious application (audio.service.apk) through a broadcast receiver.
- Launches the additional application once it has been installed.

Service:
- Checks whether the device is rooted.
- Requests root permission if it is.
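The permission set and the receiver/service pattern above can be checked statically before the sample is ever run. The following triage script is an added example (it is not INCA's code or the malware's own code): it parses a decoded AndroidManifest.xml, flags the system-only install permissions, the device-info-plus-INTERNET combination, and any receiver that reacts to package installs. Both manifests in the block are constructed samples written to mirror the page's description; the component names (.InstallWatcher, .RootService) and package names are assumptions, not identifiers from the real sample.

```python
"""Static triage of an Android manifest for the dropper pattern above.

Added example (not INCA's or the malware's code). Both manifests are
constructed samples that mirror the page's description; they are not
the real sample's manifest.
"""
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Reserved for system/signature apps on stock Android: a third-party app
# declaring them can only exercise them after escalating to root.
SYSTEM_ONLY = {"android.permission.INSTALL_PACKAGES",
               "android.permission.DELETE_PACKAGES"}
COLLECTION = {"android.permission.READ_PHONE_STATE",
              "android.permission.ACCESS_COARSE_LOCATION",
              "android.permission.ACCESS_FINE_LOCATION",
              "android.permission.ACCESS_NETWORK_STATE"}
EXFIL = {"android.permission.INTERNET"}
# Broadcasts a receiver subscribes to when it wants to react to a package
# being (re)installed, as the dropper does for audio.service.apk.
INSTALL_ACTIONS = {"android.intent.action.PACKAGE_ADDED",
                   "android.intent.action.PACKAGE_REPLACED"}

SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.infochecker">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Phone Info">
    <receiver android:name=".InstallWatcher">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <service android:name=".RootService"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return declared permissions and components plus a list of findings."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    app = root.find("application")
    receivers = [] if app is None else list(app.iter("receiver"))
    services = [] if app is None else [s.get(NAME) for s in app.iter("service")]
    findings = []

    system_only = perms & SYSTEM_ONLY
    if system_only:
        findings.append("system-only permissions (usable only with root): "
                        + ", ".join(sorted(system_only)))
    if perms & COLLECTION and perms & EXFIL:
        findings.append("device-info permissions plus INTERNET "
                        "(collection and exfiltration capable)")

    watchers = []
    for r in receivers:
        actions = {a.get(NAME) for a in r.iter("action")}
        if actions & INSTALL_ACTIONS:
            watchers.append(r.get(NAME))
    if watchers:
        findings.append("receiver reacting to package installs: "
                        + ", ".join(watchers))
    # The combination is the dropper signature described on the page: it
    # needs root to install a second stage silently, and it waits for it.
    if system_only and watchers:
        findings.append("dropper pattern: install permissions + install watcher")

    return {"permissions": sorted(perms),
            "receivers": [r.get(NAME) for r in receivers],
            "services": services,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST),
                        ("benign", BENIGN_MANIFEST)):
        print(label, "->", triage_manifest(text)["findings"] or ["no findings"])
```

The script expects a decoded (text) manifest; a manifest pulled straight out of an APK is in binary XML and must first be decoded with a tool such as apktool or aapt. The dropper finding is deliberately tied to the combination of install permissions and an install-watching receiver, since either on its own also appears in legitimate device-management software.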

The additional malicious application is embedded in the malicious file in encrypted form; it is decrypted with the following code and then installed.

The application also collects smartphone device information with the following code.

The collected device information is displayed to the user as images.

The collected information is then sent to a specific external site with the following code.

The following figures show the collected information and the external site.

Collected and leaked smartphone device information

- GPS info (cell-based location)
- SIM status (whether communication is available)
- Network provider info
- Roaming status

External site URL

- http://svr.[~~].com/Notice/

Malicious behaviour of audio.service.apk (the additionally installed malicious file)

The additional malicious application behaves much like the first one.

Malicious behaviours of audio.service.apk

- Checks whether the device is rooted
- Collects smartphone device info and leaks it to an external site

However, the additionally installed application collects a slightly different set of information.

Collected smartphone device info

- GPS info (cell-based location)
- Smartphone model info
- SDK info
- Version info (2.01)
- Network status info (3G, LTE, WIFI)

External site URL

- http://svr.(~~~).com/Foreuner/
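The two leak endpoints above (/Notice/ for the dropper, /Foreuner/ for audio.service.apk) are the observable network footprint of an infection. The following script is an added example, not INCA's code: it runs a detection over proxy log lines and reports which clients contacted each endpoint. Because the page redacts the hostname (svr.[~~].com), the rule keys on the "svr." host prefix together with the two paths rather than on a full hostname; the log lines, the squid-style log format and the placeholder hostname svr.redacted-example.com are constructed for the example.

```python
"""Flag proxy-log requests to the two leak endpoints described above.

Added example, not INCA's code. The log lines are constructed; the
hostname is redacted on the page, so the rule matches "svr.<anything>.com"
plus the /Notice/ and /Foreuner/ paths rather than a full hostname.
"""
import re
from urllib.parse import urlsplit

# Host pattern for the redacted C2 (svr.[~~].com) and the two report paths.
C2_HOST = re.compile(r"^svr\.[a-z0-9.-]+\.com$", re.IGNORECASE)
C2_PATHS = {"/Notice/": "dropper", "/Foreuner/": "audio.service.apk"}

# Constructed squid-style lines: timestamp client method url status.
# Line 4 has a matching path on an unrelated host and must not fire.
SAMPLE_LOG = """\
1365412000.123 10.0.0.12 GET http://www.example.com/index.html 200
1365412001.456 10.0.0.17 POST http://svr.redacted-example.com/Notice/ 200
1365412002.789 10.0.0.17 POST http://svr.redacted-example.com/Foreuner/ 200
1365412003.000 10.0.0.21 GET http://cdn.example.net/Notice/image.png 200
1365412004.000 10.0.0.17 GET http://svr.redacted-example.com/Notice/ 404
"""


def find_leak_requests(log_text):
    """Return (client, stage, url) for every request matching the C2 pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crashing the scan
        _ts, client, _method, url, _status = parts[:5]
        u = urlsplit(url)
        if not C2_HOST.match(u.hostname or ""):
            continue
        for path, stage in C2_PATHS.items():
            if u.path.startswith(path):
                hits.append((client, stage, url))
    return hits


def infected_clients(log_text):
    """Clients that reached both endpoints, i.e. the second stage also ran."""
    stages = {}
    for client, stage, _url in find_leak_requests(log_text):
        stages.setdefault(client, set()).add(stage)
    return sorted(c for c, s in stages.items() if len(s) == len(C2_PATHS))


if __name__ == "__main__":
    for hit in find_leak_requests(SAMPLE_LOG):
        print("leak request:", *hit)
    print("fully infected clients:", infected_clients(SAMPLE_LOG))
```

A client that reached both endpoints has not only run the dropper but also had the second stage installed, which is only possible on a rooted device; that is the case to escalate first.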

3. How to prevent

A malicious application running with root permission can modify the device, which may lead to the download of further malicious applications or the sending of premium-rate SMS messages. To use smartphones safely against such threats, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a reputable security company, keep its engine updated, and keep real-time detection enabled.
2. Only download applications that have been proven by many other users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites on the smartphone.
5. Do not open MMS, text messages or e-mails from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customisation such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as the one described above through "nProtect Mobile for Android" and operates a response system against various security threats.

Diagnosis name

- Backdoor/Android.Xsider.A
- Backdoor/Android.Xsider.B

1 comment:

  1. Really nice app. Thanks a lot for your sharing. I would like to share a little bit. The Google Play store is additionally home to many antivirus apps that can offer an additional layer of insurance. Discovering the right one, be that as it may, can at times be troublesome. A straightforward "antivirus" seek in the store yields more than 250 results. So which one would it be advisable for you to pick?
    Organizations like Avast, AVG, Bitdefender, Kaspersky, Sophos, Symantec (Norton), and Trendmicro have long and built histories as the absolute most trusted brands in the business.