[Information] Malicious app disguised as a smartphone information checking tool

1. Introduction

The INCA Internet response team detected a malicious application on unofficial Chinese Android markets that collects smartphone information and tries to leak it. The application is presented as a tool for collecting smartphone information; however, it collects various information and tries to leak it if the device is rooted. If the application obtains root permission, it can connect to a certain external server and perform various malicious behaviors. Users therefore need to be careful when using their smartphones.

2. Spreading path and symptom of infection

This malicious file can be spread via unofficial Chinese Android markets.

This app has not appeared in Korea so far, but it can be installed on Android smartphones.

This malicious application requires the following permissions.

Required permissions

- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.INSTALL_PACKAGES"
- android:name="android.permission.DELETE_PACKAGES"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_FINE_LOCATION"

In addition, the application creates the following icon once installation is complete.

Malicious behaviors

- Requests root permission on a rooted smartphone
- Installs an additional malicious application
- Collects smartphone device information and tries to leak it

If the infected smartphone is rooted, the malicious application requests root permission.

The malicious application registers one receiver and one service, which carry out the following malicious behaviors.

Malicious behaviors of receiver and service

- It monitors the installation status of the additional malicious application (audio.service.apk) with a broadcast receiver.
- It starts the additional malicious application once it has been installed.

- It checks the rooting status.
- It requests root permission if the device is rooted.
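
A triage check for the manifest traits described above (the permission set and the install-monitoring receiver), as an added example that is not part of the original analysis. The sample manifest, its package and component names, and the choice of android.intent.action.PACKAGE_ADDED as the monitored broadcast are assumptions.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."
# Permission set listed in this report.
REPORTED = {P + n for n in (
    "READ_PHONE_STATE", "INSTALL_PACKAGES", "DELETE_PACKAGES",
    "ACCESS_NETWORK_STATE", "ACCESS_COARSE_LOCATION", "INTERNET",
    "ACCESS_FINE_LOCATION")}
# System/signature-only permissions; unusual for a third-party app.
PRIVILEGED = {P + "INSTALL_PACKAGES", P + "DELETE_PACKAGES"}
# Assumption: the install-monitoring receiver listens for this broadcast.
INSTALL_ACTIONS = {"android.intent.action.PACKAGE_ADDED"}

# Constructed sample (decoded manifest text), not taken from the malware.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.deviceinfo">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".InstallWatcher">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return the manifest traits that match the behaviour in this report."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    watchers = sorted(
        r.get(NAME, "") for r in root.iter("receiver")
        if any(a.get(NAME) in INSTALL_ACTIONS for a in r.iter("action")))
    return {
        "package": root.get("package"),
        "reported_overlap": sorted(perms & REPORTED),
        "privileged": sorted(perms & PRIVILEGED),
        "install_watchers": watchers,
        # Flag only when both signals are present together.
        "suspicious": bool(perms & PRIVILEGED) and bool(watchers),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The input is the text form of AndroidManifest.xml, so a binary manifest has to be decoded first.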

The additional malicious application is stored encrypted inside the malicious file; it is decrypted with the following code and can then be installed.

Furthermore, it collects smartphone device information with the following code.

The collected smartphone device information can be shown to the user with image files.

In addition, the collected information can be leaked to a certain external site with the following code.

The following figures show the collected information and the external site.

Smartphone device information that is collected and leaked

- GPS info (CELL type)
- SIM status (communication availability status)
- Network provider info
- Roaming status

External site URL

- http://svr.[~~].com/Notice/

Malicious behavior of audio.service.apk (additionally downloaded malicious file)

This additional malicious application works similarly to the previous malicious application.

Malicious behaviors of audio.service.apk

- Checks the rooting status
- Collects smartphone device info and leaks it to an external site

However, the additionally installed malicious application collects slightly different information.

Collected smartphone device info

- GPS info (CELL type)
- Smartphone model info
- SDK info
- Version info (2.01)
- Network status info (3G, LTE, WIFI)

URL of external site

- http://svr.(~~~).com/Foreuner/

3. How to prevent

A malicious application running with root permission can modify the device. It can therefore download additional malicious applications or send premium SMS messages. To use smartphones safely against the security threats posed by these malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites on a smartphone.
5. Try not to open MMS, text, or e-mail messages from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above with “nProtect Mobile for Android”, and runs a response system against various security threats.

Diagnosis name

- Backdoor/Android.Xsider.A
- Backdoor/Android.Xsider.B

