[Information] Malicious Android application targeting Japanese women

1. Introduction

A malicious Android application that targets Japanese women has been reported. Malicious applications usually target men; this is the first case found that targets women. In addition, if this malicious application is installed in a Korean environment, personal information can also be leaked. Users therefore need to be careful when downloading and using applications.

2. Spreading path and symptoms of infection

This malicious application has 2 spreading methods.

Source: http://www.symantec.com/connect/blogs/loozfon-malware-targets-female-android-users

One is to send spam e-mail that tries to induce the user to click a link in the mail. The other is to induce the user to click a link for meeting a man. Both methods lead to downloading and installing the malicious application.

Analysis info

Malicious behavior procedure

- Tries to collect and leak IMEI info
- Collects contact info (name, telephone number, e-mail address)
- Accesses a certain web site [http://58.(~~).(~~).229//(~~)/addressBookRegist] (External URL)

This malicious application requires the following permissions.

The following image shows all permissions in "AndroidManifest.xml".

Whether this malicious application is installed can be checked under "Settings" > "Applications" > "Manage applications".

This malicious application does not register any receiver or service; instead, it counts from 1 to 0 as follows.

This counting is implemented as a repetition. On each pass it collects personal and device information and tries to leak it to a certain web site.

The following code shows the collection of information and the leaking of the collected information to a certain web site.

Detailed info on the code for leaking information

The red box shows the IMEI being collected by referring to another class.

The green box shows the smartphone's phone number being collected.

The blue box distinguishes between Android version 1.6 or lower and Android version 1.6 or higher. There was a big change in the API for collecting contacts, and this malicious application can collect contacts in both cases.

The following code shows the case where the Android version is 1.6 or higher.

From this code, we can see that it collects the name, phone number, and mail address.

We assume this malicious application is intended for sending spam mail and collecting various information (contacts, IMEI, and personal info).
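A manifest triage check for the profile described above, as an added example that is not code from the analysed sample or from this report. It assumes the manifest has already been decoded to text XML, and it assumes the standard Android permissions READ_PHONE_STATE, READ_CONTACTS and INTERNET correspond to the listed behaviors, since the report's own permission list is only shown as an image; a match is a reason for closer analysis, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the behaviors listed in the analysis to the standard
# Android permissions they need (the report's own list is not reproduced).
BEHAVIOUR_PERMS = {
    "reads IMEI / phone number": "android.permission.READ_PHONE_STATE",
    "reads contacts": "android.permission.READ_CONTACTS",
    "sends data to a web site": "android.permission.INTERNET",
}

# Constructed sample manifest (decoded text XML, not taken from the sample).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return requested permissions, matched behaviors and component counts."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    matched = sorted(b for b, p in BEHAVIOUR_PERMS.items() if p in perms)
    app = root.find("application")
    counts = {tag: len(app.findall(tag)) if app is not None else 0
              for tag in ("activity", "service", "receiver")}
    # Profile from the analysis: all three capabilities are requested and
    # no receiver or service is registered (the work runs from an activity).
    suspicious = (len(matched) == len(BEHAVIOUR_PERMS)
                  and counts["service"] == 0 and counts["receiver"] == 0)
    return {"package": root.get("package"), "permissions": sorted(perms),
            "behaviours": matched, "components": counts,
            "matches_profile": suspicious}


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```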

3. How to prevent

There are many reports of various malicious applications created for financial purposes. This malicious application can easily collect and leak information. To use a smartphone safely against the security threats posed by such malicious applications, we recommend that general users follow the "Smartphone security management tips" below.

Smartphone security management tips

1. Use anti-virus SW from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
2. Always download applications that have been proven by multiple users.
3. Use mobile anti-virus SW to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are to be used.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above with "nProtect Mobile for Android", and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.Loozfon.A
- Trojan-Spy/Android.Loozfon.B