A malicious application called SMS Zombie has recently been found. With the boom in smartphone malware, more than 500 thousand smartphones are reported to have been infected by it. This malware targets Chinese Android users and has done no harm to Korean users so far, but the notable point is that the spread of malicious applications for monetary gain has now begun overseas.
2. Spreading path and symptom of infection
This malicious application has been spread through unofficial Chinese markets as follows.
It sends SMS messages without the user's consent, collects information, and tries to install an additional malicious application.
The installation screen is shown below.
The following image shows part of the permissions declared in AndroidManifest.xml.
Dropper-type host malicious application
Because this application registers nothing but a wallpaper service, the user has to select the following wallpaper to activate it.
Once the wallpaper runs, an AlertDialog prompting the user to install an additional application is shown.
The left button is Confirm and the right button is Cancel. If the user taps Confirm, the application tries to install the additional file carried inside the malicious file.
As shown, this file looks like an image file, but it is actually an APK file. Tapping "Confirm" installs the additional malicious application.
Analysis of the additional malicious file that performs the real malicious behaviour
The following figure shows the run screen of the additional malicious file.
This file also runs as a service, so the "Open" button is disabled. The following figure shows part of its AndroidManifest.xml, where the requested permissions can be seen.
After installation, the malicious application can be seen loaded as a service.
It also displays the device administrator activation screen to obtain that permission, as shown below.
As shown, there are two buttons, "Activate" and "Cancel", but only "Activate" works: tapping "Cancel" just shows the Activate device administrator window again.
In the end, the malware obtains device administrator permission by forcing the user to tap "Activate", and with it various rights, including control over its own removal.
※ Obtaining device administrator permission
Malicious applications usually try to obtain device administrator permission so that they cannot be removed. Once it is granted, the normal uninstall procedure no longer works.
※ How to remove
Applications of this kind exist in both malicious and legitimate forms. The following procedure is needed to remove it.
"Settings" - "Location and security" - "Device administrators"
Select the application and tap "Deactivate". Tapping "Deactivate" may appear to do nothing. Then hold the Home button - "Task manager" - "Exit all running programs" - remove this application on the Programs tab.
After installation, it creates "phone.xml" at a certain path.
"phone.xml" contains certain keywords written by the following code and encoded in Simplified Chinese.
The following figure shows the real contents of phone.xml, which let the malware capture bank account information and mobile transaction history by monitoring SMS.
The malware then secretly sends the collected information by SMS to a certain number (13093632006).
If Wi-Fi cannot be used, it sends an SMS containing the following message.
Apart from this case, the malware also checks whether the infected smartphone is rooted and sends an SMS.
This application monitors SMS. Its AndroidManifest.xml contains no declaration for this, but its internal code registers an SMS-monitoring receiver dynamically.
This is presumably because various security solutions detect SMS-monitoring receivers declared in AndroidManifest.xml.
The registered SMS receiver monitors all incoming SMS, parses them and compares them with the keywords in "phone.xml". If a message matches, an SMS is sent to the certain number.
Some of the sent SMS messages are deleted by the following code.
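The manifest traits described above (a dropper that registers only a wallpaper service and no launcher activity, a payload that requests SMS permissions and a device administrator receiver, and an SMS receiver that is registered at runtime rather than declared) can be turned into a static triage check. The script below is an added example written for this post, not code from the samples or from INCA Internet; the two manifests it scans are constructed and only mirror the behaviour described here, and the indicator names are my own.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace
SMS_PERMS = {"android.permission." + p for p in ("SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS")}
DEVICE_ADMIN = "android.app.action.DEVICE_ADMIN_ENABLED"
WALLPAPER = "android.service.wallpaper.WallpaperService"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER = "android.intent.category.LAUNCHER"


def _filter_names(component, tag):
    # Names of every <action> or <category> across the component's intent filters.
    return {e.get(A + "name") for f in component.findall("intent-filter") for e in f.findall(tag)}


def triage_manifest(xml_text):
    # Returns sorted indicator tags found in a decoded (text) AndroidManifest.xml.
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    app = root.find("application")
    found = set()
    if perms & SMS_PERMS:
        found.add("sms-permissions")
    # Dropper trait: no launcher activity (the "Open" button stays disabled) plus a wallpaper service.
    if not any(LAUNCHER in _filter_names(a, "category") for a in app.findall("activity")):
        found.add("no-launcher-activity")
    if any(WALLPAPER in _filter_names(s, "action") for s in app.findall("service")):
        found.add("wallpaper-service")
    receivers = app.findall("receiver")
    if any(DEVICE_ADMIN in _filter_names(r, "action") for r in receivers):
        found.add("device-admin-receiver")
    if any(SMS_RECEIVED in _filter_names(r, "action") for r in receivers):
        found.add("static-sms-receiver")
    # Caveat from the analysis: a receiver registered at runtime never appears in the manifest,
    # so RECEIVE_SMS with no declared SMS receiver is itself worth flagging.
    if "android.permission.RECEIVE_SMS" in perms and "static-sms-receiver" not in found:
        found.add("sms-receiver-not-in-manifest")
    return sorted(found)


# Constructed sample manifests (not the real samples) mirroring the two stages described above.
DROPPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="x.drop">
<application><service android:name=".Wall" android:permission="android.permission.BIND_WALLPAPER">
<intent-filter><action android:name="android.service.wallpaper.WallpaperService"/></intent-filter>
</service></application></manifest>"""
PAYLOAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="x.pay">
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<application><service android:name=".Svc"/>
<receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
<intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
</receiver></application></manifest>"""
```

The check expects a manifest already decoded to text (the binary manifest inside an APK must be converted first); a dynamically registered receiver will still be invisible here, which is exactly why the last indicator exists.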
3. How to prevent
Because this malware is delivered by a first-stage dropper, modifying that dropper could give rise to various further security threats. To use a smartphone safely against threats from such malicious applications, we recommend the following "Smartphone security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above through "nProtect Mobile for Android", and operates a response system against various security threats.