[Information] Chinese malicious application called SMS Zombie

1. Introduction

Malicious applications called SMS Zombie have recently been found. With the boom in malicious applications for smartphones, it is rumored that more than 500 thousand smartphones have been infected by this malicious application. This malicious app targets Chinese Android smartphone users and has not harmed Korean users so far. The noticeable point, however, is that the spread of malicious applications for monetary exploitation has begun in overseas countries.

2. Spreading path and symptom of infection

This malicious application has been spread on unofficial Chinese markets, as shown below.

This malicious application sends SMS without the user's consent, collects information, and tries to install an additional malicious application.

The installation screen is as follows.

It does not show any permissions during installation, and the "Open" button is disabled. This means the malicious application is written as a live wallpaper, and the components for its various functions are not declared in the manifest but are registered dynamically at runtime. The "Open" button is disabled because the application runs as a service.

The following image shows part of the permissions in AndroidManifest.xml.

Dropper-type host malicious application

Because this application registers nothing but a wallpaper service, the user has to select the following wallpaper to activate it.

When the wallpaper is run, an AlertDialog prompting the installation of an additional application is shown.

The left button is confirm and the right button is cancel. If the user clicks confirm, the application tries to install additional files from the malicious file.

As you can see, this file looks like an image file, but it is actually an APK file. Clicking "Confirm" installs the additional malicious application.

Analysis of the additional malicious file that performs the real malicious behavior

The following figure shows the run screen of the additional malicious file.

This also runs as a service, so the "Open" button is disabled. The following figure shows part of AndroidManifest.xml, where the requested permissions can be seen.

After installation, we can see that this malicious application has been loaded as a service.

It also shows the device administrator activation screen to obtain permission, as follows.

As shown, there are two buttons, "Activate" and "Cancel", but only the "Activate" button works. Clicking "Cancel" simply shows the Activate device administrator window again.

Finally, the malicious application obtains permission by inducing the user to click "Activate", and it then gains various permissions, including those governing application removal.

※ Getting permission of device administrator

Malicious applications usually try to obtain device administrator permission in order to control their own removal. Once that permission is granted, the normal uninstall procedure no longer works.

※ How to remove

For this kind of application, both malicious and legitimate variants exist. To remove it, the following procedure is needed.

"Settings" - "Location and security" - "Device administrators"

Click the application and choose "deactivate". Clicking "deactivate" may appear to do nothing. Then hold the home button - "task manager" - "exit all running programs" - remove "this application" on the program tab.

After installation, it creates "phone.xml" at a certain path.

"phone.xml" contains certain keywords written by the following code and is encoded in Simplified Chinese.

The following figure shows the real contents of phone.xml, which are used to snatch bank account information and mobile transaction history by monitoring SMS.

The malicious application then secretly sends the collected information by SMS to a certain number (13093632006).

※ Details of the SMS message sent

- 1.5V:Model(Model info:sdk);os(OS version info);Language(Using language);NET(Network usage info:3G/wifi)

If Wi-Fi is unavailable, it sends an SMS containing the following message.

In addition, the malicious application checks the rooting status of the infected smartphone and reports it by SMS.

This application monitors SMS. AndroidManifest.xml contains no declaration for this, but the internal code contains a dynamically registered SMS monitoring receiver.

Various security solutions appear to detect SMS monitoring receivers through AndroidManifest.xml, where a dynamically registered receiver does not appear.

The registered SMS receiver monitors all incoming SMS, which are parsed and compared with the keywords in "phone.xml". If a message matches, it is forwarded by SMS to a certain number.

Some of the sent SMS are deleted with the following code.
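The two traits described above, device administrator binding and an SMS receiver registered only in code rather than in the manifest, can be triaged from a decompiled app with a simple heuristic. The following Python is an added example, not the original analysts' tooling; the manifest, package name, class names and file paths in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

def triage(manifest_xml, sources):
    """Check a manifest plus a {path: decompiled Java source} map for both traits."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    manifest_sms_receiver = any(
        a.get(ANDROID + "name") == SMS_ACTION for a in root.iter("action"))
    device_admin = any(
        r.get(ANDROID + "permission") == DEVICE_ADMIN for r in root.iter("receiver"))
    # A source file that both calls registerReceiver() and names the SMS_RECEIVED
    # action is registering an SMS listener at runtime, outside the manifest.
    dynamic_sms = sorted(path for path, code in sources.items()
                         if "registerReceiver(" in code and SMS_ACTION in code)
    return {
        "device_admin": device_admin,
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receiver_in_manifest": manifest_sms_receiver,
        "dynamic_sms_receiver_files": dynamic_sms,
        # Manifest-only scanners miss exactly this combination; flag it explicitly.
        "hidden_sms_receiver": bool(perms & SMS_PERMS) and bool(dynamic_sms)
        and not manifest_sms_receiver,
    }

# Constructed sample input modelled on the post (not the real sample's files).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.constructed.wallpaper">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".WallpaperSvc"/>
  </application>
</manifest>"""
SAMPLE_SOURCES = {"com/example/constructed/WallpaperSvc.java": """
    IntentFilter f = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    registerReceiver(new SmsWatcher(), f);  // never declared in the manifest
"""}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

A benign app that declares its SMS receiver in the manifest clears the hidden-receiver finding, so the check separates the evasion pattern from ordinary SMS use.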

3. How to prevent

Because this malicious application relies on a first-stage dropper, a modified dropper could deliver a variety of further threats. To use a smartphone safely against such malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated, and enable real-time detection.
2. Download only applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from a smartphone.
5. Avoid opening MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above through "nProtect Mobile for Android", and operates a response system against various security threats.

Diagnosis name

- Trojan/Android.SMSZombie.A
- Trojan/Android.SMSZombie.B
- Trojan/Android.SMSZombie.C