Security & Mobility Now
maggarwal

More Trojanized Android Apps Found in Chinese Markets

by Juniper Employee on ‎08-22-2011 11:23 AM

Once again, Android users in China (or elsewhere) who download applications from China-based third-party app stores have been targeted with trojanized applications. The Juniper Networks Global Threat Center (GTC) team has discovered several malicious Android apps that send premium-rate SMS messages, following the initial findings about this malware, "SPPush", reported by the security team at North Carolina State University (NCSU).

 

This article details the analysis of a malicious application that piggybacks on a legitimate Android application in order to send SMS messages to premium-rate numbers in the background, at a cost to the user (and the service provider) that cannot be recovered. The malicious app registers itself with a third-party server, which then sends the device the numbers it should message and commands telling it when to start sending. It can also intercept incoming SMS messages and delete any that match a predefined condition, so that its activity stays hidden from the user.

 

Junos Pulse Mobile Security Suite users are already protected against this threat.

 

Figure 1 compares the package structure of the original application with that of the trojanized one. It says little about the malicious behaviour itself, but it identifies the files and packages that were added later, which is where the malicious code is most likely to be found.

 

Fig. 1: Original Application vs Malicious Application Package

 

Figure 2 shows some of the requested permissions, which are reason enough to suspect the trojanized package even before taking a deeper dive into its code.

 

Fig. 2: Permissions Requested by the Trojanized App
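The permission review above can be automated for triage. The following is an added example, not code from the original post or from the malware: it parses an AndroidManifest.xml (a constructed sample standing in for a trojanized wallpaper app, not the SPPush manifest) and flags permissions that a benign app of that type has no use for, plus the SEND_SMS + RECEIVE_SMS + INTERNET combination that lets an app send premium SMS on command and intercept the replies. The "expected" permission set for a wallpaper app is an assumption for the demo.

```python
"""Manifest permission triage for a suspicious Android package (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: a "wallpaper" app that also wants SMS and network access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

# Assumption for the sample: what a benign wallpaper app could reasonably need.
EXPECTED_FOR_WALLPAPER = {
    "android.permission.INTERNET",
    "android.permission.SET_WALLPAPER",
}

# Together with INTERNET (for the command server) these enable
# "send premium SMS, then hide the carrier's reply".
PREMIUM_SMS_PATTERN = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str, expected: set[str]) -> dict:
    """Report permissions outside the expected set and whether the premium-SMS pattern is present."""
    perms = requested_permissions(manifest_xml)
    return {
        "unexpected": sorted(perms - expected),
        "premium_sms_capable": PREMIUM_SMS_PATTERN <= perms
        and "android.permission.INTERNET" in perms,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, EXPECTED_FOR_WALLPAPER)
    for perm in report["unexpected"]:
        print("unexpected permission:", perm)
    if report["premium_sms_capable"]:
        print("SEND_SMS + RECEIVE_SMS + INTERNET: can send premium SMS on command and intercept replies")
```

Run it against the manifest extracted from a suspect APK (apktool or aapt will dump it in readable form); the point is not the exact list but that SMS permissions on an app that has no messaging function are the cheapest signal available before any decompilation.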

 

In addition to the permissions, the manifest declares a broadcast receiver for incoming SMS with a very high android:priority, so the app is handed every incoming text message before any other SMS receiver on the device, including the stock messaging app, as shown below:

 

[Screenshot: SMS receiver declared in the trojanized app's AndroidManifest.xml]

This receiver raises the question of why the app wants to be first in line for incoming SMS messages. Does it intend to modify, hide or filter certain messages, or does it have a legitimate reason for requesting priority access? The following code snippet answers that question:

 

[Screenshot: decompiled SMS filtering code from the trojanized app]

According to the code above, the application filters incoming SMS messages on the sender's number and on the message content. Any message matching that condition is deleted before the user's messaging app ever sees it. The odd-looking \uXXXX sequences are Unicode escapes (Java, not JavaScript) and decode to Chinese text:

 

\u7231\u60C5\u6765\u4E86 -> Love to the


\u8D85\u5E02 -> Supermarket
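The reason the high-priority receiver and the filter belong together is that, on the Android releases of this period, android.provider.Telephony.SMS_RECEIVED is delivered as an ordered broadcast: receivers run from highest android:priority to lowest, and any of them can call abortBroadcast() so the rest never see the message. The following added example (not code from the post or from the malware) models that delivery chain in plain Python and reimplements the filter from the decompiled snippet. The two keywords are the decoded escapes above; the sender prefix, receiver names and message bodies are constructed for the demo, since the real sender condition is only visible in the screenshot.

```python
"""Ordered SMS broadcast with a high-priority filtering receiver (added example)."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Sms:
    sender: str
    body: str


@dataclass
class Receiver:
    name: str
    priority: int
    on_receive: Callable[[Sms], bool]  # returns True to abort the broadcast


# Keywords recovered from the decompiled code's \uXXXX escapes.
FILTER_KEYWORDS = [
    "\u7231\u60c5\u6765\u4e86",  # 爱情来了, "love has arrived"
    "\u8d85\u5e02",              # 超市, "supermarket"
]

# Assumption for the demo: the malware matches on a numeric sender prefix.
# The real prefix is in the post's screenshot and is not reproduced here.
FILTER_SENDER_PREFIX = "1065"


def malware_filter(sms: Sms) -> bool:
    """Swallow messages from the filtered sender that contain one of the keywords."""
    return sms.sender.startswith(FILTER_SENDER_PREFIX) and any(
        kw in sms.body for kw in FILTER_KEYWORDS
    )


def stock_messaging(sms: Sms) -> bool:
    """The user's inbox: stores the message and never aborts."""
    return False


def deliver(sms: Sms, receivers: list[Receiver]) -> list[str]:
    """Ordered delivery: highest priority first; stop when a receiver aborts.

    Returns the names of the receivers that actually saw the message.
    """
    seen = []
    for rcv in sorted(receivers, key=lambda r: r.priority, reverse=True):
        seen.append(rcv.name)
        if rcv.on_receive(sms):  # abortBroadcast(): nobody below gets the message
            break
    return seen


# Constructed receiver set: stock inbox at default priority, trojan at the maximum.
RECEIVERS = [
    Receiver("com.android.mms", priority=0, on_receive=stock_messaging),
    Receiver("trojan.SmsReceiver", priority=2147483647, on_receive=malware_filter),
]


def decode_escapes(literal: str) -> str:
    """Turn a literal '\\u7231\\u60C5' string copied from decompiled source back into text."""
    return literal.encode("ascii").decode("unicode_escape")


if __name__ == "__main__":
    # Constructed carrier-style notification containing the "supermarket" keyword.
    hidden = Sms("10658888", "\u60a8\u7684\u8d85\u5e02\u8ba2\u9605\u5df2\u751f\u6548")
    print(deliver(hidden, RECEIVERS))                      # trojan only; inbox never sees it
    print(deliver(Sms("13800000000", "hello"), RECEIVERS))  # both receivers
    print(decode_escapes("\\u8D85\\u5E02"))
```

Note the caveat for anyone hunting this pattern on newer devices: the trick depends on SMS_RECEIVED being an abortable ordered broadcast, which held for the Android releases current in 2011. From Android 4.4 onward incoming SMS is routed to the user's default messaging app and a third-party receiver can no longer swallow the message, so this family's hiding technique fails there even though the premium-SMS sending still works.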


While performing behavioral analysis of this application, the Juniper GTC team observed that it receives a command from a remote server instructing it to send an SMS message to a number carried in the command. Figure 3 shows a packet capture of that command; Figure 4 shows the log of SMS messages sent from the infected device.

 

Fig. 3: Screenshot of Remote Command Received by the Infected Device

 

Fig. 4: Screenshot of the Sent SMS Log from the Infected Device

 

The destination number received from the server is a premium-rate number belonging to China Mobile; each SMS costs the victim 0.5 yuan.

 

These malicious applications are not available on the official Android Market. However, given the rapid growth in mobile malware, we suggest the following:

 

  • Practice due diligence before downloading applications.
  • Restrict your downloads to trusted and reputable sources.
  • Before hitting the "Install" button, pay close attention to the permissions the app requests; if they don't make sense for the type of app being downloaded, don't install it.
  • Be wary of unusual activity on your mobile device, and protect the integrity of your data by installing antivirus and antimalware applications.

And, as previously mentioned, Junos Pulse Mobile Security Suite users are already protected against this threat.

 

 

 
