Once again Google Android users in China (or elsewhere) who download Android applications from China-based third party app stores have been targeted with trojanized applications. Juniper Networks Global Threat Center (GTC) team has discovered several malicious Android apps that send premium SMS messages after initial findings about this malware, “SPPush”, were reported by the security team at North Carolina State University (NCSU).
This article details the analysis of a malicious application, which piggybacks off of legitimate Android application in order to send SMS messages to premium rate numbers in the background at an irretrievable cost to the user and service provider. The malicious app registers itself with a third party server which then sends updates to the mobile device with the numbers that it should send the premium SMS messages to, as well as commands directing the device to begin sending. It also has the ability to intercept incoming SMS messages and delete it, if the incoming SMS message matches a pre-defined condition. This is done to allow the malware to remain anonymous.
FYI, Junos Pulse Mobile Security Suite users are already protected against this threat.
Figure 1 offers a schematic difference between the package structure of original and trojanized application. It doesn’t offer much technical information about the malicious activities but helps in identifying files, packages that were added later on, and which might contain malicious code.
Fig. 1: Original Application vs Malicious Application Package
Figure 2 shows some of the requested permissions that provide a strong reason to suspect the trojanized application package, even before taking a deeper dive into its code.
Fig. 2: Permissions Requested by the Trojanized App
In addition to the permissions, the manifest file contains a receiver that registers the app to gain priority access to all the incoming text messages before any other SMS receiver on the device, as shown below:
This “receiver” raises a question about the purpose of gaining priority access to all the incoming SMS messages. Is it because this application wants to modify, hide or filter certain messages, or does it indeed have a legitimate reason for requesting priority access to incoming SMS messages? The following code snippet explains why the app needs priority access to the incoming SMS messages:
\u7231\u60C5\u6765\u4E86 -> Love to the
\u8D85\u5E02 -> Supermarket
While performing behavioral analysis of this application, the Juniper GTC team realized that this application receives a command from a remote server to initiate an SMS message to a number included in the command. Figure 3 shows a packet capture of the command, whereas Figure 4 shows the log of SMS messages sent from the infected device.
Fig. 3: Screenshot of Remote Command Received by the Infected Device
Fig. 4: Screenshot of the Sent SMS Log from the Infected Device
The destination number received from the server is a premium number that belongs to China Mobile, with each SMS costing 0.5 Yuan.
These malicious applications are not available on the official Android Market. However, considering the rapid growth in mobile malware our suggestions are:
And, as previously mentioned, Junos Pulse Mobile Security Suite users are already protected against this threat.
Discussing a wide range of topics impacting enterprises and data center security.