Once again, Google Android users in China (or elsewhere) who download applications from China-based third-party app stores have been targeted with trojanized applications. The Juniper Networks Global Threat Center (GTC) team has discovered several malicious Android apps that send premium SMS messages, following initial findings about this malware, “SPPush”, reported by the security team at North Carolina State University (NCSU).
This article details the analysis of a malicious application that piggybacks on a legitimate Android application in order to send SMS messages to premium-rate numbers in the background, at an irretrievable cost to the user and the service provider. The malicious app registers itself with a third-party server, which then sends updates to the mobile device containing the numbers the premium SMS messages should be sent to, as well as commands directing the device to begin sending. It also has the ability to intercept incoming SMS messages and delete them if the incoming message matches a pre-defined condition. This is done so that the malware's activity remains undetected.
FYI, Junos Pulse Mobile Security Suite users are already protected against this threat.
Figure 1 offers a schematic comparison of the package structure of the original and the trojanized application. It does not offer much technical information about the malicious activity, but it helps in identifying files and packages that were added later and might contain malicious code.
Fig. 1: Original Application vs Malicious Application Package
Figure 2 shows some of the requested permissions that provide a strong reason to suspect the trojanized application package, even before taking a deeper dive into its code.
Fig. 2: Permissions Requested by the Trojanized App
In addition to the permissions, the manifest file contains a receiver that registers the app to gain priority access to all the incoming text messages before any other SMS receiver on the device, as shown below:
This “receiver” raises a question about the purpose of gaining priority access to all the incoming SMS messages. Is it because this application wants to modify, hide or filter certain messages, or does it indeed have a legitimate reason for requesting priority access to incoming SMS messages? The following code snippet explains why the app needs priority access to the incoming SMS messages:
According to the above code, the application filters incoming SMS messages based on the sender’s number and content. If a message matches the above condition, the app deletes it. By the way, the bizarre-looking “JavaScript escapes” translate to:
\u7231\u60C5\u6765\u4E86 -> Love to the
\u8D85\u5E02 -> Supermarket
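As an added example (not part of the original post, and not code from the SPPush sample), the following Python script performs the two manifest checks discussed above over a constructed sample manifest: it flags receivers that listen for android.provider.Telephony.SMS_RECEIVED at a high priority (the position needed to see and suppress incoming messages before other apps), and the SEND_SMS plus INTERNET permission combination that lets an app send messages on remote command. The package name, receiver names and permission set in the sample are constructed; the threshold of 1000 corresponds to IntentFilter.SYSTEM_HIGH_PRIORITY.

```python
"""Static triage of a decoded AndroidManifest.xml for SMS-interception indicators."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# IntentFilter.SYSTEM_HIGH_PRIORITY; anything at or above this is a strong indicator
HIGH_PRIORITY_THRESHOLD = 1000

# Constructed sample manifest (not the real SPPush manifest): a repackaged game
# declaring a maximum-priority SMS receiver alongside send/receive/internet.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.trojanized.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <application android:label="Game">
        <receiver android:name=".push.SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Set of <uses-permission> names declared at the top level of the manifest."""
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name") for p in root.findall("uses-permission")}


def find_sms_receivers(manifest_xml):
    """Return (receiver_name, priority) for every receiver listening for SMS_RECEIVED.

    A missing android:priority attribute means the default priority of 0.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = _attr(flt, "priority")
                found.append((_attr(receiver, "name"), int(prio) if prio is not None else 0))
    return found


def triage(manifest_xml, threshold=HIGH_PRIORITY_THRESHOLD):
    """Combine both indicators into a list of human-readable findings."""
    findings = []
    perms = requested_permissions(manifest_xml)
    if {"android.permission.SEND_SMS", "android.permission.INTERNET"} <= perms:
        findings.append("SEND_SMS + INTERNET: app can send SMS on remote command")
    for name, prio in find_sms_receivers(manifest_xml):
        if prio >= threshold:
            findings.append(
                "receiver %s takes SMS_RECEIVED at priority %d (can abort delivery "
                "to other SMS apps)" % (name, prio)
            )
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print(line)
```

Run it against a decoded manifest (the binary AndroidManifest.xml inside an APK must first be decoded, for example with apktool); a legitimate SMS client may also declare a high-priority receiver, so the findings are triage leads for the manual review the article goes on to perform, not a verdict on their own.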
While performing behavioral analysis of this application, the Juniper GTC team realized that this application receives a command from a remote server to initiate an SMS message to a number included in the command. Figure 3 shows a packet capture of the command, whereas Figure 4 shows the log of SMS messages sent from the infected device.
Fig. 3: Screenshot of Remote Command Received by the Infected Device
Fig. 4: Screenshot of the Sent SMS Log from the Infected Device
The destination number received from the server is a premium number that belongs to China Mobile, with each SMS costing 0.5 Yuan.
These malicious applications are not available on the official Android Market. However, considering the rapid growth in mobile malware, our suggestions are:
And, as previously mentioned, Junos Pulse Mobile Security Suite users are already protected against this threat.