ANDROIDOS_SMSBOXER.A

 Analysis by: Kathleen Notario

 ALIASES:

Android/TrojanSMS.Boxer.BE (Nod32)

 THREAT SUBTYPE:

Premium Service Abuser

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This malware pretends to be either an Instagram or Angry Birds Space application for Android phones.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This malware may arrive as a file downloaded from remote sites offering free download of the following apps:

  • Instagram for Android
  • Angry Birds Space

It prompts the user to allow sending of SMS messages in order to activate the downloaded application.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

865,015 bytes

File Type:

APK

Memory Resident:

Yes

Initial Samples Received Date:

16 Apr 2012

Payload:

Charges users with a premium for sending SMS

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be downloaded from the following remote sites:

  • http://{BLOCKED}android.ru
  • http://{BLOCKED}space.ru

It may be manually installed by a user.

NOTES:

This malware may arrive as a file downloaded from remote sites offering free download of the following apps:

  • Instagram for Android
  • Angry Birds Space

It prompts the user to allow sending of SMS messages in order to activate the downloaded application. It checks the country code of the affected device. If country code is any of the following, it displays a message in Russian:

  • 250
  • 255
  • 401

The SMS message it sends contains the following text:

75333+5570+88+p+a

It may send the SMS message to any of the following numbers, which in turn charges affected users according to the respective number's rate:

  • 2855
  • 3855
  • 7151
  • 8151

After sending the message, it gives the user the following links to make it appear that the user has already activated the app:

  • http://{BLOCKED}o.ru/apk/com.instagram.android_1.0.3.apk
  • http://top.{BLOCKED}le.ru/files/anmini.apk

  SOLUTION

Minimum Scan Engine:

9.200

TMMS Pattern File:

1.221.00

TMMS Pattern Date:

17 Apr 2012

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.