ANDROIDOS_HIPPOSMS.A

 Analysis by: Sabrina Lei Sioting
 Modified by: Karl Dominguez

 THREAT SUBTYPE:

Premium Service Abuser, Malicious Downloader

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This malware is able to send an SMS to a Chinese premium number. As a result, affected users are charged without their knowledge.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan can be downloaded from third party Android app stores and targets Chinese users. It sends an SMS to a Chinese premium number.

This malicious application lets the user send a predefined message to his/her contacts. The link points to a remote copy of the malware. It also has the capability to send this same message to the premium number.

Itl then connects to a certain URL to receive an XML configuration file. The configuration file contains another URL where an updated copy of itself can be downloaded. This is also detected by Trend Micro as ANDROIDOS_HIPPOSMS.A.

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size:

413,565 bytes

File Type:

DEX

Memory Resident:

No

Initial Samples Received Date:

13 Jul 2011

Payload:

Sends premium-rate text messages, Connects to URLs/IPs

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

NOTES:

This Trojan can be downloaded from third party Android app stores and targets Chinese users.

This malware sends an SMS to the number 1066156686, a Chinese premium number. As a result, affected users are charged without their knowledge. It then deletes the SMS if the number it comes from begins with "10". Since China service providers use numbers that starts with "10", affected users arel not be able to verify their account balances.

This malicious application lets the user send the following predefined message to his/her contacts:

看视频,上酷6,链接 http://{BLOCKED}wn.{BLOCKED}6.cn

The link points to a remote copy of the malware. It also has the capability to send this same message to the premium number 10086.

This message translates to the following:

"Watch the video, it's on ku6, link:http://{BLOCKED}wn.{BLOCKED}6.cn".

The malware then connects to the following URL to receive an XML configuration file:

  • http://{BLOCKED}fo.{BLOCKED}6.cn/{BLOCKED}Request.htm?method=update&os=android&brand=ku6&sdkversion=1.5&clientversion=2.0.0&resolution=%7bscreen resolution}&serialnumber={IMEI}

The said configuration file contains another URL where an updated copy of this malware may be downloaded. As of this writing, the URL contained in the XML is the following:

  • http://{BLOCKED}ms.{BLOCKED}6.com/{BLOCKED}ersion/Android_video_201_gen_f001.apk

The downloaded file is also detected as ANDROIDOS_HIPPOSMS.A.

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.117.00

TMMS Pattern Date:

17 Jul 2011

NOTES:

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via the Android Market.

Remove unwanted apps on your Android mobile device

To remove unwanted apps on your mobile device:

  1. Go to Settings > Applications > Manage Applications.
  2. Locate the app to be removed.
  3. Scroll and highlight the app to be removed, then choose Uninstall.


Did this description help? Tell us how we did.