Analysis by: Karl Dominguez

 THREAT SUBTYPE:

Premium Service Abuser

 PLATFORM:

Android OS


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Android malware acts as an SMS relay. It uses the infected device as proxy for sending and receiving SMS messages. As a result, affected users may be charged for sending SMS without their knowledge.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This malware has certain capabilities such as sending and receiving SMS, deleting SMS, getting installed applications, deleting and updating itself.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size: 36,368 bytes
File Type: DEX
Memory Resident: Yes
Initial Samples Received Date: 21 Jun 2011
Payload: Compromises system security, Connects to URLs/IPs, Steals information

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

NOTES:
This Android malware acts as an SMS relay: it fetches, from a remote URL, the SMS messages it is to send and forwards any replies back to the operator. As a result, affected users may be charged for sending SMS without their knowledge. This malware has the following capabilities:

  • Send and receive SMS
  • Delete SMS
  • Get installed applications
  • Delete itself
  • Update itself

It receives an XML configuration file from the following URL:
  • http://{BLOCKED}ind.net/flash/test.xml?imei={IMEI}&time={current time}
The configuration file contains the message body of the SMS and the number it sends to. It also specifies the URL to which the malware forwards intercepted SMS messages, the URL to which it posts the list of installed applications, the URL from which it updates itself, and the URL it notifies of its status.

This malware also monitors the affected phone's received SMS. If an incoming SMS is from the number the malware sent to, the message is relayed to the following URL:

  • http://{BLOCKED}ind.net/flash/in.php?imei={IMEI}&time={current time}

Once the message is posted, the malware deletes the SMS from the affected phone to hide the reply from the user.

The list of applications installed in the affected phone is posted by the malware to the following link:

  • http://{BLOCKED}ind.net/flash/list.php?imei={IMEI}&time={current time}
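The three URLs above share a fixed path under /flash/ and always carry imei= and time= parameters, which makes them a usable network indicator even though the host is redacted here. The following is an added example, not part of the original analysis, showing how a defender could scan proxy logs for this beacon pattern and tell a device that merely fetched the configuration apart from one that completed the relay loop (config fetch followed by an SMS or application-list post). The log format, host name c2.example, IMEIs and timestamps are constructed for the example and are not taken from the page.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint paths taken from the three C2 URLs in the analysis above.
# The host is redacted on the page, so matching is done on path and query only.
C2_ENDPOINTS = {
    "/flash/test.xml": "config-fetch",   # XML config: SMS body, target number, other URLs
    "/flash/in.php":   "sms-exfil",      # intercepted reply SMS posted to the operator
    "/flash/list.php": "applist-exfil",  # installed-application list posted
}


def classify_url(url):
    """Return (behaviour, imei) for a URL hitting a known C2 endpoint, else None.

    Both beacon parameters (imei= and time=) are required, as in the URLs on
    the page, so a stray /flash/test.xml fetch without them is not flagged.
    """
    parts = urlsplit(url)
    behaviour = C2_ENDPOINTS.get(parts.path)
    if behaviour is None:
        return None
    qs = parse_qs(parts.query)
    if "imei" not in qs or "time" not in qs:
        return None
    return behaviour, qs["imei"][0]


# Hypothetical "timestamp client method url status" proxy log format (an assumption).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_log(lines):
    """Summarise C2 activity per IMEI as {imei: {behaviour: hit_count}}."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        result = classify_url(m.group("url"))
        if result is None:
            continue
        behaviour, imei = result
        hits[imei][behaviour] += 1
    return {imei: dict(counts) for imei, counts in hits.items()}


def infected_devices(summary):
    """IMEIs that fetched the config and then posted data back (relay loop completed)."""
    return sorted(
        imei for imei, counts in summary.items()
        if "config-fetch" in counts and ("sms-exfil" in counts or "applist-exfil" in counts)
    )


# Constructed sample log (not real traffic); c2.example stands in for the redacted host.
SAMPLE_LOG = """\
2011-06-21T10:00:01Z 10.0.0.5 GET http://c2.example/flash/test.xml?imei=356938035643809&time=1308650401 200
2011-06-21T10:00:02Z 10.0.0.5 GET http://www.example.org/index.html 200
2011-06-21T10:03:17Z 10.0.0.5 POST http://c2.example/flash/list.php?imei=356938035643809&time=1308650597 200
2011-06-21T10:05:40Z 10.0.0.5 POST http://c2.example/flash/in.php?imei=356938035643809&time=1308650740 200
2011-06-21T10:07:00Z 10.0.0.9 GET http://c2.example/flash/test.xml 404
2011-06-21T10:09:12Z 10.0.0.7 GET http://c2.example/flash/test.xml?imei=490154203237518&time=1308650952 200
""".splitlines()

if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    for imei, counts in summary.items():
        print(imei, counts)
    print("relay loop completed:", infected_devices(summary))
```

Matching on path plus the two beacon parameters rather than on the host is deliberate: the operator can move the domain without touching the client, but changing the endpoint names or the IMEI/time parameters would require a malware update. The IMEI in the query string also lets a responder tie the traffic back to a specific handset.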

Please note that the analysis above is based on the XML configuration downloaded by the malware at the time of writing; the configuration, and with it the target number and URLs, may change at any time.

  SOLUTION

Minimum Scan Engine: 8.900
TMMS Pattern File: 1.109.00
TMMS Pattern Date: 22 Jun 2011

NOTES:

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via the Android Market.

Remove unwanted apps on your Android mobile device

To remove unwanted apps on your mobile device:

  1. Go to Settings > Applications > Manage Applications.
  2. Locate the app to be removed.
  3. Scroll and highlight the app to be removed, then choose Uninstall.

