Since late August, we’ve been monitoring the development of a new wave of Android malware in China. So far, we have seen multiple new variants of AndroidOS.SmsThief, disguised as photo or document viewer apps, as well as repackaged as other popular applications. Different AV vendors have identified these variants under the names Android.Trojan.SmsSpy and Trojan.Android/AutoSMS.

Although a bulletin was released by Chinese officials around the same time, this campaign appears to be still going strong more than a month later. Samples captured over the course of the campaign are constantly evolving, and the lure message can present itself as a number of different applications. Combined with the evidence that it behaves as long-term monitoring malware, this is a highly sophisticated sample.

We’ve detected 8 variants of the malware active throughout China, but only 3 of these samples have been uploaded onto VirusTotal.

One of the samples of malware that has been detected by numerous anti-virus programs.

The malware is delivered through SMS. As is common with worms, the SMS is typically sent “from” a friend – someone whose device has already been infected. The content of these phishing messages can vary as hackers try to trick victims from many different angles:

1. Messages pretending to be a friend looking to share a photo:

2. These are from a colleague wanting to share a work-related document:

3. These are threats to disclose a private photo:

4. This is a message from a teacher regarding the recipient’s child’s accomplishments in school. It directs them to a document supposedly outlining the accomplishments:

When the recipient clicks on the link, they are redirected to an application available for download. Because China doesn’t have an official app store like Google Play, apps can be downloaded from any source. The user judges the application safe or unsafe based on how much they trust the person who sent the link. This makes it that much easier for attackers to send messages from a familiar number and convince recipients to download the application.

One sample that uses the lure of a photo to attract victims repackages itself as a photo viewer application for Android (using photos as a lure is a well-known technique for SMS worms that we have encountered before). It tricks the user into downloading the app through a link in the message.

During installation, it asks for permission to access information about your contacts and to read and send SMS messages, and it also requests Device Administrator access once it starts up.

Because of the trusted source of the message, users assume that this is normal and proceed to grant the permissions to the app.

Note: a legitimate application with this kind of function will rarely ask for this much access from a user, especially Device Administrator access, which is only required by apps with very specific functionality.
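As an added triage example (not code from the original post or from the malware itself), the check below inspects a decoded AndroidManifest.xml, in the form a tool such as apktool emits, for the combination the post describes: contacts and SMS permissions, a background SMS receiver, and a Device Administrator receiver. The sample manifest, the package name and the receiver class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag a manifest that asks for contacts + SMS access, an SMS receiver and Device Admin."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Device Administrator status is requested via a receiver guarded by BIND_DEVICE_ADMIN.
    device_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN
                       for r in root.iter("receiver"))
    # A receiver registered for SMS_RECEIVED sees every incoming SMS in the background.
    sms_receiver = any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in root.iter("action"))
    hits = sorted(requested & RISKY_PERMISSIONS)
    return {
        "risky_permissions": hits,
        "device_admin": device_admin,
        "sms_receiver": sms_receiver,
        # A photo or document viewer has no legitimate need for all of these at once.
        "suspicious": device_admin and sms_receiver and len(hits) >= 3,
    }


# Constructed sample manifest for a fake "photo viewer"; not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoviewer">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Photo Viewer">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```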

Once the malware starts up on your device, it removes its icon from the app drawer and fades into the background. Without any notice to the user, the malware extracts the contact list and every text message and sends them to the attacker.

The scale of this infection is unknown, but we can confirm that the campaign is very active. Almost every day we’re detecting a new download link and new variations of the malware. The malware uses email as one of its primary methods to upload information. The information from the infected device is submitted to a mailbox to which the attacker has access. The information of the mailbox is hardcoded within the malware.

We know the samples began using accounts from 163.com – one of the most popular Chinese email services – but have seen a move to qq.com during our monitoring of the outbreak.

Several command (C&C) numbers have been used across the known samples: the malware forwards incoming SMS to the C&C number and receives remote commands from it.

Because of the way this malware is designed, it looks as though the attacks are primarily targeted towards Chinese subscribers.  

Once the application is downloaded, the malware tries to register with the C&C using the device ID.

While it’s running, it actively monitors, in the background, the SMS messages the device receives:

And from then on every SMS and call is intercepted and forwarded on to the C&C number – allowing hackers to read every text message.

Each time the infected device receives an SMS, the malware checks whether it is a normal SMS message or a command from the C&C number. If the message is confirmed to come from the C&C number, any commands contained in the SMS body are then executed.

(The first line of Chinese below means: “------- (it) is Master -------“)

The commands have varying degrees of effect, but they have been observed performing actions such as:

1. Sending messages to contacts.
2. Adding a number to the monitoring list.
3. Switching between monitoring all traffic and monitoring specific numbers only.

The societal implications of this malware are significant. By using a very specific information-gathering technique, the attackers are building a database of phone numbers, device IDs and demographic information.

With this, and using the infected device, they are able to send an undetectable message to any of your contacts and read every message that is delivered, which often contains sensitive information such as banking details. There have already been media reports indicating that this type of malware has caused significant financial loss. One article details how a Chinese resident clicked on a link on his phone and downloaded the malware. Hackers then received his online banking authentication code via SMS and transferred money out of his four different accounts, for a total loss of 20,000 RMB.

It is rare to see malware with such sophisticated control and monitoring functionality, and we are monitoring the future evolution of these samples very closely.

As always, AdaptiveMobile advises caution when installing apps – don’t click on an unknown link and don’t download apps from an unknown source.

If your device is infected with malware, you can remove it by following these instructions:

Go to Settings - Security - Device Administrator and untick the app.

Then go to Settings - Apps and find the app. Once there you should have the choice to stop the application from running and uninstall it.

Special thanks to Yicheng Zhou for original research and contribution to this blog. 

MD5
