We recently analyzed a piece of Android malware that specifically targets subscribers of China Mobile, a state-owned telecommunications provider considered the world’s largest mobile phone operator.
The malware arrives through a link sent via SMS. The message tells China Mobile users to install a patch for their supposedly vulnerable devices by following the link, which in fact leads to a malicious file.
The malware, now detected as ANDROIDOS_ADSMS.SMA, collects information about the affected device such as its IMEI number, phone model, and SDK version. It then connects to a URL to request an XML configuration file. Studying the code that handles this file, we found that its tags hold values that drive different parts of the malware’s routines.
We were able to deduce the functions of some of these tags. The <regreport> tag holds the number to which the malware sends the affected phone’s IMEI once it has been collected.
The numbers in the <pbreceport> tag are premium numbers (1062, 1065, 1066) together with China Mobile’s own service number (10086). The malware monitors incoming SMS and deletes any message from these numbers before the user can see it. Replies from those numbers (confirmations, balance warnings and the like) would otherwise reveal that the malware is sending messages to premium numbers, so deleting them keeps the user from noticing.
The malware also tries to stay hidden: unlike previously reported Android malware, it installs no icon on the device’s screen. The only visible evidence of infection is a folder named Tencent on the device’s memory card, which contains the malicious files v1.log and smsConfig.xml.
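As an added example (not code from the original post, from the malware itself, or from Trend Micro’s tooling), the following Python models the routines described in the two paragraphs above: it parses the <regreport> and <pbreceport> values out of a configuration file, applies the resulting sender filter to a sample inbox to show which messages the victim would never see, and checks a memory-card root for the Tencent/v1.log and Tencent/smsConfig.xml artifacts. Only the tag names, the four numbers and the artifact file names come from the write-up; the XML layout, the comma delimiter, the prefix-matching rule, the <regreport> value and every inbox message are constructed assumptions.

```python
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the real smsConfig.xml layout is not shown in the write-up.
# Only the tag names <regreport>/<pbreceport> and the four numbers come from it;
# the <regreport> value is a made-up placeholder, not a real phone number.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config>
  <regreport>10690000000</regreport>
  <pbreceport>1062,1065,1066,10086</pbreceport>
</config>
"""

# On-card indicators named in the write-up.
ARTIFACT_DIR = "Tencent"
ARTIFACT_FILES = ("v1.log", "smsConfig.xml")


@dataclass(frozen=True)
class SmsConfig:
    regreport: str     # number that receives the IMEI registration SMS
    pbreceport: tuple  # sender prefixes whose incoming SMS get deleted


def parse_config(xml_text: str) -> SmsConfig:
    """Extract the two tags the post describes from the configuration file."""
    root = ET.fromstring(xml_text)
    reg = (root.findtext("regreport") or "").strip()
    raw = root.findtext("pbreceport") or ""
    # Assumed delimiter: a comma-separated list (the write-up does not show one).
    prefixes = tuple(p.strip() for p in raw.split(",") if p.strip())
    if not reg or not prefixes:
        raise ValueError("config is missing <regreport> or <pbreceport>")
    return SmsConfig(reg, prefixes)


def normalize_sender(sender: str) -> str:
    """Strip spacing and China's country code so '+86 10086' equals '10086'."""
    s = sender.strip().replace(" ", "").replace("-", "")
    if s.startswith("+86"):
        s = s[3:]
    elif s.startswith("0086"):
        s = s[4:]
    return s


def is_suppressed(sender: str, cfg: SmsConfig) -> bool:
    """Mirror the malware's rule: hide any SMS whose sender starts with a listed
    value. Prefix rather than exact matching is an assumption made for this
    example, so that longer service numbers beginning 1062/1065/1066 also match."""
    s = normalize_sender(sender)
    return any(s.startswith(p) for p in cfg.pbreceport)


def triage_inbox(messages, cfg: SmsConfig):
    """Split (sender, body) pairs into what the victim sees and what is deleted."""
    visible, hidden = [], []
    for sender, body in messages:
        (hidden if is_suppressed(sender, cfg) else visible).append((sender, body))
    return visible, hidden


def find_artifacts(sdcard_root: str) -> list:
    """Return the paths of any Tencent/v1.log or Tencent/smsConfig.xml present
    under the given memory-card root."""
    folder = os.path.join(sdcard_root, ARTIFACT_DIR)
    return [os.path.join(folder, name) for name in ARTIFACT_FILES
            if os.path.isfile(os.path.join(folder, name))]


# Constructed sample inbox, not real traffic.
SAMPLE_INBOX = [
    ("10086", "Your account was charged 15.00 yuan for an SMS subscription."),
    ("+86 10086", "Monthly bill notice."),
    ("106210001", "Subscription confirmed."),
    ("13800000000", "Are we still meeting tonight?"),
    ("10010", "Another carrier's short code; not in the list, stays visible."),
]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("IMEI report is sent to:", cfg.regreport)
    visible, hidden = triage_inbox(SAMPLE_INBOX, cfg)
    for sender, body in hidden:
        print("DELETED", sender, body)
    for sender, body in visible:
        print("VISIBLE", sender, body)
    print("artifacts under /sdcard:", find_artifacts("/sdcard"))
```

Run as a script it prints which of the sample messages would be silently deleted; on a real memory-card image, pass the mount point to find_artifacts to check for the Tencent folder the write-up describes.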
We also found debug messages enabled in the malware’s code, which suggests the attack is still in a testing phase and that an improved version is likely to surface.
Users whose devices have been infected by this malware may manually remove it by following the instructions in our Threat Encyclopedia virus report for ANDROIDOS_ADSMS.SMA.
A security update is just one of many disguises cybercriminals use to get users to execute malicious files on Android devices. Most of the Android malware we have seen arrived as games, media players, and even security tools. For more information on this kind of threat, refer to Fake Apps Affect Android OS Users.
July 28, 8:10 PM PST – Updated to new detection name (from ANDROIDOS_TCENT.A to ANDROIDOS_ADSMS.SMA)