    Author Archive - Bob Pan (Mobile Security Engineer)

    Last week, we talked about the OBAD Android malware, which installed itself as an administrator on the device and used a vulnerability in Android to hide this fact from the user.

    One effect of this particular behavior was to make removal of this threat very difficult. Apps that have set themselves up as administrators require user interaction to remove, but because the vulnerability hides the app from the user, it cannot be deactivated and therefore cannot be removed.

    In response to this threat, we have created the Hidden Device Admin Detector app. This tool’s purpose is simple: it allows users to keep track of, and disable, apps that have device administrator privileges but are hidden from Android’s Device Administrator list.

    Most apps do not need these device administrator privileges. One can think of them as being analogous to holding root access on a Linux/Unix machine, or having administrator access on Windows: they give an app complete control over the device. Because most apps do not need this level of access, the user has to be prompted before these privileges are enabled. Apps that do require these privileges include security apps (like Trend Micro Mobile Security) and system administration apps that may be used in BYOD situations.

    When run, the app will display the apps with administrator privileges that exploit this vulnerability to hide themselves:

    Figure 1. Hidden Device Admin Detector app

    From here, users can disable the privileges. Malicious apps with disabled administrator privileges can be removed normally, either by security products or the user.

    Android itself provides a Device Administrator list as well, but because of the above vulnerability the list it shows may not be complete. Google may patch the vulnerability in the future, but the complicated Android update situation means many users will never get the patch. We recommend that all users download this app and periodically check for malicious apps on their Android devices.

    You can download the app by going to the Google Play app store.
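    The following is an added example, not the code of the Hidden Device Admin Detector app or of any Trend Micro product. It shows one way to enumerate admins that the stock Device Administrator screen would not display: the Settings app builds its list by constructing a DeviceAdminInfo for each active admin and silently skips any whose android.app.device_admin meta-data is missing or unparseable, while DevicePolicyManager still enforces that admin. Whether Trend Micro’s tool uses this exact check is an assumption.

```java
// Added example (not the Trend Micro tool's code): compare what DevicePolicyManager
// enforces with what the Settings "Device administrators" screen is able to display.
import android.app.admin.DeviceAdminInfo;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.util.ArrayList;
import java.util.List;

public class HiddenAdminScanner {

    /** Active device admins that the stock Device Administrator list would not show. */
    public static List<ComponentName> findHiddenAdmins(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        List<ComponentName> hidden = new ArrayList<ComponentName>();

        // Ground truth: every component the policy manager currently treats as an admin.
        List<ComponentName> admins = dpm.getActiveAdmins();
        if (admins == null) {
            return hidden;
        }
        for (ComponentName cn : admins) {
            try {
                ActivityInfo ai = pm.getReceiverInfo(cn, PackageManager.GET_META_DATA);
                ResolveInfo ri = new ResolveInfo();
                ri.activityInfo = ai;
                // Settings uses this constructor when it builds its list; it throws
                // when the android.app.device_admin meta-data cannot be parsed, and
                // Settings then drops the entry without telling the user.
                new DeviceAdminInfo(ctx, ri);
            } catch (Exception e) {
                // NameNotFoundException, XmlPullParserException or IOException:
                // the admin is enforced but invisible in Settings.
                hidden.add(cn);
            }
        }
        return hidden;
    }
}
```

    An app can only call removeActiveAdmin() for its own components, so a detector like this can list hidden admins but the user still has to deactivate them before the package can be uninstalled.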

    Posted in Malware, Mobile | Detecting Hidden Administrator Apps on Your Mobile Device

    Just days after its release on the Apple App Store, some sites are already offering their own dubious versions of Temple Run 2 for Android.

    With 20 million downloads just 4 days after its release on the Apple App Store, Temple Run 2 is indeed highly anticipated among Temple Run fans and gaming fanatics. While the Android version of the game is scheduled for release this Thursday, we already found certain websites peddling what appears to be Temple Run 2 for Android.

    We downloaded two supposed Temple Run 2 apps and analyzed them. Luckily, the apps (detected by Trend Micro as ANDROIDOS_FAKETEMPLRUN.A) do not exhibit any noteworthy malicious routines. However, they do send ad notifications to users. And to rub salt in the wound, neither app runs the actual Temple Run game.


    We also noticed other sites that offer Temple Run 2. Looking closely at the description on one of these sites, the developer posted a disclaimer about the app. Though the app offered there does not exhibit any harmful routine, the use of the Temple Run 2 name to persuade users to download a “wallpaper” app (some sites offer a puzzle app, among others) is quite suspect.



    Recently, we found that Android’s debugging feature could be used to steal information from apps running on an Android device. We won’t go into the full details of the problem here, but here is the short version: with some effort, an app can be set up on Android to debug another running app. This debugging app would have access to all the information the debugged app has, so items like user names and passwords are trivial to steal.

    Before we go any further, however, we need to be clear about which versions of Android are affected. This vulnerability is only in version 2.3 (Gingerbread) or earlier. Practically all Android devices sold today run newer versions, as Gingerbread was last updated in September 2011. However, Google’s own numbers indicate that more than half of all Android devices in use still run these older versions of Android.

    In a way, this problem serves as a microcosm of the issues surrounding the entire Android ecosystem. Let’s divide the ecosystem into three parties: app developers, Google and telecom companies, and end users. What can each segment do?

    App developers

    In this particular instance, for an app to be vulnerable to being debugged it has to have been set to be debuggable in the first place. In general, debuggable versions of apps should not be released to the public. (Approximately 5% of apps in the Top Free apps list are set to be debuggable, so the risk is not insignificant.)

    In general, however, “best practices” for mobile apps may not be as set in stone as they are for desktop applications. It would be a good idea for mobile developers to consider the security of their apps, not just their features and ease of use.
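    As an added example (not code from the original post), the check below lists installed apps whose manifest declares android:debuggable="true", which is the precondition for the debugging attack described above, and reports whether the device falls in the affected Gingerbread-or-earlier range.

```java
// Added example (not from the original post): flag installed apps that shipped
// with android:debuggable="true", and whether this device is in the affected range.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.util.ArrayList;
import java.util.List;

public class DebuggableAppScanner {

    /** Package names of installed apps built with android:debuggable="true". */
    public static List<String> debuggablePackages(Context ctx) {
        List<String> out = new ArrayList<String>();
        PackageManager pm = ctx.getPackageManager();
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            // FLAG_DEBUGGABLE mirrors the manifest attribute the post refers to.
            if ((ai.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
                out.add(ai.packageName);
            }
        }
        return out;
    }

    /** The post limits the exposure to Android 2.3 (Gingerbread, API 9/10) and earlier. */
    public static boolean deviceIsInAffectedRange() {
        return Build.VERSION.SDK_INT <= Build.VERSION_CODES.GINGERBREAD_MR1;
    }
}
```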


    Posted in Mobile | The Issues Surrounding Android Debugging

    We recently encountered ANDROIDOS_SMSZOMBIE.A, an Android Trojan targeting China Mobile subscribers that takes control of a device’s SMS functionality. It can send, forward, and drop SMS messages. What makes this more troubling for users is the fact that this malware is difficult to uninstall. A dedicated removal tool will be released to Google Play and Chinese app stores next week.

    As other researchers have noted, this Trojan takes advantage of a vulnerability in the China Mobile SMS payment process to generate unauthorized payments, steal bank card numbers and money transfer receipt information.

    How does this threat arrive on user devices? It is usually wrapped by a wallpaper app. Once installed, it can be enabled by clicking Menu > Wallpaper > Live Wallpapers.

    After the live wallpaper has been enabled, the user is asked to install the Trojan (which is described instead as a “game”, complete with 100 free points).

    Once installed, the malware will ask to activate itself as a device administrator. The malware claims that by doing this, it will save power. If the user clicks the cancel or return buttons, the alert appears again. Only after the Trojan has been activated as a device administrator will it let the user return to their main screen.

    As previously mentioned, this particular Trojan is quite difficult to uninstall. Using Android’s own uninstall function simply redirects the user to their home screen, without an opportunity to select the app to be uninstalled. Even if a third-party app is used in an attempt to uninstall the Trojan, it can’t be removed because it’s still active as a device administrator. If the user pushes through with the attempt to deactivate it as an administrator, the Trojan will say that deactivating it will cause system errors. If the user deactivates it, the Trojan will keep prompting the user to reactivate it again.

    App Payload

    What does this app do once it is installed on the user’s device? When first run, it sends the app version and device information (model, OS, language, network) to a “control number” via SMS.

    Once running, it has the following capabilities:

    • Forward every received SMS message
    • Drop SMS which contains words in a configurable list
    • Send SMS messages
    • “Write” an SMS message into the inbox

    All of these capabilities are controlled via SMS messages sent by the attacker to the device. These instructions are all in the following XML format:

    TAG   Description
    S     change the current configuration
    J     write the current configuration to phone.xml
    M     send an SMS with the content and destination number given in the con and rep tags
    con   SMS content (used with M)
    rep   destination number (used with M)
    E     write an SMS into the inbox with the number and content given in the xgh and xgnr tags
    xgh   sender number (used with E)
    xgnr  SMS content (used with E)

    For example, if the attacker wants to send an SMS from the infected device to China Mobile, he can send the following content to the device:


    Configuration files are in XML format as well:

    This particular file shows the default control number, the default content keywords (转, 卡号, 姓名, 行, 元汇, 款, hello), and the default number keyword of “10”.

    TAG   Description
    D     control number
    n     keyword in SMS content; if a message contains the keyword, the Trojan drops it
    zdh   keyword in the sender number; if an SMS comes from a number matching it, the message is dropped and never reaches the user
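    The following is an added example, not code from the original post or from the malware. It classifies an incoming SMS body against the command and configuration tag vocabulary in the two tables above, the way a defender-side SMS filter or a sandbox rule might. The post does not show the exact nesting of the malware’s XML, so the example assumes each command is a well-formed element tree and only reports which known tags appear; the sample message is constructed.

```java
// Added example (not from the original post): recognise SMSZOMBIE-style command
// traffic by the tag vocabulary the post's tables describe. Nesting is assumed.
import java.io.StringReader;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserFactory;

public class SmsZombieCommandDetector {

    // Command tags (S, J, M, con, rep, E, xgh, xgnr) and configuration tags (D, n, zdh).
    private static final Set<String> KNOWN_TAGS = new LinkedHashSet<String>(Arrays.asList(
            "S", "J", "M", "con", "rep", "E", "xgh", "xgnr", "D", "n", "zdh"));

    /** Constructed sample (not a real capture): an M command with content and number. */
    public static final String SAMPLE = "<M><con>hello</con><rep>1234567</rep></M>";

    /** Known tags present in the body; empty when the body is not XML or has none. */
    public static Set<String> knownTags(String smsBody) {
        Set<String> found = new LinkedHashSet<String>();
        if (smsBody == null || smsBody.indexOf('<') < 0) {
            return found;
        }
        try {
            XmlPullParser p = XmlPullParserFactory.newInstance().newPullParser();
            // Wrap in a root so a body carrying several sibling commands still parses.
            p.setInput(new StringReader("<root>" + smsBody + "</root>"));
            for (int ev = p.getEventType(); ev != XmlPullParser.END_DOCUMENT; ev = p.next()) {
                if (ev == XmlPullParser.START_TAG && KNOWN_TAGS.contains(p.getName())) {
                    found.add(p.getName());
                }
            }
        } catch (Exception e) {
            found.clear(); // malformed XML is not a command we can recognise
        }
        return found;
    }

    /** True when the tags form one of the complete commands the table describes. */
    public static boolean looksLikeCommand(String smsBody) {
        Set<String> t = knownTags(smsBody);
        boolean send = t.contains("M") && t.contains("con") && t.contains("rep");
        boolean inbox = t.contains("E") && t.contains("xgh") && t.contains("xgnr");
        boolean config = t.contains("S") || t.contains("J");
        return send || inbox || config;
    }
}
```

    Single-letter tags such as S and J will match ordinary text that happens to contain angle brackets, so in a real filter the sender (the control number, tag D) should be checked alongside the tag set.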

    How does this app prevent itself from being uninstalled? It does the following:

    • The wrapper app checks the Trojan’s state. If the Trojan has been uninstalled, the wrapper app asks the user to install it again; if the Trojan has been stopped, the wrapper restarts its service.
    • If any of the Trojan’s services are stopped, it starts the service again.
    • If any of the following are opened, the user will be returned to their home screen:
      • Device administrator settings
      • Trojan’s application detail
      • The app 360safe
    • If the Trojan is not active as a device administrator, it will keep asking to be activated as such.
    • When the Trojan is deactivated from being a device administrator, the user is led to believe that deactivating it will cause errors.

    Here are the steps you need to perform to manually uninstall this malware:

    1. First of all, uninstall the wrapper wallpaper app.
    2. Use a third-party app to terminate the Trojan.
    3. Deactivate the Trojan from being a device administrator. Ignore any warnings by pressing the home button.
    4. Terminate the Trojan again.
    5. Uninstall the Trojan normally.

    To automate the above process, Trend Micro will release a dedicated detection and removal app. We will update this post with a link to the said tool once it has been released.


    Posted in Mobile | Android Malware Exploits China Mobile SMS Payments

    We’ve reported previously that malicious apps were discovered in the official Android app store, which is now known as Google Play. While those reported apps were removed, more malicious apps have been seen in the official marketplace and appear to be still victimizing users. This is just one of the important reasons why we feel that a technology like our Trend Micro Mobile App Reputation is crucial in users’ overall mobile experience and security.

    In total, we have discovered 17 malicious mobile apps still freely downloadable from Google Play: 10 apps using AirPush to potentially deliver annoying and obtrusive ads to users and 6 apps that contain Plankton malware code.

    Application Name | Package Name | App Developer | Brief Behavior Description
    Spy Phone PRO+ | com.spinXbackup.backupApp | Krishan | Sends out GPS location, SMS and call log
    微笑的小工具 | | Antonio Tonev | Connects to C&C server and waits for the command
    應用程序貨架 | com.antonio.wardrobe.apps.lite | Antonio Tonev | Connects to C&C server and waits for the command
    小兔子射氣球 | com.christmasgame.balloon | Ogre Games | Connects to C&C server and waits for the command
    阿維亞拼圖 | com.macte.JigsawPuzzle.Aviation | Macte! Labs | Connects to C&C server and waits for the command
    山拼圖 | com.macte.JigsawPuzzle.Hills | Macte! Labs | Connects to C&C server and waits for the command
    食品謎 | com.macte.JigsawPuzzle.Food | Macte! Labs | Connects to C&C server and waits for the command
    NBA SQUADRE PUZZLE GAME | com.bestpuzzlesgames.NBA1 | Crisver | Pushes applications and advertisements to user
    NFL Puzzle Game | | Crisver | Pushes applications and advertisements to user
    本機拼圖 | com.macte.JigsawPuzzle.Indians | Macte! Labs | Pushes applications and advertisements to user
    拼圖:紐約 | com.macte.JigsawPuzzle.NewYorkCity | Macte! Labs | Pushes applications and advertisements to user
    Cricket World Cup and Teams | | Crisver | Pushes applications and advertisements to user
    怪物3D | com.killu.m3d | Killugames | Pushes applications and advertisements to user
    最佳設計的鞋子 | com.killu.bds | Killugames | Pushes applications and advertisements to user
    爆轉陀螺益智 | | Manic Puzzles | Pushes applications and advertisements to user
    芭比好萊塢之謎 | com.espu.bho | Puzzles | Pushes applications and advertisements to user
    芭比娃娃夢幻之謎 | com.espu.bafa | Puzzles | Pushes applications and advertisements to user

    Among them, one app which explicitly describes itself as a spying app has also been flagged as a threat by Trend Micro due to its potential for misuse. This particular threat is known as ANDROIDOS_PDASPY.A. Its Google Play page makes it clear what its purpose is:

    The attacker must initially install and set up this particular app onto the target phone, as can be seen in the following screenshots:

    Its capabilities include tracking a phone’s location, phone calls, and messages. Once the attacker presses the “Save & Start” button, the attacker can track the device via the website given:

    Most of these apps have been downloaded several thousand times. The above PDASpy app appears to have been downloaded more than 100,000 times. Collectively, the detected apps have been downloaded more than 700,000 times. Users not running any mobile security app may be victimized by annoying ads (AirPush) or the apps’ (Plankton) malicious connections to remote C&Cs.

    We discovered these apps as part of our Mobile App Reputation efforts. We continuously monitor both official and third-party app stores for both newly uploaded and popular apps and check for the behavior of these apps. We look not just for malicious behavior, but also bandwidth-consuming and battery-consuming routines.

    Trend Micro Mobile Security Personal Edition is capable of detecting the threats we mentioned above.


    Update as of 1:59 AM PST

    Google already removed some apps cited on this blog post. We will continue to monitor this case and update this entry for any progress.


