
    Author Archive - Mark Balanza (Threats Analyst)

I have seen Android malware delete and send SMS messages, but this is the first time I have seen an Android malware act as an SMS relay.

My colleagues and I were recently able to analyze a sample of an Android malware that uses an infected device as a proxy for sending and receiving messages. Unlike most Android-specific threats we have seen recently, this one does not piggyback on a legitimate Android app. Once installed, it displays a blank window for a split second and then immediately closes it.

This malware installs a service called FlashService. It employs two receivers, FlashReceiver and SMSReceiver, which are triggered after the device boots up and when the device receives an SMS message, respectively. FlashReceiver, the one that runs after boot, starts the FlashService.

Receivers are functions that are executed when a specific Intent is received. Think of an Intent simply as an event. When a device receives an SMS message, the OS broadcasts this event, which triggers every function registered to run each time that event occurs.

FlashService is responsible for allowing the device to communicate with its server. As mentioned, it runs once the device boots up and connects to a certain URL in order to download an XML configuration file. The code of the XML configuration file the malware was receiving at the time of writing is shown below.
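The boot-triggered receiver, the SMS-triggered receiver and the background service described above are all declared in the app's AndroidManifest.xml, so a static check of the manifest is one cheap way to triage a sample for this component pattern. The following Python script is an added example and not Trend Micro's code or tooling: it parses a constructed manifest (modelled on the component names the post gives, FlashService, FlashReceiver and SMSReceiver; the package name and permissions are placeholders, not taken from the sample) and flags the combination of boot persistence, an SMS receiver with SMS permissions, and network access.

```python
"""Static manifest triage for the boot-receiver + SMS-receiver + service pattern.

Added example, not part of the original post. The manifest below is constructed
to mirror the components named in the post; the package name and permission
set are assumptions, not values extracted from the real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Constructed manifest (assumption): a BOOT_COMPLETED receiver, an SMS_RECEIVED
# receiver and a plain service, as the post describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flash">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".FlashService"/>
        <receiver android:name=".FlashReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SMSReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
NET_PERM = "android.permission.INTERNET"


def parse_manifest(xml_text):
    """Return (permissions, {receiver name: set of actions}, [service names])."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.findall("uses-permission")}
    app = root.find("application")
    receivers = {}
    if app is not None:
        for rx in app.findall("receiver"):
            actions = {a.get(NAME) for a in rx.findall("intent-filter/action")}
            receivers[rx.get(NAME)] = actions
        services = [s.get(NAME) for s in app.findall("service")]
    else:
        services = []
    return perms, receivers, services


def triage(xml_text):
    """Return a list of findings; an empty list means the pattern is absent."""
    perms, receivers, services = parse_manifest(xml_text)
    boot_rx = sorted(n for n, acts in receivers.items() if BOOT_ACTION in acts)
    sms_rx = sorted(n for n, acts in receivers.items() if SMS_ACTION in acts)
    findings = []
    if boot_rx and services:
        # Boot receiver plus a service: something to restart at every boot.
        findings.append(f"boot receiver {boot_rx} with background service {services}")
    if sms_rx and perms & SMS_PERMS:
        # SMS receiver backed by the permission that lets it read the message.
        findings.append(f"SMS receiver {sms_rx} with permissions {sorted(perms & SMS_PERMS)}")
    if boot_rx and sms_rx and NET_PERM in perms:
        # All three together match the relay profile described in the post.
        findings.append("boot persistence + SMS receiver + network access: relay-capable profile")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

Run it as-is to see the three findings for the constructed manifest; point `triage()` at the text of a decoded manifest (for example one produced by apktool) to apply the same check to a real sample. The heuristic is deliberately narrow: many legitimate apps register for BOOT_COMPLETED or SMS_RECEIVED alone, so only the combination is reported as a relay-capable profile.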



    We recently received a sample of an Android malware known as DroidDreamLight currently circulating on the Web. Once executed on an infected device, this malware steals mobile-specific information that it then uses for malicious activities.

Similar to previous information-stealing Android malware, DroidDreamLight, detected by Trend Micro as ANDROIDOS_DORDRAE.L, gathers the following information from an infected mobile phone:

    • Device model
    • Language and country
    • International Mobile Equipment Identity (IMEI) number
    • International Mobile Subscriber Identity (IMSI) number
    • Software development kit (SDK) version
    • List of installed apps

    The malware also connects to several URLs in order to “phone home” and upload the stolen data. It also comes with a config file named prefer.dat where it stores encrypted URLs. The said file is found in the Asset folder of the package.




    We recently analyzed an Android OS malware that specifically targets China Mobile subscribers. China Mobile is a state-owned telecommunications service provider that is considered the world’s largest mobile phone operator.

The malware arrives through a link sent via SMS. The message tells China Mobile users to install a patch for their supposedly vulnerable devices by opening the given link, which actually leads to a malicious file.

The malware, now detected as ANDROIDOS_ADSMS.SMA, obtains certain information about the affected device such as the IMEI number, phone model, and SDK version. Afterward, it connects to a certain URL to request an XML configuration file. Studying the code of that file, we found that its tags hold different kinds of values related to the malware's routines.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice