I have seen Android malware delete and send SMS messages, but this is the first time I have seen an Android malware act as an SMS relay.
My colleagues and I were recently able to analyze a sample of an Android malware that uses an infected device as a proxy for sending and receiving messages. Unlike most Android-specific threats we have recently seen, this one does not piggyback on legitimate Android apps. Once installed, it displays a blank window for a split second, then immediately closes it.
This malware installs a service called FlashService and two receivers, FlashReceiver and SMSReceiver, which are triggered when the device boots up and when it receives an SMS message, respectively. FlashReceiver, when it runs at boot, starts FlashService.
Receivers are components whose code is executed when a specific Intent is broadcast; think of an Intent simply as an event. When a device receives an SMS message, its OS broadcasts this event, which triggers every receiver that is registered to run each time that event occurs.
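The component wiring described above (a receiver on the boot event starting a service, plus a receiver on the incoming-SMS event, declared alongside SMS and network permissions) is something an analyst can check for directly in an app's manifest. The script below is an added example, not code from the original post or from the malware; it parses a constructed AndroidManifest.xml (the package name and the manifest contents are made up for illustration, only the component names mirror the post) and flags that pattern. It goes slightly beyond the post by also reporting an unusually high intent-filter priority on the SMS receiver, a trait worth surfacing during triage.

```python
"""Manifest triage for the SMS-relay wiring described in the post.

Added example. The two manifests below are constructed for illustration;
only the component names FlashService / FlashReceiver / SMSReceiver come
from the post. The package names and everything else are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
INTERNET_PERM = "android.permission.INTERNET"
HIGH_PRIORITY = 1000  # above the range ordinary apps have a reason to use


def a(attr):
    """Qualify an attribute name with the android: namespace as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest reproducing the wiring the post describes (not the real sample).
RELAY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flash">
    <service android:name=".FlashService"/>
    <receiver android:name=".FlashReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SMSReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: a boot receiver alone is common (e.g. alarm apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alarm">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Alarm">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract package, permissions, services and receivers (with actions/priority)."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(a("name")) for p in root.iter("uses-permission")}
    services = [s.get(a("name")) for s in root.iter("service")]
    receivers = {}
    for r in root.iter("receiver"):
        actions, priority = set(), 0
        for f in r.findall("intent-filter"):
            priority = max(priority, int(f.get(a("priority"), "0")))
            actions.update(x.get(a("name")) for x in f.findall("action"))
        receivers[r.get(a("name"))] = {"actions": actions, "priority": priority}
    return {"package": root.get("package", ""), "permissions": permissions,
            "services": services, "receivers": receivers}


def triage(info):
    """Return a list of human-readable findings for one parsed manifest."""
    findings = []
    boot = sorted(n for n, r in info["receivers"].items() if BOOT_ACTION in r["actions"])
    sms = sorted(n for n, r in info["receivers"].items() if SMS_ACTION in r["actions"])
    if boot:
        findings.append("boot-triggered receiver: " + ", ".join(boot))
    if sms:
        findings.append("SMS-triggered receiver: " + ", ".join(sms))
    for n in sms:
        if info["receivers"][n]["priority"] >= HIGH_PRIORITY:
            findings.append("high-priority SMS filter on %s" % n)
    if SMS_PERMS & info["permissions"] and INTERNET_PERM in info["permissions"]:
        findings.append("SMS permissions combined with INTERNET")
    if boot and sms and info["services"] and INTERNET_PERM in info["permissions"]:
        findings.append("MATCH: boot receiver + SMS receiver + service + network")
    return findings


def matches_relay_pattern(xml_text):
    """True when the manifest shows the full boot/SMS/service/network wiring."""
    return any(f.startswith("MATCH") for f in triage(parse_manifest(xml_text)))


if __name__ == "__main__":
    for label, text in (("relay", RELAY_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(parse_manifest(text)))
```

The heuristic is deliberately conservative: a boot receiver by itself is unremarkable, so only the full combination is reported as a match, while the individual findings are kept for an analyst to weigh. Real manifests are binary-encoded inside the APK; a decoded manifest (for example from apktool) is what this script expects.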
FlashService is responsible for the device's communication with the malware's server. As mentioned, it runs once the device boots up and connects to a certain URL in order to download an .XML configuration file. The code of the .XML configuration file the malware received at the time of writing is shown below.