Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Click for larger view
    A new threat wants to subscribe your device to premium services.

    A few months back, we reported about an Android malware targeting China Mobile subscribers by abusing premium services, and more recently, one that monitors for certain keywords in text messages. What’s the connection between these two? Well, we were able to analyze an Android malware sample that does both of the previously mentioned routines.

    Detected as ANDROIDOS_AUTOSUBSMS.A, this sample was found in Trojanized versions of certain applications, which are still currently available for download in certain Chinese third-party app stores.

    It installs the receiver called util.Smsreceiver, which executes every time an infected device receives a message. It also asks for certain permissions that the receiver requires to work. These permissions are not included in the app’s original version.

    As mentioned earlier, this malware abuses premium services and monitors text messages for certain keywords. Unlike the Trojanized Coin Pirates app, however, it does not monitor for keywords for spying purposes but does so in order to subscribe infected devices to premium services.

    It screens the text messages infected devices receive for Chinese keywords that translate to “reply random content” and to “supermarket.” Once found, the malware replies with “Y” to the messages. We think this malicious app waits for text messages from providers that promote certain services and sends responses in order to subscribe affected users to the premium services they offer.

    Since this malware is a premium service abuser and since premium service providers automatically send confirmation messages to users upon subscription, it also watches out for another set of keywords that translate to “love comes,” “love is here”, and “supermarket” to evade detection. If any of the said words exist in a text message that was sent by phone numbers that begin with “10658” and “10086,” the said messages will be deleted. The number “10658” seems to be a premium number while “10086” is China Mobile’s service number.

    Android-based device users, especially China Mobile subscribers, are strongly advised to be very cautious when installing apps. For more information on keeping your mobile devices safe from malicious apps like this, check out our e-book, “5 Simple Steps to Secure Your Android-Based Smartphones.”

    Additional information by Mark Balanza, Julius Dizon, and Chengkai Tao

    Updated August 18, 2011 4:48 AM PST for the proper translation of key words.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice