In our 1Q Threat roundup report, we noted that the number of mobile malware and high-risk applications reached the two-million mark and is rapidly growing. In our monitoring of the mobile threat landscape, we have recently discovered an Android malware that is spreading fast in Taiwan, detected as ANDROIDOS_RUSMS.A.
Mobile users fall victim via SMS spam attack. Users receive an SMS in order to lure them to install the malicious app. The messages read as follows:
您正在申請網上支付103年3月電費共計480元，若非本人操作，請查看電子憑證進行取消 (malicious link)
您的快遞簽收通知單, (malicious link)
Translated into English, these read as:
- You are applying to have your March 2014 electricity bill paid online with a total amount of 480 Yuan. If you did not apply for this, please see the electronic certificate to cancel this action (malicious link)
- Your express delivery notice, (malicious link)
It’s worth noting that the first message uses security as its social engineering lure. Cybercriminals may have opted to use security warnings as the lure because users will be more inclined to click links in order to stop the supposed activity.
The links lead to the malicious app. Once installed, the malicious app may send SMS, as well as intercept incoming ones. To profit from this, the attackers try to use micropayment schemes provided by mobile carriers. These schemes are similar to premium SMS program, however, they require a confirmation message from the user.
In a normal micropayment scheme, a user who shops online would have to fill out the online site’s electronic information sheet (including phone numbers). Online transactions would then have to be verified and confirmed via SMS with which a confirmation code is included to finalize the entire transaction.
Because this malware intercepts the SMS confirmation, the victims are not aware of the charges they incur. The malware blocks the SMS if the SMS address contains any of the specific characters listed below:
The blocked SMS is then forwarded to a specified IP address, allowing the attacker to complete the fraudulent transaction.
In addition, the malware also sends the contents of the user’s contacts list to a remote server. As part of its social engineering tactic, this malware is disguised as a Google app named Google Service Framework. However, the legitimate app is named Google Services Framework. They are so similar that most people will not notice.
When installed, this malware starts a service that periodically checks a remote server. If data is returned, the data is parsed to form an SMS, which it sends out immediately. This allows the attacker to sign the victim up for various premium services without their consent.
The malware has two features to make detection and analysis more difficult. First, it requests the user to give them administrator privileges.
Figure 1. Requesting administrator privileges
If the user chooses ‘Activate’, the malicious app cannot be uninstalled directly. Users need to disable it first in the Settings>Security>Device administrators.
Second, it is designed to check whether it runs inside an Android emulator. It does not perform any of its malicious behavior if it is running inside; this behavior is similar to some techniques we’ve seen done by desktop malware.
Another malware uses a similar disguise. This one disguises itself as Google Services Framework, the same name as the legitimate app. However, the version is different. The malicious app uses version 1.0, while the legitimate Google application uses part of the Android version (like,for instance, 4.2.2-721232). This was detected as ANDROIDOS_RUSMS.HAT.
Figure 2. Incorrect version number
This particular variant also uses techniques to make detection and analysis more difficult. It is protected by an APK packer, which employed a self-modification technology. This means that the original code is encrypted and the unpacker code injected. When the app is launched, the unpacker code is run first. It then dynamically decrypts itself and recovers the original code in the memory.
Since the original code cannot be run or analyzed directly, this makes detection and analysis difficult. However, this technique is not limited to malicious apps: legitimate apps also use this to protect their apps. Ironically, this is meant to prevent malicious app developers from acquiring a legitimate app and tampering with it to add malicious code.
These threats are most prevalent in Taiwan, with more than 97% of all victims being locals. The malicious links leading to ANDROIDOS_RUSMS.A alone have been visited almost 32,000 times.
To avoid mobile devices being infected by this type of Android malware, we recommend against installing apps from suspicious third-party app stores. Users can protect their devices from being automatically installed with unknown apps by unchecking the option in Setting>Security>Unknown Sources. Trend Micro protects users from this threat with Trend Micro Mobile Security that detects malicious apps.