We recently encountered ANDROIDOS_SMSZOMBIE.A, an Android Trojan targeting China Mobile subscribers that takes control of a device’s SMS functionality. It can send, forward, and drop SMS messages. What makes this more troubling for users is the fact that this malware is difficult to uninstall. A dedicated removal tool will be released to Google Play and Chinese app stores next week.
As other researchers have noted, this Trojan takes advantage of a vulnerability in the China Mobile SMS payment process to generate unauthorized payments, steal bank card numbers and money transfer receipt information.
How does this threat arrive on user devices? It is usually wrapped in a wallpaper app. Once that app is installed, the live wallpaper can be enabled via Menu > Wallpaper > Live Wallpapers.
After the live wallpaper has been enabled, the user is asked to install the Trojan (which is described instead as a “game”, complete with 100 free points).
Once installed, the malware asks to be activated as a device administrator, claiming that doing so will save power. If the user presses the cancel or back button, the prompt simply appears again; only after the Trojan has been activated as a device administrator will it let the user return to the home screen.
As previously mentioned, this particular Trojan is quite difficult to uninstall. Using Android’s own uninstall function simply sends the user back to the home screen, without ever showing the app to be uninstalled. Even if a third-party app is used to attempt removal, the Trojan cannot be removed because it is still active as a device administrator. If the user goes ahead and tries to deactivate it as an administrator, the Trojan warns that deactivating it will cause system errors; if the user deactivates it anyway, the Trojan keeps prompting to be reactivated.
What does this app do once it is installed on the user’s device? When first run, it sends the app version and device information (model, OS, language, network) to a “control number” via SMS.
Once running, it has the following capabilities:
- Forward every received SMS message
- Drop SMS which contains words in a configurable list
- Send SMS messages
- “Write” an SMS message into the inbox
All of these capabilities are controlled via SMS messages sent by the attacker to the device. The instructions are XML and use the following tags:

| Tag | Meaning |
|---|---|
| S | change the current configuration |
| J | write the current configuration to phone.xml |
| M | send an SMS with the content and number given by the con and rep tags |
| con | content of the SMS to send |
| rep | destination number of the SMS to send |
| E | write an SMS into the inbox with the number and content given by the xgh and xgnr tags |
| xgh | sender number of the faked inbox message |
| xgnr | content of the faked inbox message |
For example, if the attacker wants to send an SMS from the infected device to China Mobile, he can send the following content to the device:
Configuration files are in XML format as well:
This particular file shows the default control number, the default content keywords (转, 卡号, 姓名, 行, 元汇, 款, hello), and a default number keyword of "10". The relevant tags are:

| Tag | Meaning |
|---|---|
| n | keyword matched against SMS content; if the content contains the keyword, the Trojan drops the message |
| zdh | keyword matched against the sender number; if an SMS comes from a matching number, it is dropped and never reaches the user |
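To make the command grammar and the drop rules concrete, here is an added Python decoder of the kind an analyst would write to interpret captured traffic. It is not the Trojan's code and not a Trend Micro tool. It assumes that an attacker SMS carries only the tags from the table above (the example wraps the body in a synthetic `<cmd>` root), that the configuration file lists `n` and `zdh` entries under a root element (the post's own configuration example did not survive extraction, so the `<config>` layout is an assumption), that "contains" means substring matching, and that children of `S` are the new configuration. The sample messages and the number 10086 are constructed input.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration. The tag names n and zdh and the default
# keyword values come from the post; the <config> wrapper is an assumption.
SAMPLE_CONFIG = """<config>
  <n>转</n><n>卡号</n><n>姓名</n><n>行</n><n>元汇</n><n>款</n><n>hello</n>
  <zdh>10</zdh>
</config>"""


def parse_config(xml_text):
    """Extract the drop lists: n = content keywords, zdh = sender-number keywords."""
    root = ET.fromstring(xml_text)
    return {
        "content": [e.text for e in root.iter("n") if e.text],
        "number": [e.text for e in root.iter("zdh") if e.text],
    }


def should_drop(sender, body, config):
    """True if the Trojan would silently discard this incoming SMS.

    Substring matching is an assumption; the post only says "contains".
    With the default zdh of "10", any sender number containing "10"
    (e.g. the 10xxx service numbers) is hidden from the user.
    """
    if any(k in sender for k in config["number"]):
        return True
    return any(k in body for k in config["content"])


def decode_command(sms_body):
    """Turn one attacker SMS into a list of (action, ...) tuples.

    The body is wrapped in a synthetic <cmd> root so it only needs to carry
    the tags listed in the post; that wrapper is an assumption of this example.
    """
    root = ET.fromstring("<cmd>" + sms_body + "</cmd>")
    actions = []
    for node in root:
        if node.tag == "M":      # send an SMS: rep = destination, con = text
            actions.append(("send_sms", node.findtext("rep"), node.findtext("con")))
        elif node.tag == "E":    # plant a fake inbox message: xgh = number, xgnr = text
            actions.append(("write_inbox", node.findtext("xgh"), node.findtext("xgnr")))
        elif node.tag == "S":    # replace the in-memory configuration (children assumed to be n/zdh)
            new_cfg = parse_config(ET.tostring(node, encoding="unicode"))
            actions.append(("update_config", new_cfg))
        elif node.tag == "J":    # persist the current configuration to phone.xml
            actions.append(("write_phone_xml",))
        else:
            actions.append(("unknown", node.tag))
    return actions


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # Constructed traffic: a message from a 10xxx service number, a personal
    # message mentioning a card number, and an attacker command that makes the
    # phone text a number (10086 is used here purely as constructed input).
    print(should_drop("10086", "balance notice", cfg))            # dropped: sender matches "10"
    print(should_drop("13800000000", "my 卡号 is ...", cfg))       # dropped: content keyword
    print(should_drop("13800000000", "see you tonight", cfg))      # delivered
    print(decode_command("<M><con>hello</con><rep>10086</rep></M>"))
    print(decode_command("<S><n>转账</n><zdh>95</zdh></S><J/>"))
```

Running the script shows why the "10" keyword matters: combined with the content keywords for transfers, card numbers and names, it lets the attacker both relay and suppress the confirmation traffic that would normally alert the victim to an unauthorized payment.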
How does this app prevent itself from being uninstalled? It does the following actions to do this:
- The wrapper app checks the Trojan’s state. If the Trojan has been uninstalled, the wrapper asks the user to install it again; if the Trojan has been stopped, the wrapper restarts its service.
- If any of the Trojan’s services are stopped, it starts the service again.
- If any of the following are opened, the user is sent back to the home screen:
- Device administrator settings
- Trojan’s application detail
- The app 360safe
- If the Trojan is not active as a device administrator, it will keep asking to be activated as such.
- When the Trojan is deactivated from being a device administrator, the user is led to believe that deactivating it will cause errors.
Here are the steps you need to perform to manually uninstall this malware:
- First of all, uninstall the wrapper wallpaper app.
- Use a third-party app to terminate the android.phone.com process.
- Deactivate the Trojan from being a device administrator. Ignore any warnings by pressing the home button.
- Terminate android.phone.com again.
- Uninstall the Trojan normally.
To automate the above process, Trend Micro will release a dedicated detection and removal app. We will update this post with a link to the said tool once it has been released.