The Latest in IT Security

Android malware monitoring for messages sent to an infected device from specific numbers is something that we’ve frequently seen in the past. This is typically done by malware to intercept messages from premium numbers, in order to prevent the user from suspecting a malware infection in their device. The Android malware we recently saw however takes a different approach, and monitors for certain keywords contained in received SMS messages instead.

The said malware is a Trojanized version of a game called Coin Pirates, which according to our research was hosted in a Chinese app market. The Trojanized version has been pulled out of the market when we last checked.

Same with most Android malware, this Trojanized application, which Trend Micro detects as ANDROIDOS_PIRATES.A, asks for more permissions than its legitimate version, thus does more routines than the original application.

Installation

As its installation routine, ANDROIDOS_PIRATES.A registers 3 receivers: BootReceiver, AlarmReceiver, and SMSReceiver. BootReceiver and AlarmReceiver are both responsible for starting the service MonitorService, which enables the malware to communicate with its malicious server. SMSReceiver, on the other hand, executes everytime an SMS is received.

Information Theft

Once the receivers are installed, ANDROIDOS_PIRATES.A gets the following information from the affected device and sends them to the malicious server:

• device model
• SDK version
• IMEI
• IMSI

We were not able to connect to the server at the time of testing, so we resorted to code analysis at this point.

The code suggests that if the server replies to the device with the string “sendsms“, ANDROIDOS_PIRATES.A will send an SMS message containing the phone’s IMEI and device model to any of the following numbers:

• 13521419442
• 13552040604
• 13661258744
• 13521273944
• 13552040894
• 13520931794
• 13520234741
• 13520234194

Note that the aforementioned numbers are not premium numbers.Searching the Internet also shows that these numbers were possibly used by other/older malware.

SMS Monitoring

Also, this malware connects to its server to download data that will populate a database that the malware has installed in the affected device. The database contains a table called “blogconfig” which has 4 fields: BlogType, KeyWords, Charging, and IsConfirm.

The KeyWords field is set to contain strings that the malware watches for every time an SMS is received through the SMSReceiver. If the string matches, it is either deleted or uploaded to the server depending on the value of the IsConfirm field.

This is a new trick. As I mentioned earlier, older SMS-targeting Android malware use the originating number in filtering for certain text messages. This malware checks for keywords inside the body of the messages, resulting to a more targeted approach. In addition, the malware author can update the items in the KeyWords field.

Other capabilities of this malware include sending of SMS messages to a certain number, as well as adding a bookmark to the device’s browser, with specifics of both the SMS message and the bookmark URL depending on the response from the server.

User can check if they are affected by going to Settings>Applications>Running Services and check if MonitorService exists. Infected users can also manually remove the malware from their system by going to Settings>Applications>Manage Applications and then uninstall the malicious app.

For more information on how users can keep their Android device safe from malicious apps such as this one, check our report 5 Simple Steps to Secure Your Android-Based Smartphones.