The Latest in IT Security

Premium Abusers Also Check for Keywords


New threat wants to subscribe your device to premium services.

A few months back, we reported on an Android malware targeting China Mobile subscribers by abusing premium services, and more recently, one that monitors for certain keywords in text messages. What’s the connection between these two? Well, recently we were able to analyze an Android malware sample that contains both of the previously mentioned routines.

Detected as ANDROIDOS_AUTOSUBSMS.A, this sample has been found in a Trojanized version of certain applications, and is still currently available for download in certain Chinese third-party app stores.

It installs the receiver named “util.Smsreceiver“, which executes everytime an infected device receives a message. It also asks for certain permissions that require the receiver to work. These permissions are not included in the original version of the application.

As mentioned earlier, this malware abuses premium services and monitors for certain keywords in text messages. Unlike the Trojanized Coin Pirates app, however, the monitoring for keywords is not for spying, but for subscribing the device to premium services.

It monitors for received text messages bearing Chinese keywords translated as “reply random content” and “supermarket”. Once found, the malware will reply to the same message with one that has “Y” as its content. We suspect that what this malicious app does is wait for messages from providers that promote certain services, and the sending of the response is done to subscribe the user to the said premium service.

Since this is a premium service abuser, once a device is subscribed to a service, most mobile providers will automatically send a confirmation text message. In order to prevent the user from seeing the confirmation message, the malware also monitors for another set of keywords translated as “love laila”, “love to the”, and “supermarket”. If any of the said words exist in a received text message and it came from a phone number starting with “10658? and “10086?, the message will be deleted. The number “10658″ seems to be a premium number, while “10086″ is the service number for China Mobile.

Android users, especially China Mobile subscribers, are strongly advised to be very cautious in installing apps to their device. For more information on how to keep an Android-based mobile device safe from malicious apps like this, check our report “5 Simple Steps to Secure Your Android-Based Smartphones.”

Additional info by Mark Balanza, Julius Dizon and Chengkai Tao

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments