New threat wants to subscribe your device to premium services.
A few months back, we reported on Android malware targeting China Mobile subscribers by abusing premium services, and more recently, on one that monitors for certain keywords in text messages. What’s the connection between these two? Well, recently we were able to analyze an Android malware sample that contains both of the previously mentioned routines.
Detected as ANDROIDOS_AUTOSUBSMS.A, this sample has been found in a Trojanized version of certain applications, and is still currently available for download in certain Chinese third-party app stores.
It installs the receiver named “util.Smsreceiver”, which executes every time an infected device receives a message. It also asks for certain permissions that the receiver requires in order to work. These permissions are not included in the original version of the application.
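The check below is an added example, not part of the original post or the vendor's tooling: it compares the decoded AndroidManifest.xml of an original app with that of a repackaged copy and reports SMS permissions and SMS receivers that appear only in the copy. The permission list and both sample manifests are assumptions constructed for illustration, since the post does not name the added permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumption: the post does not list the added permissions; these are the
# standard Android SMS permissions relevant to receiving, replying and deleting.
SMS_PERMISSIONS = {"android.permission." + p
                   for p in ("RECEIVE_SMS", "SEND_SMS", "READ_SMS", "WRITE_SMS")}

def manifest_facts(xml_text):
    """Return (declared permissions, receivers registered for incoming SMS)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    receivers = set()
    for r in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in r.iter("action")}
        if SMS_RECEIVED in actions:
            receivers.add(r.get(ANDROID_NS + "name"))
    return perms, receivers

def repackaging_diff(original_xml, suspect_xml):
    """Report SMS permissions and SMS receivers present only in the suspect build."""
    o_perms, o_recv = manifest_facts(original_xml)
    s_perms, s_recv = manifest_facts(suspect_xml)
    return {
        "added_sms_permissions": sorted((s_perms - o_perms) & SMS_PERMISSIONS),
        "added_sms_receivers": sorted(s_recv - o_recv),
    }

# Constructed sample manifests (hypothetical package com.example.game)
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".Main"/>
    <receiver android:name="util.Smsreceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(repackaging_diff(ORIGINAL, SUSPECT))
```

The manifests are expected in decoded text form, for example as extracted by an APK decoding tool; the binary manifest inside an APK will not parse directly.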
It monitors for received text messages bearing Chinese keywords translated as “reply random content” and “supermarket”. Once found, the malware will reply to the same message with one that has “Y” as its content. We suspect that what this malicious app does is wait for messages from providers that promote certain services, and the sending of the response is done to subscribe the user to the said premium service.
Since this is a premium service abuser, once a device is subscribed to a service, most mobile providers will automatically send a confirmation text message. In order to prevent the user from seeing the confirmation message, the malware also monitors for another set of keywords translated as “love laila”, “love to the”, and “supermarket”. If any of these keywords appears in a received text message and the message came from a phone number starting with “10658” or “10086”, the message will be deleted. The number “10658” seems to be a premium number, while “10086” is the service number for China Mobile.
Android users, especially China Mobile subscribers, are strongly advised to be very cautious when installing apps on their devices. For more information on how to keep an Android-based mobile device safe from malicious apps like this, check our report “5 Simple Steps to Secure Your Android-Based Smartphones.”
Additional info by Mark Balanza, Julius Dizon and Chengkai Tao