Threat Research

SMS Worm Runs Wild in Singapore

Summary

SingCert, Singapore’s Computer Emergency Response Team, published an advisory yesterday identifying a malicious Android app that spreads via SMS. Once installed, the malware simply displays a photo to the user (shown in Figure. 1), which, once the user clicks the back or home button, hides itself from the user interface forever. However, the now- hidden malware will automatically send text messages every eight seconds to people on the victim’s contact list (shown in Figure. 2) and launch ad libraries every five minutes.

These text messages contain a shortened URL luring SMS receivers to click it and install the harmless-looking app PhotoView.apk – the malware – presumably so the recipient can view a photo of them. The malware sends out SMS messages in a similar fashion to the well-known ransomware “Koler” but has a totally different implementation.

Figure 1: The photo displayed when the victim launches the app. It does nothing but show this photo, and, once the user clicks the back or home button, the app icon disappears forever.

Figure 2: Screenshot of the phishing SMS sent from the victim

Code Analysis

Upon the user closing out the application after opening it, the first thing the malware does is remove the icon from the UI:          

setComponentEnabledSetting(getComponentName(),

    PackageManager.COMPONENT_ENABLED_STATE_DISABLED,

    PackageManager.DONT_KILL_APP);

After that, it sets a recurring alert to repeatedly (every five minutes) launch ad libraries, including: StartApp, Admob, Inmobi, MobFox, Millennialmedia, Umeng, Airpush, and more. We extracted all the ad developer IDs (used for the remote ad servers to identify and reward the developer integrating the corresponding ad libraries in the app) that belong to the malware author, as shown below.

Ad library

Ad Developer ID

StartApp

DeveloperID: 104434853

ApplicationID: 206017540

Admob

admob_banner: ca-app-pub-2544528252222734/8978623200

admob_inter: ca-app-pub-2544528252222734/2932089606

Inmobi

inmobi_id: a0ca224185c4429bbffa34967dc3a4b7

MobFox

mobfox_pub_id: 5d9c3d6079153a2188b04aa62d7db679

Millennialmedia

BANNER_APID: 175010

INTERSTITIAL_APID: 175021

INTERSTITIAL_TABLET_APID: 175020

Umeng

UMENG_APPKEY: 541d4204fd98c518c202eb1b

UMENG_CHANNEL: 6868android_mms2.0

Airpush

APPID: 143053

APIKEY: 1352602889123642875

Waps

waps_id: 2de6b5c3f12f6bf84dac1b3d6039d255

TapForTap

TapForTap_id: 44f33d03caf6bfac1426e6230b1cf5e9

As of this writing, those Ad Developer IDs are still alive. Such info can help ad providers and security vendors to further identify and block malware from the same developer or organization.

Next, the malware checks to see if the network connection is active. If so, it tries to load three parameters from the SharedPreference object. If it’s launched for the first time (in which case the SharedPreference would be empty), it finds the following three parameters and saves them in the SharedPreference object:

●      “u”       =>        URL (URL to be sent in the SMS)

●      “t”        =>        text  (text body to be sent in the SMS)

●      “n”       =>        total (the number of contacts to send SMS to)

Afterwards, it calls a method named “lunxun()” – which means polling in Chinese. If it’s the first launch of the malware, it scans the contact list and randomly selects at most n phone numbers. Otherwise it sets an alert to repeatedly wake itself up and send texts and URLs to those randomly selected contacts.

The spamming SMS follows this phishing formula:

“XXX (victim’s name, obtained from the contact list) Is this your photo? (spamming text) http://url7[.]me/tiNk1 (shortened spamming URL).”

The spamming text plays off of contacts sharing and viewing photos of each other, tricking those randomly selected victim contacts to download and install the malware by clicking the URLs above and allowing further spread. Currently the malicious domain hosting the above URLs has been taken down.

To avoid detection, the malware’s activity remains disabled (keeping the app icon unseen as well) even if the victim reboots the device. However, since the user launched the app once, the Android system allows the recurring alert service to repeatedly wake up the malware’s receiver to send SMS and serve ads.

Suggestions

■      Never click on suspicious links from emails/SMS/websites. Although the domain has been taken down so that this malware sample will not work anymore, there are still lots of malware in the wild spread via spamming/phishing links.

■      Install a mobile security app that can detect and clean such malware immediately. FireEye Mobile Security products can detect the existence of such malware and clean them immediately, or use FireEye Mobile Threat Prevention to scan suspicious apps.

Appendix: Malware Information and Domain Registration Information

Apk information

MD5:                            f6d3a35be0366eb994a0425a15871f5b

SHA256:                      8a50fa660c0d926bc48552c93ebda7a3f1bd119d14b89714d22f04e4e2564df8

Package Name:           com.android.mms20

Domain Information

Domain Name: 6868ANDROID.COM

Creation Date: 2014-11-13T09:30:00.00Z

Registrar Registration Expiration Date: 2015-11-13T09:30:00.00Z

Registrant Name: ZHUHAI JIANG

Registrant Street: QIXINGQUJINGXINGLU2HAO

Registrant City: GUILIN

Registrant State/Province: GUANGXI

Registrant Postal Code: 541000

Registrant Country: CN

Registrant Phone: +86.18256345289

Registrant Email: DOAPPS@163.COM