Summary
SingCERT, Singapore's Computer Emergency Response Team, published an advisory yesterday identifying a malicious Android app that spreads via SMS. Once installed, the malware simply displays a photo to the user (shown in Figure 1) and, as soon as the user presses the back or home button, hides itself from the user interface for good. The now-hidden malware then automatically sends a text message every eight seconds to people in the victim's contact list (shown in Figure 2) and launches ad libraries every five minutes.
These text messages contain a shortened URL luring recipients to click it and install the harmless-looking app PhotoView.apk (the malware), presumably so the recipient can view a photo of themselves. The malware sends out SMS messages in a similar fashion to the well-known ransomware "Koler" but has a totally different implementation.
Figure 1: The photo displayed when the victim launches the app. It does nothing but show this photo, and, once the user clicks the back or home button, the app icon disappears forever.
Figure 2: Screenshot of the phishing SMS sent from the victim's device
Code Analysis
When the user closes the application after opening it, the first thing the malware does is remove its icon from the launcher by disabling its own activity component through PackageManager:
// Disable this app's own activity component so the launcher no longer lists it,
// without killing the process that is still running in the background.
getPackageManager().setComponentEnabledSetting(getComponentName(),
        PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
        PackageManager.DONT_KILL_APP);
After that, it sets a recurring alarm to repeatedly (every five minutes) launch ad libraries, including StartApp, Admob, Inmobi, MobFox, Millennialmedia, Umeng, Airpush, and more. We extracted all the ad developer IDs (used by the remote ad servers to identify and reward the developer who integrated the corresponding ad library into the app) that belong to the malware author, as shown below.
Ad library | Ad Developer ID
StartApp | DeveloperID: 104434853, ApplicationID: 206017540
Admob | admob_banner: ca-app-pub-2544528252222734/8978623200, admob_inter: ca-app-pub-2544528252222734/2932089606
Inmobi | inmobi_id: a0ca224185c4429bbffa34967dc3a4b7
MobFox | mobfox_pub_id: 5d9c3d6079153a2188b04aa62d7db679
Millennialmedia | BANNER_APID: 175010, INTERSTITIAL_APID: 175021, INTERSTITIAL_TABLET_APID: 175020
Umeng | UMENG_APPKEY: 541d4204fd98c518c202eb1b, UMENG_CHANNEL: 6868android_mms2.0
Airpush | APPID: 143053, APIKEY: 1352602889123642875
Waps | waps_id: 2de6b5c3f12f6bf84dac1b3d6039d255
TapForTap | TapForTap_id: 44f33d03caf6bfac1426e6230b1cf5e9
As of this writing, those ad developer IDs are still active. Such information can help ad providers and security vendors further identify and block malware from the same developer or organization.
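One way ad providers or analysts can act on the table above is to match the <meta-data> entries of a decoded AndroidManifest.xml (where ad SDKs typically read their developer keys) against those IDs. The script below is an added example and is not FireEye's tooling; the indicator values are copied from the table, while the manifest fragments and the meta-data names in them are constructed for illustration.

```python
"""Match ad-network developer IDs in a decoded AndroidManifest.xml against
the IDs attributed to this malware author (editor-added example, not FireEye's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator values copied from the advisory's table, keyed by value.
BAD_AD_IDS: Dict[str, str] = {
    "104434853": "StartApp DeveloperID",
    "206017540": "StartApp ApplicationID",
    "ca-app-pub-2544528252222734": "Admob publisher ID (prefix of every ad unit)",
    "a0ca224185c4429bbffa34967dc3a4b7": "Inmobi inmobi_id",
    "5d9c3d6079153a2188b04aa62d7db679": "MobFox mobfox_pub_id",
    "175010": "Millennialmedia BANNER_APID",
    "175021": "Millennialmedia INTERSTITIAL_APID",
    "175020": "Millennialmedia INTERSTITIAL_TABLET_APID",
    "541d4204fd98c518c202eb1b": "Umeng UMENG_APPKEY",
    "6868android_mms2.0": "Umeng UMENG_CHANNEL",
    "143053": "Airpush APPID",
    "1352602889123642875": "Airpush APIKEY",
    "2de6b5c3f12f6bf84dac1b3d6039d255": "Waps waps_id",
    "44f33d03caf6bfac1426e6230b1cf5e9": "TapForTap TapForTap_id",
}


def extract_meta_data(manifest_xml: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for every <meta-data> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    pairs = []
    for md in root.iter("meta-data"):
        name = md.get(ANDROID_NS + "name")
        value = md.get(ANDROID_NS + "value")
        if name is not None and value is not None:
            pairs.append((name, value))
    return pairs


def value_matches(value: str, indicator: str) -> bool:
    # Admob ad-unit IDs are "<publisher>/<unit>", so the publisher prefix is matched;
    # every other ID is short enough that only an exact match is trustworthy.
    if indicator.startswith("ca-app-pub-"):
        return value == indicator or value.startswith(indicator + "/")
    return value == indicator


def scan_manifest(manifest_xml: str) -> List[Tuple[str, str, str]]:
    """Return (meta-data name, value, indicator label) for each blocklist hit."""
    hits = []
    for name, value in extract_meta_data(manifest_xml):
        for indicator, label in BAD_AD_IDS.items():
            if value_matches(value, indicator):
                hits.append((name, value, label))
    return hits


# Constructed manifest fragment; the meta-data names are illustrative, not any SDK's real keys.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <meta-data android:name="UMENG_APPKEY" android:value="541d4204fd98c518c202eb1b"/>
    <meta-data android:name="UMENG_CHANNEL" android:value="6868android_mms2.0"/>
    <meta-data android:name="DeveloperID" android:value="104434853"/>
    <meta-data android:name="admob_banner" android:value="ca-app-pub-2544528252222734/8978623200"/>
    <meta-data android:name="some.benign.KEY" android:value="1750100"/>
  </application>
</manifest>"""

# Constructed manifest with an unrelated Umeng key: must produce no hits.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.clean">
  <application>
    <meta-data android:name="UMENG_APPKEY" android:value="000000000000000000000000"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, value, label in scan_manifest(SAMPLE_MANIFEST):
        print(f"{label}: {name}={value}")
```

The exact-match rule for the short numeric IDs (Millennialmedia, Airpush) avoids false positives from substring matches; the Admob publisher prefix is the one indicator that legitimately appears as a prefix of several ad-unit values, so it is matched on the `<publisher>/` boundary.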
Next, the malware checks whether the network connection is active. If so, it tries to load three parameters from its SharedPreferences. On first launch (when SharedPreferences is still empty), it obtains the following three parameters and saves them there:
● “u” => URL (URL to be sent in the SMS)
● “t” => text (text body to be sent in the SMS)
● “n” => total (the number of contacts to send SMS to)
Afterwards, it calls a method named "lunxun()" (a transliteration of the Chinese word for "polling"). On the malware's first launch, this method scans the contact list and randomly selects at most n phone numbers. Otherwise it sets an alarm to repeatedly wake itself up and send the text and URL to those randomly selected contacts.
The spamming SMS follows this phishing formula:
“XXX (victim’s name, obtained from the contact list) Is this your photo? (spamming text) http://url7[.]me/tiNk1 (shortened spamming URL).”
The spamming text plays on contacts sharing and viewing photos of each other, tricking the randomly selected contacts into downloading and installing the malware by clicking the URL above, which spreads it further. The malicious domain hosting the above URLs has since been taken down.
To evade detection, the malware's activity stays disabled (so the app icon also remains hidden) even after the victim reboots the device. However, because the user launched the app once, Android allows the recurring alarm to keep waking up the malware's receiver to send SMS messages and serve ads.
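The SMS behaviour described above (the same shortened URL sent to many different contacts, one message every eight seconds, in the "<name> <text> <url>" formula) is what a defender would look for in outbound-message telemetry. The script below is an added example, not FireEye's code: it parses a constructed outbound-SMS log format, groups messages by the URL they carry and alerts on bursts to many distinct recipients at a steady short interval, or on a URL host already known from this campaign. The phone numbers and log lines are constructed; the URL is the one from the advisory, whose domain has been taken down.

```python
"""Flag outbound-SMS bursts that fit the worm's '<name> <text> <url>' formula
(editor-added example, not FireEye's code; log format and numbers are constructed)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed log format: "<ISO timestamp> OUT to=<number> body="<text>""
LOG_RE = re.compile(r'^(?P<ts>\S+) OUT to=(?P<to>\+?\d+) body="(?P<body>.*)"$')
URL_RE = re.compile(r"https?://\S+")

# Shortened-URL host from this campaign (the advisory defangs it as url7[.]me).
SUSPECT_HOSTS: Set[str] = {"url7.me"}


def parse_log(lines: List[str]) -> List[Dict]:
    """Parse the constructed log lines into events; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "to": m["to"], "body": m["body"]})
    return events


def find_sms_bursts(events: List[Dict], min_recipients: int = 3,
                    max_gap_seconds: float = 10.0,
                    suspect_hosts: Set[str] = SUSPECT_HOSTS) -> List[Dict]:
    """Group outbound messages by the URL they carry. Alert when one URL goes to at
    least min_recipients distinct numbers with every consecutive send no more than
    max_gap_seconds apart (the worm fires every eight seconds), or when the URL's
    host is already a known indicator."""
    by_url: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        for url in URL_RE.findall(e["body"]):
            by_url[url].append(e)
    alerts = []
    for url, evs in by_url.items():
        evs.sort(key=lambda e: e["ts"])
        recipients = {e["to"] for e in evs}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        max_gap = max(gaps) if gaps else 0.0
        known = urlparse(url).hostname in suspect_hosts
        burst = len(recipients) >= min_recipients and max_gap <= max_gap_seconds
        if burst or known:
            alerts.append({"url": url, "recipients": len(recipients),
                           "max_gap_s": max_gap, "known_host": known})
    return alerts


# Constructed sample: four worm-style messages eight seconds apart, then two benign ones.
SAMPLE_LOG = [
    '2014-11-20T10:00:00 OUT to=+6591230001 body="Alice Is this your photo? http://url7.me/tiNk1"',
    '2014-11-20T10:00:08 OUT to=+6591230002 body="Bob Is this your photo? http://url7.me/tiNk1"',
    '2014-11-20T10:00:16 OUT to=+6591230003 body="Carol Is this your photo? http://url7.me/tiNk1"',
    '2014-11-20T10:00:24 OUT to=+6591230004 body="Dave Is this your photo? http://url7.me/tiNk1"',
    '2014-11-20T11:30:00 OUT to=+6591230005 body="see you at 7, map: http://maps.example.com/x"',
    '2014-11-20T12:00:00 OUT to=+6591230006 body="ok"',
]

if __name__ == "__main__":
    for alert in find_sms_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Grouping on the URL rather than on the message text is deliberate: the worm prepends a different contact name to every message, so the body is never identical, while the shortened URL is the constant the campaign depends on. The known-host check catches a single message once the indicator is known; the rate check catches the pattern before it is.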
Suggestions
■ Never click on suspicious links from emails/SMS/websites. Although the domain has been taken down so that this malware sample will not work anymore, there are still lots of malware in the wild spread via spamming/phishing links.
■ Install a mobile security app that can detect and remove such malware immediately. FireEye Mobile Security products can detect such malware and remove it, or use FireEye Mobile Threat Prevention to scan suspicious apps.
Appendix: Malware Information and Domain Registration Information
Apk information
MD5: f6d3a35be0366eb994a0425a15871f5b
SHA256: 8a50fa660c0d926bc48552c93ebda7a3f1bd119d14b89714d22f04e4e2564df8
Package Name: com.android.mms20
Domain Information
Domain Name: 6868ANDROID.COM
Creation Date: 2014-11-13T09:30:00.00Z
Registrar Registration Expiration Date: 2015-11-13T09:30:00.00Z
Registrant Name: ZHUHAI JIANG
Registrant Street: QIXINGQUJINGXINGLU2HAO
Registrant City: GUILIN
Registrant State/Province: GUANGXI
Registrant Postal Code: 541000
Registrant Country: CN
Registrant Phone: +86.18256345289
Registrant Email: [email protected]