NEWS FROM THE LAB - Wednesday, June 1, 2011

Old Trojan Tricks on Android Posted by ThreatSolutions @ 02:58 GMT

We recently did an analysis on a trojan, AdSMS, that's been spreading for the last week or so and thought it might make an interesting contrast to the rash of trojanized Android apps that we've been seeing lately.

AdSMS is distributed via a malicious link in a spammed SMS message. The malware appears to be targeted to Android users in mainland China, as the SMS is faked up to look like it's from a major Chinese telecom network and the download link deliberately spoofs a domain name associated with the network.

AdSMS is promoted as an "update for a security vulnerability". Sounds like a throwback to the old Symbian trojans (e.g. Merogo and MapUp), which used this exact same distribution and social engineering strategy.

If the user clicks the link, the malware is downloaded. These are the permissions the trojan requests:


An update that needs to send SMS messages? Hopefully an alert user would notice that and suspect something's amiss.

Once installed, AdSMS doesn't add an icon for itself on the application menu; it just runs silently in the background. Users need to check the Setttings > Applications > Manage Applications menu to see if it's present, under the name "andiord.system.providers":

Again, an old trick, though in this case previously seen in mobile espionage suites such as Phone Creeper and Flexispy. Incidentally, once on the Manage Applications menu, users can uninstall the trojan as per a normal application.

Once installed, the trojan steals phone details, connects to a remote site to download more files. It also has the capacity to read, write and send SMS messages, much like the preceding Trojan:AndroidOS/Fakeplayer.A.

So there's nothing new about this trojan's tricks per se, but it's one of the first we've seen on the Android platform to try some of them.

Our Android security product detects this as Trojan:AndroidOS/AdSMS.A.

Threat Solutions post by — Irene