NEWS FROM THE LAB - Thursday, June 2, 2011

Quick Snapshot of Trojan:AndroidOS/AdSMS.B Posted by ThreatSolutions @ 09:24 GMT

Ever since we got wind of a variant of an AdSMS trojan with more aggressive functionalities making the rounds in various online forums, we've been on the lookout for more samples to analyze.

It hasn't been easy — there was a report of "more than 20 Android apps" being identified, but most of them seem to have been pulled out of circulation already. A lot of heavy forum trawling was required, which is a good thing for most users — it's not easy to get this trojan.

Analysis is still ongoing, but here are a few snippets based on the samples we have:

As before, the malware is a trojanized version of a legitimate app. For this sample, it was a paper toss game. For a simple game though, the permissions it requests are suspicious:


An alert user should be suspicious when a game says it needs to send SMS messages and read your personal information.

Once installed, the trojan is designed to prompt the user to "update" the program to a new version, with a "lightning update in 1 second" (?):

update request

Once updated, the device is restarted and the malware is successfully installed under "com.android.battery", though it lists itself as appsms.apk in the application folder.

The trojan contains a known exploit, rageagainstthecage, for gaining root access and will run four malicious classes as services in the background: Adsms.Service, SystemPlus, MainRun and ForAlarm.


Other functionalities appear to be as reported, though we'll be continuing analysis — and hunting for more samples. We will be detecting this as Trojan:AndroidOS/AdSMS.B.

Threat Solutions post by — Irene