We have just encountered a number of Android riskware applications that target subscribers in the China region.
The suspect applications cover a variety of topics, including horoscopes, farm and pet games/info and the Chinese calendar, to name a few. Below is a screenshot of the permissions requested by one of these applications:
However, some of the applications do not even look like what they claim to be and eventually crash (probably bad programming):
Before the application crashes, however (and usually right after it starts), it retrieves the phone's International Mobile Subscriber Identity (IMSI) number and then attempts to connect to a remote site:
It checks whether the phone's IMSI already exists on the remote site (at the time of writing, the remote sites were still accessible).
If the application isn't able to access the remote site, or the site somehow returns an error response, it will proceed to send out an SMS message.
The SMS-sending component first determines the phone's subscriber ID and then, depending on that value, selects the recipient number to which it sends the message.
The SMS body contains the following format:
• 99#[IMSI]#android#[app_specific_string]
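For triage, a defender mostly wants to recognise outgoing messages of this shape in SMS logs or sandbox output. The following is an added example, not code from the original post or from the riskware itself: it parses bodies against the format quoted above and flags hits. The sample bodies are constructed for the example, the 15-digit IMSI length is an assumption the parser enforces, and the use of MCC 460 (China's Mobile Country Code) to mark China-region subscribers is the example's own check, added because the post says those subscribers are the targets.

```python
import re

# Constructed sample SMS bodies for the example (not taken from the original post).
# Only the first one follows the format described for MobileTX.A.
SAMPLE_BODIES = [
    "99#460001234567890#android#horoscope_v2",
    "99#46000123456789#android#farmgame",        # IMSI has 14 digits: malformed
    "99#460019876543210#ios#chinese_calendar",   # platform tag differs: not this format
    "Your verification code is 123456",          # ordinary SMS
]

# Pattern for the body format given in the post: 99#[IMSI]#android#[app_specific_string].
# Assumption: the IMSI is exactly 15 digits (MCC 3 digits, MNC 2-3 digits, MSIN the rest).
MOBILETX_RE = re.compile(r"^99#(?P<imsi>\d{15})#android#(?P<tag>[^#]+)$")

# Mobile Country Code for China; the post says the targets are China-region subscribers.
CHINA_MCC = "460"


def parse_mobiletx_body(body):
    """Return the IMSI, its MCC and the app tag if `body` matches the format, else None."""
    m = MOBILETX_RE.match(body.strip())
    if m is None:
        return None
    imsi = m.group("imsi")
    return {"imsi": imsi, "mcc": imsi[:3], "app_tag": m.group("tag")}


def triage(bodies):
    """Flag SMS bodies that look like MobileTX.A messages.

    Each hit carries the parsed fields plus whether the embedded IMSI belongs
    to a China-region subscriber, the population the post says is targeted.
    """
    hits = []
    for body in bodies:
        parsed = parse_mobiletx_body(body)
        if parsed is not None:
            parsed["china_region"] = parsed["mcc"] == CHINA_MCC
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_BODIES):
        print(hit)
```

Run over the constructed samples, only the first body is reported; the malformed IMSI and the non-Android tag are rejected by the pattern, which keeps the rule from firing on unrelated traffic that happens to contain a 99# prefix.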
At the moment we are still investigating the implications of the application's behavior; this may or may not be another example of fraudulent SMS registration for services. Nevertheless, the fact that it automatically sends out an SMS containing the phone's IMSI without the user's awareness or consent is something that is not very desirable.
This is in addition to the possible charges incurred and the unwanted disclosure of the phone's number to the other party when the message is received.
We will detect these applications as Riskware:Android/MobileTX.A.
Updated to add: MD5 hash for the sample used for the screenshots in this post: