NEWS FROM THE LAB - Thursday, September 8, 2011

New Android Riskware Posted by ThreatSolutions @ 11:41 GMT

We have just encountered a number of Android riskware applications that target subscribers in the China region.

The suspect applications cover a variety of topics, including horoscopes, farm and pet games/info and the Chinese calendar, to name a few. Below is a screenshot of the permissions requested by one of these applications:

[Screenshot: Riskware:Android/MobileTX.A permissions]

However, some of the applications do not even look like what they claim to be and eventually crash (probably bad programming):

[Screenshot: Riskware:Android/MobileTX.A, force close dialog]

Before the application crashes, however (and usually right after it is launched), it retrieves the phone's International Mobile Subscriber Identity (IMSI) number, then attempts to connect to one of the following remote sites:

  •  http://mobile.tx.com.cn:[...]/client.[...].do
  •  http://mobile.tx.com.cn:[...]/client/[...].do

It checks whether the phone's IMSI already exists on the remote site (at the time of writing, the remote sites were still accessible).

If the application isn't able to access the remote site, or the site somehow returns an error response, it will proceed to send out an SMS message.

The SMS-sending component first determines the phone's subscriber ID, then, depending on the value retrieved, selects the recipient number to which the message is sent.

The SMS body contains the following format:

  •  99# [ IMSI ]#android#[ app_specific_string ]
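The following is an added example, not code from the original post or from F-Secure: a small Python detector that recognizes outgoing SMS bodies in the format described above and extracts the IMSI and app-specific string for triage. It assumes a hypothetical "recipient|body" log format for the sample outbox entries, and the recipient numbers, IMSIs and app strings in the sample are constructed values, not taken from the samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the SMS body described in the post:
#   99#<IMSI>#android#<app_specific_string>
# An IMSI is 14 or 15 decimal digits: a 3-digit mobile country code (MCC),
# a 2- or 3-digit mobile network code (MNC) and the subscriber number.
# Optional whitespace around the fields is tolerated so that minor
# formatting differences between samples do not defeat the match.
MOBILETX_SMS_RE = re.compile(
    r"^99#\s*(?P<imsi>\d{14,15})\s*#android#\s*(?P<app>[^#\s]+)\s*$"
)


@dataclass
class MobileTxBody:
    imsi: str
    mcc: str          # first three digits of the IMSI
    app_string: str


@dataclass
class MobileTxHit:
    recipient: str
    body: MobileTxBody


def parse_mobiletx_body(body: str) -> Optional[MobileTxBody]:
    """Return the parsed fields if the SMS body matches the MobileTX format, else None."""
    m = MOBILETX_SMS_RE.match(body.strip())
    if not m:
        return None
    imsi = m.group("imsi")
    return MobileTxBody(imsi=imsi, mcc=imsi[:3], app_string=m.group("app"))


def scan_sms_log(lines: List[str]) -> List[MobileTxHit]:
    """Scan 'recipient|body' log lines (hypothetical format) and return matching messages."""
    hits: List[MobileTxHit] = []
    for line in lines:
        if "|" not in line:
            continue  # skip malformed entries rather than fail the whole scan
        recipient, body = line.split("|", 1)
        parsed = parse_mobiletx_body(body)
        if parsed is not None:
            hits.append(MobileTxHit(recipient=recipient.strip(), body=parsed))
    return hits


# Constructed sample outbox: two messages in the MobileTX format, one ordinary
# message, and one near-miss with an IMSI that is too short to be valid.
SAMPLE_OUTBOX = [
    "10690000001|99#460001234567890#android#horoscope_cn",
    "13800000000|Hi, see you at 8",
    "10690000001|99#46000123#android#farm",
    "10690000002|99# 460011234567891#android#calendar.cn",
]


if __name__ == "__main__":
    for hit in scan_sms_log(SAMPLE_OUTBOX):
        print(f"to={hit.recipient} imsi={hit.body.imsi} mcc={hit.body.mcc} "
              f"app={hit.body.app_string}")
```

Run it directly to see the two matching entries printed with their IMSI, MCC and app-specific string; the ordinary message and the too-short IMSI are ignored. The same `parse_mobiletx_body` check can be dropped into an SMS-sending hook or an outbox audit to flag messages that leak the IMSI.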

At the moment, we are still investigating the implications of the application's behavior; this may or may not be another example of fraudulent SMS registration for services. Nevertheless, the fact that it automatically sends out an SMS containing the phone's IMSI without the user's awareness or consent is not desirable.

This is aside from the possible SMS charges incurred and the unwanted disclosure of the phone's number to the other party when the message is received.

We will detect these applications as Riskware:Android/MobileTX.A.


Updated to add: MD5 hash for the sample used for the screenshots in this post:

  •   60adc37a086caa8f53f2ce6b4d2a0c0b

Other samples:

  •   99dc3f2f0b5cd593ca1a388b419d9b69
  •   8d01bb974e06222948ed46bf68330fa9
  •   fa737722fa4eae53c399ba9c7e46d06e
  •   3f69ee38aad7cbf718d2620ce70c76b2

Threat Solutions post by Jessie, Irene and Yeh