NEWS FROM THE LAB - Thursday, August 22, 2013

Android Malware goes SMTP Posted by SecResponse @ 07:12 GMT

Before we get to thinking that nothing is new under the Android malware sun, we get a small but quite interesting surprise: an Android malware that connects to SMTP servers to send an e-mail.

Other than the SMTP usage, the malware is pretty vanilla. Upon installation, the application asks the user to activate device administrator so that it stays persistent on the mobile device. This threat does not add any icon to the application menu; the user would need to check the Application Manager to find the app masquerading as "Google Service".


After installation, the application collects sensitive user information such as the phone number, incoming and outgoing SMS messages, and recorded audio, and sends it to an e-mail address. To deliver the stolen data it uses SMTP servers, particularly smtp.gmail.com, smtp.163.com and smtp.126.com. I smell something very China-ish here…


Below is a screenshot of the threat's attempt to connect to an SMTP server:

[Screenshot: the threat connecting to an SMTP server]

This threat is usually downloaded from third-party Android markets or malicious websites. We first saw this malware family a month ago, and it has been active since. We already detect this threat as Trojan:Android/SMSAgent.C.
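The traits described above (a device-administrator receiver for persistence, SMS/phone/audio permissions, network access for SMTP, and a "Google Service" label on a non-Google package) can be triaged statically from a decoded AndroidManifest.xml. The following is an added example, not F-Secure's code or the sample's own; the manifest it parses is constructed for illustration.

```python
# Static triage heuristic for the behaviour described above. Added example,
# not F-Secure's code; the manifest below is constructed for illustration.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace prefix
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
THEFT_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
               "android.permission.READ_PHONE_STATE", "android.permission.RECORD_AUDIO"}

def triage_manifest(manifest_xml: str) -> dict:
    """Flag device-admin persistence + SMS/phone/audio access + network + Google lookalike."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    # A receiver handling DEVICE_ADMIN_ENABLED is how an app asks to become administrator.
    device_admin = any(a.get(A + "name") == DEVICE_ADMIN_ACTION for a in root.iter("action"))
    f = {
        "device_admin_receiver": device_admin,
        "data_theft_permissions": sorted(perms & THEFT_PERMS),
        "network_access": "android.permission.INTERNET" in perms,
        # A "Google ..." label on a package outside com.google.* is the masquerade seen here.
        "google_lookalike_label": "google" in label.lower() and not package.startswith("com.google."),
    }
    f["suspicious"] = device_admin and f["network_access"] and len(f["data_theft_permissions"]) >= 2
    return f

# Constructed sample manifest mirroring the post's description (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.svc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Google Service">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The heuristic is a triage aid for sorting sideloaded APKs, not a detection signature; legitimate MDM or backup apps can also combine device-admin with SMS access.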


SHA1: f04dff1859c9cf43260020b1e4dbbe979fe1bcc1

Post by — Swee Lai