An SMS Trojan was spotted in the Google Play marketplace, distributed via a series of wallpaper apps that may look legitimate at first glance but connect to a Dropbox account to download an additional package named “Activator.apk”.
On download, the package notifies the user that it’s about to install and that “services that cost you money” are about to be used. Although this is a one-time-only process, “Activator.apk” immediately prompts for its own uninstall after sending the premium-rate SMS messages, so that it can hide its existence.
The screenshot below illustrates how “Activator.apk” is downloaded from a Dropbox account:
Besides Symantec’s previously detected apps named “Super Mario Bros” and “GTA 3 Moscow City”, Bitdefender Labs has found three other apps that exhibit the exact same behavior. We’ve already notified Google that “com.tor.FIFAHDWallpapers”, “com.fff.FIFAHDWallpapers”, and “com.four.superMariowallpapers” should be taken down immediately because of their malicious nature.
Here’s a snapshot of one of the apps that we’ve asked Google to pull from the marketplace:
The Trojan identifies the mobile operator you’re subscribed to by matching two separate strings, “[bBeEeE]*” and “[mMtTsS]*”, and then sends the “DEF1773” SMS text to the “1518” and “770656” phone numbers respectively. If both operator strings are matched, the Trojan sends two premium SMS messages instead of one, to the “3170” phone number.
Below you’ll find the code used to identify the carrier, along with the phone numbers and text message used in the premium SMS scam:
Although the payload is limited to sending premium SMS messages, it raises the question of what else could be packed into the “Activator.apk” file if it were ever replaced with a more aggressive or intrusive Trojan.
The apps evaded the automated screening process put in place by Google because the malicious content is not in the submitted package at all: it is fetched from a remote location and downloaded at runtime. Multi-stage payloads are not uncommon in malware, although we’ve rarely seen them used in legitimate Android apps.
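The carrier-matching and SMS-sending behaviour described above, together with the runtime download of a second-stage APK, are the kind of indicators an analyst looks for when triaging a string dump from a decompiled app. The following is an added example (not the article’s or Bitdefender’s code): a small Python triage routine run over a constructed string dump that mirrors the indicators the article reports (the Dropbox URL is a placeholder, the short codes and message body are the ones quoted above, and the SMS API names are the standard Android ones).

```python
import re

# Constructed sample: strings as they might be dumped from a decompiled
# wallpaper app (not the real app's output). The indicators mirror those
# reported in the article: a remotely hosted Activator.apk, the operator
# patterns, the short-code destinations and the "DEF1773" message body.
SAMPLE_STRINGS = [
    "https://dropbox.example.invalid/u/1234/Activator.apk",  # placeholder URL
    "[bBeEeE]*",
    "[mMtTsS]*",
    "1518",
    "770656",
    "3170",
    "DEF1773",
    "android.permission.SEND_SMS",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "wallpaper_02.jpg",
]

SHORT_CODE = re.compile(r"^\d{4,6}$")            # premium short codes are 4-6 digits
REMOTE_APK = re.compile(r"^https?://\S+\.apk$", re.I)  # APK fetched at runtime
SMS_SEND = re.compile(r"SmsManager;->sendTextMessage|SEND_SMS")

def triage(strings):
    """Group the strings of a dump into the indicator categories we care about."""
    findings = {"remote_apk": [], "short_codes": [], "sms_api": []}
    for s in strings:
        if REMOTE_APK.match(s):
            findings["remote_apk"].append(s)
        elif SHORT_CODE.match(s):
            findings["short_codes"].append(s)
        elif SMS_SEND.search(s):
            findings["sms_api"].append(s)
    return findings

def verdict(findings):
    """SMS capability alone is normal; combined with short codes or a dropped APK it is not."""
    sms = bool(findings["sms_api"])
    if sms and findings["short_codes"] and findings["remote_apk"]:
        return "suspicious: multi-stage premium-SMS pattern"
    if sms and findings["short_codes"]:
        return "suspicious: premium-SMS pattern"
    if findings["remote_apk"]:
        return "review: downloads an APK at runtime"
    return "no indicators"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_STRINGS)))
```

A legitimate wallpaper app has no reason to hold SEND_SMS together with bare 4-6 digit numbers and a runtime-fetched APK, which is why the combination, rather than any single string, drives the verdict.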
Thus a Dropbox account is used to disseminate malware through apps that have already been approved by Google’s marketplace. This raises serious security issues, as seemingly legitimate applications are piggybacked and used for nefarious purposes. To stay safe, don’t forget to use mobile security software.
NOTE: Following our notification, Google pulled from the Google Play marketplace the three new apps that we’ve detected as exhibiting the same behavior.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
This article is based on the technical information provided courtesy of Ioan Lucian STAN, Malware Researcher.