SMS Malware in Google Play Marketplace

An SMS Trojan was spotted in the Google Play marketplace, distributed via a series of wallpaper apps that may look legitimate at first glance but connect to a Dropbox account to download an additional package named “Activator.apk”.

On download, the package notifies the user it`s about to install and that “services that cost you money” are about to be used. Although it`s a one-time-only process, the “Activator.apk” immediately prompts for uninstall after sending the premium rated SMS messages so it can successfully hide its existence.

The screenshot below illustrates how “Activator.apk” is downloaded from a Dropbox account:

Beside Symantec’s previously detected apps named “Super Mario Bros” and “GTA 3 Moscow City”, Bitdefender Labs has found three other apps that exhibit the exact same behavior. We`ve already notified Google that “com.tor.FIFAHDWallpapers, “com.fff.FIFAHDWallpapers”, and “com.four.superMariowallpapers” should be taken down immediately because of their malicious nature.

Here`s a snapshot of one of the apps that we`ve asked Google to pull from the marketplace:

The Trojan acts by identifying the current mobile operator you`re subscribed to by matching two separate strings “[bBeEeE]*“ and “[mMtTsS]*“ and then it sends the “DEF1773″ SMS text to the “1518”, respectively “770656” phone numbers. If both operator strings are matched, the Trojan sends two premium SMS messages instead of one to the “3170” phone number.

Below you`ll find the code used to identify the carrier along with the phone numbers and text message used in the premium SMS scam:

Although the payload is limited to sending premium SMS messages, it raises the question of what else could be packed in the “Activator.apk” file if it should ever be replaced with a more aggressive or intrusive Trojan.

The apps avoided the automated screening process set in place by Google by allowing remote content to be accessed and downloaded. Multi-stage payloads are not uncommon, although we`ve rarely seen it used in legitimate Android apps.

Thus a Dropbox account is used to disseminate malware through apps that have already been approved by Google`s Marketplace. This raises serious security issues as seemingly legitimate applications are piggybacked and used for nefarious purposes. To stay safe, don’t forget to use mobile security software.

NOTE: Following our notification, Google pulled from the Google Play marketplace the three new apps that we’ve detected as exhibiting the same behavior.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the technical information provided courtesy of Ioan Lucian STAN , Malware Researcher.