The majority of Android malware continues to target Android devices that permit the installation of apps from outside the official Google Play Store. Often, the malicious Android apps are delivered via third-party app stores, but we also see rogue apps delivered directly from malicious sites. Recently, we came across a fake porn site which is serving a Chinese SMS Trojan.
baidu-google{-}sogou-soso-360-qq.lrh6.com/cdn/index.html?l{}=banmeng&uid=3002&t=ar
[Screenshot: Malware payload]
The above screenshot shows the malicious APK file being downloaded following user acceptance. When a user visits the page and attempts to view a video, they are prompted to install an app. The user is socially engineered into believing that installing the app is necessary to view the video, but in doing so they are actually installing the malicious app that will carry out SMS fraud.
File Info:
Name: GA2161.apk
Size: 0.9 MB.
Package name: iickcf.ndakik.feockk.gcahbp.oefdnc.omeonn
Interestingly, the payload filename is dynamically generated and will change with each new download. This is likely an attempt to bypass basic blocking of a known malicious app name.
[Screenshot: Changing APK names]
Upon successful infection, the following icon is visible to the end user on their mobile phone:
[Screenshot: Icon of installed malware]
The malware then declares a Broadcast Receiver, which is registered to intercept all future SMS messages received by the user. The received message is analyzed by the malware to determine who sent it. Once the sender's identity is confirmed, it parses the content of the received message and matches it against certain hardcoded message strings, as seen below:
[Screenshot: Receives SMS]
The following is the list of hardcoded Chinese message strings and their English translations:
[Screenshot: Hardcoded message strings]
[Screenshot: Translated Chinese message strings (Credit: Google)]
The intention of the malware author is clear from these message strings. The app generates fraudulent transactions from an infected device by purchasing on-demand videos and premium SMS services controlled by the attacker. SMS messages are generated by the app to initiate a purchase. The app then monitors incoming SMS messages to identify the purchase validation message, which must be answered correctly in order to complete the transaction. When the validation message has been intercepted, it is parsed and matched against the hardcoded strings in the screenshot above to determine and submit the appropriate response. Once this occurs, the transaction is complete and the victim is charged by their mobile provider.
[Screenshot: SMS Trojan fraud cycle]
[Screenshot: SMS send function]
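The send-then-intercept pattern described above (a receiver registered for incoming SMS, combined with permission to send SMS) is visible in an APK's manifest before any dynamic analysis. The following script is an added example for triaging a decoded AndroidManifest.xml; it is not code from the original post or from the Trojan. The two manifests embedded in it are constructed samples, not the decoded manifest of GA2161.apk, and the priority threshold of 1000 is an assumed heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that, in combination, enable the purchase / validation fraud cycle.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate purchases)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (validation messages)",
    "android.permission.READ_PHONE_STATE": "can read IMSI / carrier information",
}

# Constructed sample manifests (not the decoded manifest of the real sample).
TROJAN_LIKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sample.trojan.like">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sample.video.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".PlayerActivity"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return findings and a verdict for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    granted = {android_attr(p, "name") for p in root.iter("uses-permission")}
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in granted:
            findings.append("permission %s: %s" % (perm, why))

    intercepts_sms = False
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            intercepts_sms = True
            note = "receiver %s registered for SMS_RECEIVED" % android_attr(receiver, "name")
            prio = android_attr(flt, "priority")
            if prio is not None and int(prio) >= 1000:  # assumed heuristic threshold
                # A very high priority lets the receiver see the SMS before the
                # default messaging app; on pre-KitKat Android it could also abort
                # the broadcast so the user never sees the validation message.
                note += " at priority %s (sees SMS before the default messaging app)" % prio
            findings.append(note)

    pattern = intercepts_sms and "android.permission.SEND_SMS" in granted
    if pattern:
        findings.append("send + intercept combination matches the SMS Trojan fraud cycle")

    return {"package": root.get("package"), "findings": findings,
            "sms_trojan_pattern": pattern}


if __name__ == "__main__":
    for text in (TROJAN_LIKE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        verdict = "SUSPICIOUS" if result["sms_trojan_pattern"] else "no SMS fraud pattern"
        print(result["package"], "->", verdict)
        for finding in result["findings"]:
            print("  -", finding)
```

A decoded manifest can be obtained from an APK with apktool or aapt; the script flags the combination rather than any single permission, since legitimate messaging apps legitimately hold RECEIVE_SMS or SEND_SMS on their own.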
The malware also reads the International Mobile Subscriber Identity (IMSI) to determine the location of the device as well as its service provider, as seen below:
[Screenshot: Checks for IMSI]
After a successful SMS send operation, the app submits a POST request to its Command & Control (C2) server 'msg-web.pw' on port 8456.
[Screenshot: Post request]
The app sends the following information to the C2 server:
[Screenshot: Post request capture]
We were able to observe portions of the C2 server panel used by the malware author due to a lack of authentication applied to specific web pages. The administration panel used to manage the Trojan can be seen in the screenshots below:
[Screenshot: C&C Panel Login]
[Screenshot: C&C Panel Actions]
It also sends the same information to the IP address 115.28.252.178, which appears to be an alternate C2 server for the same Trojan:
[Screenshot: Portal 3]
[Screenshot: Post request]
The malicious app then sends a POST request checking for updates and in response, receives a URL pointing to a JAR file named "firstpay_v7.0.jar" as seen below:
[Screenshot: Jar file location]
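The network indicators in this post (the delivery domain lrh6.com, the C2 host msg-web.pw on port 8456, the alternate C2 IP 115.28.252.178 and the update payload firstpay_v7.0.jar) are enough to spot an infected handset from a web proxy log. The script below is an added example of that detection logic; it is not part of the original post. The log lines it processes are constructed, the "timestamp client method url status" log format is assumed, and the hostname video.lrh6.com is a made-up subdomain rather than the one observed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the post: delivery domain, C2 host and port,
# alternate C2 IP and the update JAR filename.
C2_HOSTS = {"msg-web.pw", "115.28.252.178"}
C2_PORT = 8456
DELIVERY_DOMAINS = {"lrh6.com"}
UPDATE_ARTIFACTS = {"firstpay_v7.0.jar"}

# Constructed proxy log lines (assumed format: timestamp client method url status).
# video.lrh6.com is a made-up subdomain of the delivery domain.
SAMPLE_LOG = """\
2013-10-01T12:00:01Z 10.0.0.5 GET http://video.lrh6.com/cdn/index.html 200
2013-10-01T12:00:03Z 10.0.0.5 GET http://cdn.example.org/video.mp4 200
2013-10-01T12:00:10Z 10.0.0.5 POST http://msg-web.pw:8456/ 200
2013-10-01T12:00:11Z 10.0.0.5 POST http://115.28.252.178/ 200
2013-10-01T12:00:15Z 10.0.0.9 GET http://www.example.com/ 200
2013-10-01T12:00:20Z 10.0.0.5 GET http://update.example.net/firstpay_v7.0.jar 200
2013-10-01T12:00:25Z 10.0.0.9 POST http://msg-web.pw/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def host_matches(hostname, domains):
    """True if hostname equals one of the domains or is a subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def classify(method, url):
    """Return a reason string if the request matches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS:
        reason = "%s to C2 host %s" % (method, host)
        if parts.port == C2_PORT:
            reason += " on C2 port %d" % C2_PORT
        return reason
    if host_matches(host, DELIVERY_DOMAINS):
        return "visit to APK delivery domain %s" % host
    filename = parts.path.rsplit("/", 1)[-1]
    if filename in UPDATE_ARTIFACTS:
        return "download of update payload %s" % filename
    return None


def scan_proxy_log(text):
    """Return (alerts, per-client summary) for a block of proxy log lines."""
    alerts = []
    by_client = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        reason = classify(m["method"], m["url"])
        if reason:
            alerts.append({"ts": m["ts"], "src": m["src"], "reason": reason})
            by_client[m["src"]].append(reason)
    return alerts, dict(by_client)


if __name__ == "__main__":
    found, per_client = scan_proxy_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["src"], a["reason"])
    for client, reasons in per_client.items():
        print("%s: %d indicator hit(s)" % (client, len(reasons)))
```

The per-client summary is the useful output for incident response: a handset that hits the delivery domain, then posts to the C2 hosts, then fetches the update JAR has almost certainly completed the whole infection chain, while a single hit on the C2 host without a port match may only warrant a closer look.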
This JAR file contains a DEX file that can be loaded and executed on the infected mobile device, as seen below:
[Screenshot: Dex execution]
Below you can see the warning message displayed by the phone when sending an SMS message which may incur additional charges.
[Screenshot: Money warning]
Conclusion
This malware is yet another addition to the Android SMS Trojan family. It scams the user by purchasing subscriptions for porn services and on-demand videos and by sending premium-rate SMS messages. SMS fraud remains the most common form of monetization that we see with malicious mobile apps, and it is almost exclusively a problem on the Android platform. One simple yet effective defense involves restricting app installation to reputable app stores such as those operated by Google and Amazon.
Research & Analysis by Viral and Shivang.