Malware Alert: SMS Trojan Masquerading as Retail Coffee Chain App
12.05.2013 20:03
Over the past months, Avira malware analysts have detected an alarming rise in the number of malware samples designed specifically for Android users. Previously ignored, Android users, and perhaps more specifically Google Play customers, are becoming the favourite target of malware authors.
In light of this, Avira’s malware lab has stepped up its Android malware monitoring and has recently discovered a Korean-based SMS Trojan that hijacks SMS messages and forwards them to the author who then publishes those personal communications on a public website!
The malware is designed with an icon that looks nearly identical to a famous retail coffee chain’s easily recognizable logo. The app claims to offer coupons, but don’t be fooled: it is malware.
Here is how to tell if the app is fake.
1. If the user clicks the familiar application icon, a pop-up window displays this message:
This fake error message creates a false sense of security by claiming that the server is overloaded and unable to process the request right now. Only a legitimate app would give such a message, right? In fact, that is just a clever social engineering trick. Don’t be fooled.
2. Once the message has been displayed, the application initiates a process that runs hidden in the background. The process then sends the user’s mobile number to a backend application running on the malware author’s webserver.
The URL:
hxxp://itxxxxxx.com/Android_SMS/installing.php
3. This next picture illustrates the process gathering mobile numbers and submitting them to the attacker’s own website.
4. As mentioned, the application can now monitor all the mobile phone’s incoming and outgoing SMS messages and forward them to the following address:
hxxp://itxxxxxx.com/Android_SMS/receiving.php
5. All the intercepted and stolen SMS messages and their originating phone numbers are posted to the aforementioned URL using “EUC-KR” character encoding, as shown in the following picture:
6. To make matters worse, the malicious application blocks future incoming SMS messages and notifications. So the malware victim will not receive new SMS messages and will remain unaware that their phone has been infected.
The following picture shows the application code responsible for the incoming message theft:
7. So far, the malicious application has only affected numbers with the Korean international calling code “+82”. Currently we have no reports of the code affecting any other regions.
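A defender-side triage check for the behaviour described in steps 4 and 6, as an added example that is not code from the original alert or from Avira: it flags a decoded AndroidManifest.xml that combines SMS receipt and network access with an SMS_RECEIVED receiver registered at a very high priority, which is the usual way an app of that Android era runs ahead of the stock messaging app and suppresses the broadcast (an assumption about the mechanism, since the alert only shows the effect). The manifest below is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest mirroring the profile described in the alert:
# an SMS receiver at maximum priority plus INTERNET permission for exfiltration.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecoupon">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return the SMS-interception indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    max_priority = None
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_ACTION in actions:
            prio = int(flt.get(ANDROID_NS + "priority", "0"))
            max_priority = prio if max_priority is None else max(max_priority, prio)
    findings = {
        "receives_sms": "android.permission.RECEIVE_SMS" in perms,
        "has_internet": "android.permission.INTERNET" in perms,
        "sms_receiver_priority": max_priority,
    }
    # A receiver that outranks the stock messaging app (priority above 1000)
    # together with network access matches the behaviour in steps 4 and 6.
    findings["suspicious"] = (
        findings["receives_sms"] and findings["has_internet"]
        and max_priority is not None and max_priority > 1000
    )
    return findings


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A priority hit alone is not proof; it is a triage signal that tells an analyst which APKs deserve a look at the receiver code, as the alert's own screenshots do.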