If The Droid Gets The (China’s) Flu

Last Updated on May 14, 2011

The thought of this night is dedicated to yet another couple of android malwares detected (as usual) in China.

It was a bit of time that the droid was not sick, however, as the change of season is often fatal to humans, so it is for the Androids which caught two new infections in few days.

On May, the 11^th, it was the turn of a new Trojan embedded, once again as in the case of the notorious DroidDream (but I’d rather say that malware is becoming a nightmare for the Google Creature) in official applications inside the Android Market. All the applications were published by the same developer, Zsone, and were suddenly removed by Google.

The Trojan, which affects Chinese users, is characterized by the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. QQ codes, used primarily in China, are a form of short code that can subscribe users to SMS update or instant message services. The malware was embedded in 10 apps by the developer named Zsone available on the Android Market and alternative markets.

Once the user starts the app on their phone, the app will silently send an SMS message to subscribe the user to a premium-rate SMS service without their authorization or knowledge. This may result in charges to the affected phone owner’s mobile accounts. Even if the threat affects Chinese Android phone owners who downloaded the app from the Android Market, the total number of downloads attributed to this app in the Android Market has appeared to be under 10,000. All instances of the threat have been removed from the market.

On May, the 12^th, it was the turn of ANDROIDOS_TCENT.A, discovered by Trend Micro. This malware, which only affects China Mobile subscribers (the state-owned service provider considered the world’s largest mobile phone operator), arrived to users through a link sent through SMS, whose message invited the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually led to a malicious file (fake AV have landed on mobile devices as well).

The malware is capable to obtain certain information about the affected devices such as IMEI number, phone model, and SDK version and connects to a certain URL to request for an XML configuration file.

Two very different infections, having a common origin from China: the first example emphasizes once again the breaches into the security and reputation model of the Android Market. The second one features a well established infection model who is rapidly gaining credit (and victims) also in the mobile world: the SMS phishing. I think we will often hear speaking about in the next months.

The two malware infections came a couple of days after the Malicious Mobile Threats Report 2010/2011 issued by Juniper Networks which indicated a 400% increase in Android malware since summer 2010 and other key findings, several of which were clearly found in the above mentioned infections:

App Store Threats: That is the single greatest distribution point for mobile malware is application download, yet the vast majority of smartphone users are not employing an endpoint security solution on their mobile device to scan for malware;
Wi-Fi Threats: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
17 percent of all reported infections were due to SMS trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
Device Loss and Theft: according to the author of the report: 1 in 20 among the Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued

Will it also be for these reasons that Smartphone security software market is expected to reach $2.99 billion by 2017? Maybe! Meanwhile I recommend to be very careful to install applications from parallel markets and in any case (since we have seen that this is not enough) to always check the application permissions during installation. Moreover, do not forget to install a security software if possible as the 23% of the droid users (among which there is me) does.