When your purchase a mobile device, you expect the device to be free of digital threats, clear of virues, and otherwise safe to use. According to aG Data Mobile Malware Report for Q2 of 2015, more than 20 smartphone models were identified to contain modified or manipulated versions of common apps such as Facebook:
What are we dealing with here?
The modified apps contained additional functions, making them potentially harmful or malicious. Examples of added behavior included:
- Accessing the Internet
- Acquire and send SMS content
- Install apps
- Access, store, and modify call data and data about the smartphone
- Access the list of contacts
- Obtain GPS location data, and other functions
By allowing the above listed behavior, a remote attacker could use the modified app to do any of the following:
- Help obtain location information
- Record phone calls
- Make app store purchases
- Initiate wire fraud
- Send premium SMS messages, and a lot more
So far, there are two threat families involved with the G Data research:
This begs the question – how is malware installed on the mobile device? The answer may surprise you – “middle-men”. G Data offers that the logical explanation to getting malware installed is the use of middle men that write apps to the firmware, or device ROM.
In China, some low-end mobile devices are sold at a low cost. The device manufacture makes money not only from the consumer, but also from developers – the developers pay manufacturers to install their apps. This practice illustrates a “grey industry” in China.
Customized ROM (firmware) is not difficult to acquire. Also, in order to take advantage of the financial gains involved in distributing malware via the grey industry, some companies dump the ROM from an official device, add or modify the apps in the ROM, then burn a new ROM to the device. The ROM can be distributed on forums as well. This could prove enticing to a consumer that searches the Internet for the newest “features” and “updates” for their device.
We took a look at a sample of the malware Andup to learn more about its behavior. The sample we analyzed was a modified version of the social app Facebook. It included other features not found in the official version, for example, to take a record of which applications are currently installed on the device. The trojan contains another function to download and install 3rd party apps via a command & control mode.
One major hint that the app wasn’t legit was the developer’s certificate indicated it is not from Facebook, but from a company called “易连汇通”, or ElinkTek. This company is known to produce low-end Android tablets based on MTK resolution (1280 x 800).
The UUPay Trojan supports the following actions:
- Connect to remote servers s.fsptogo.com and s.kavgo.com
- Silently download and install apps
- Get Device ID info
- Get browser history
- Get logcat info and upload to a remote website
- Support C&C
There were symptoms to help identify the various spyware and malware:
In almost every variant that the G DATA security experts have analyzed, the app has been poorly programmed and harbours an enormous security risk. Sensitive data are largely sent unencrypted or with a hardcoded key that can be easily decrypted. Thus, even other attackers can steal data or take control of the malware. In addition, none of the examined samples checks in advance whether it exchanges data with the correct server. In this case Man-in-the-middle-attacks could be easily implemented.
Mobile device owners might check their application manager occasionally to help identify if new applications were installed without consent.
We echo G Data’s recommendation that consumers research mobile devices prior to purchasing, and to install mobile security software. Some questions to consider prior to purchasing:
- Does the seller of the mobile device offer support?
- Have there been reports of unexpected behavior with the device?
With regard to the second question, examples of unexpected behavior can include extremely poor performance, a slow user interface, numerous advertisements, or the automatic installation of other apps. A quick Internet search returned results on removing the Trojans manually, which is not recommended for the non-techie.
If you determine that your mobile device has been compromised, there are mainly two choices; contact the manufacturer for assistance on replacing the device ROM (firmware), or abandon using the compromised device.
We also give special thanks to G Data for their helpful contributions.
0xID Labs, and Min (Spark) Zheng & Xun Di of Alibaba Mobile Security Team