Print 13 comment(s) - last by JimmiG.. on Aug 12 at 3:29 PM

Malware stops its fraud after one run to avoid raising suspicion

Some Android users have found themselves the victim of perhaps the first full-fledged Trojan to hit the system.  Our story on the trojan yesterday drew a great deal of attention, so we decided to dig into this one a bit deeper.

A reader -- Jon Oberheimer -- founder of security startup Scio Security and Ph.D candidate at the University of Michigan, writes us that he obtained the dreaded Android trojan, disassembled it, and posted an analysis in gory detail.

From his results it's readily apparent that the effort is amateurish, but slightly clever.  The program bears a great deal of similarity to the "HelloWorld" tutorial hosted by Google for aspiring developers.  It even prints a string "Hello Android from NetBeans".

When the MoviePlayer activity of the app fires up, it triggers the app's onCreate event.  This event checks an SQLite database with a single table and column to see if a string "was" was previously written.  Here comes the (
sort of) clever part -- on the malware's first run, after accomplishing its ill objectives it writes the string to the database.  That way on subsequent runs, the string is detected and the program merely exits without continuing the attack.  By doing as such, it's able to keep a low profile and its evil actions might escape notice.

Returning to the actions themselves, assuming it's the first time the app has been run, the app tries to broadcast an SMS text message to premium Russian text numbers -- "3353" and "3354" with a numeric message.  Meanwhile it displays to the user Russian text that translates to "Wait, seeking access to video library..."

What's more, as Mr. Oberheimer aptly points out, the premium texts should only go through in Russia.  U.S. users likely won't incur toll charges from the attack.  Of course similar trojans 
could be employed in the U.S. in the near future, so beware.

Also, the user has to physically download, install, and approve the permissions on the app.  This much relies on the Russian tricksters advertising the app as a "media player".  A number of people (in Russia) reportedly 
did fall for this, completing these steps.  The final step is that the users have to open (run) the application.  Again, a number of users apparently fell for this.

Basically the only mistake Google made in this case, in terms of security, was overestimating users' ability to handle their own security policies.  Most Android users are in the U.S. and China (less than 1 percent are in Russia), so fortunately in this case a minimal number of people appear to have been affected by their membership in the security-ignorant masses.

From this information, it's clear that the threat to savvy American users (or international ones) is minimal.  Just be sure not to install strange apps.  And if you suspect that an app may not be what it purports to be, notify Google and your carrier immediately, so you can be refunded in the case of malicious activity.

Android isn't the only platform to be hit by similar schemes.  Owners of jailbroken iPhones have been hit by worms in the past -- some mere pranks, others malicious.

Thanks, Jon for the email about your analysis!

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Humans are the weakest link
By JimmiG on 8/12/2010 3:29:06 PM , Rating: 2
Yeah, you could create a completely locked down system so instead of "Are you sure?" prompts, you simply remove all dangerous options and settings from view. But the definition of "dangerous" can be pretty broad. Should users even be allowed to modify files they've created? If you give an image editor the power to change user images, you also give it the power to remove or destroy them, for example.

Locking the system down is kind of what Apple are doing with iOS, which is great for some people but a real annoyance to others. At least the complex (in most cases) jailbreaking procedure helps protect dumb users from themselves.

Some (not all) carriers disable the option to install from unknown sources, so if you got your Android phone from a carrier on a contract, the option may not be there.

"We are going to continue to work with them to make sure they understand the reality of the Internet.  A lot of these people don't have Ph.Ds, and they don't have a degree in computer science." -- RIM co-CEO Michael Lazaridis

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Yahoo Hacked - Change Your Passwords and Security Info ASAP!
September 23, 2016, 5:45 AM
A is for Apples
September 23, 2016, 5:32 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki