While going through our regular (and never-ending) supply of malicious Android samples, we came across an interesting variant a couple of days back. Like most Android Trojans these days, this malware profits by sending SMS messages from the victim's phone, monitoring incoming SMS messages and selectively blocking some of them.
This particular variant, however, has earned a notorious reputation by infecting 500,000 Android users in China.
The Trojan comes in the form of wallpaper application package files (APKs), detected as Android/SMSZombie.A!tr, that carry the malicious package inside them as one of the package assets.
The inner malicious package is misleadingly named a33.jpg, as if it were an image file, but is in fact an APK. We detect it as Android/SMSZombie.B!tr.
The package has some interesting and unique features:
* It is named 'android.phone.com', which is easily confused with com.android.phone, the legitimate Android telephony package, and can go unnoticed by the untrained eye.
* It clears the device log buffer with 'logcat -c', making analysis of the Trojan a little harder.
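As an added illustration (not code from the original post, and not the malware's own code), the following Python script performs the two static checks the description above suggests: it opens a wallpaper-style APK and flags any asset whose extension claims an image but whose bytes are a ZIP archive carrying an AndroidManifest.xml (the a33.jpg trick), and it flags a package name whose dotted components are merely a permutation of a well-known system package (android.phone.com versus com.android.phone). The sample APK is constructed in memory with placeholder manifest and dex contents so the script runs offline, and the list of system packages to compare against is an assumption, not something the post provides.

```python
import io
import zipfile
from typing import List, Optional

# An APK is a ZIP archive, so a "JPEG" whose bytes start with PK is not an image.
ZIP_MAGIC = b"PK\x03\x04"
JPEG_MAGIC = b"\xff\xd8\xff\xe0"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# Assumed list of system packages worth a lookalike check (not from the post).
SYSTEM_PACKAGES = ("com.android.phone", "com.android.settings", "com.android.systemui")


def build_sample_apk() -> bytes:
    """Constructed sample: an outer 'wallpaper' APK whose assets hide a second APK
    as a33.jpg. Manifest and dex contents are placeholders; only the container
    layout matters for the check."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("assets/wallpaper1.jpg", JPEG_MAGIC + b"\x00" * 64)  # looks like an image
        z.writestr("assets/a33.jpg", inner.getvalue())                  # the hidden APK
        z.writestr("assets/readme.txt", b"wallpapers")
    return outer.getvalue()


def find_disguised_apks(apk_bytes: bytes) -> List[str]:
    """Return asset paths whose extension claims an image but whose content is a ZIP
    archive containing an AndroidManifest.xml, i.e. a nested APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if not name.startswith("assets/") or not name.lower().endswith(IMAGE_EXTS):
                continue
            data = outer.read(name)
            if not data.startswith(ZIP_MAGIC):
                continue  # not a ZIP, so at least not an APK
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" in inner.namelist():
                        hits.append(name)
            except zipfile.BadZipFile:
                pass  # PK header but not a valid archive: not an APK either
    return hits


def lookalike_system_package(pkg: str) -> Optional[str]:
    """Return the system package whose dotted components are a permutation of pkg
    (android.phone.com -> com.android.phone), or None if there is no such lookalike."""
    parts = sorted(pkg.split("."))
    for sys_pkg in SYSTEM_PACKAGES:
        if pkg != sys_pkg and sorted(sys_pkg.split(".")) == parts:
            return sys_pkg
    return None


if __name__ == "__main__":
    sample = build_sample_apk()
    print("nested APKs disguised as images:", find_disguised_apks(sample))
    print("lookalike of:", lookalike_system_package("android.phone.com"))
```

Checking the magic bytes rather than trusting the extension is the whole point: a file listing of the outer APK shows nothing but wallpapers, and only reading the asset reveals the second archive. The inner-manifest test avoids flagging ordinary ZIP data that an app legitimately ships under an odd name.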
Most interestingly, the variant contains a Device Administration Receiver (a receiver through which the system grants an application device-administration privileges) that, once activated by the victim, makes uninstalling the malware particularly tricky. On opening the wallpaper application for the first time, the victim is shown the prompt seen in Fig 1, asking to activate a device administrator.
* Clicking on **'Cancel'** merely reloads the prompt, so the user is forced to either activate the receiver or exit the application.
* If the user clicks on **'Activate'**, all subsequent attempts to uninstall the application or to deactivate the Device Administration Receiver fail and send the user back to the phone's main menu.
This functionality is implemented by the service mService, as seen in Fig 2, which watches the device log for certain keywords.
Fig 2 : Anti-uninstall functionality implemented in mService
As the screenshot shows, the malware monitors the log, and each time the user tries to
* view/edit the installed application settings,
* delete the package,
* view/edit the Device Administrator settings, or
* run the Chinese anti-virus software Qihoo 360,
the user is sent back to the phone's main menu.
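To make concrete what "watching the log for certain keywords" means, here is an added Python reconstruction of that decision logic, run over a constructed logcat excerpt. It is not the malware's code and not from the original post. The component names it watches (InstalledAppDetails, UninstallerActivity, DeviceAdminAdd, DeviceAdminSettings and Qihoo 360's com.qihoo360 package prefix) are the standard Settings and package-installer activities of the Android 2.x/4.0 era and are assumptions: the strings SMSZombie actually matches are only visible in Fig 2 and are not quoted here. The log lines are made up for the example and only approximate the ActivityManager format of that era.

```python
import re
from typing import List, Optional, Tuple

# Constructed logcat excerpt in the ActivityManager "Starting: Intent {...}" format of
# Android 2.x/4.0. These lines are made up for the example, not captured from the sample.
SAMPLE_LOGCAT = """\
I/ActivityManager(  179): Starting: Intent { act=android.intent.action.MAIN cmp=com.android.launcher/.Launcher } from pid 179
I/ActivityManager(  179): Starting: Intent { act=android.intent.action.MAIN cmp=com.android.settings/.Settings } from pid 312
I/ActivityManager(  179): Starting: Intent { cmp=com.android.settings/.InstalledAppDetails (has extras) } from pid 312
I/ActivityManager(  179): Starting: Intent { act=android.intent.action.DELETE dat=package:android.phone.com cmp=com.android.packageinstaller/.UninstallerActivity } from pid 312
I/ActivityManager(  179): Starting: Intent { cmp=com.android.settings/.DeviceAdminAdd (has extras) } from pid 312
I/ActivityManager(  179): Starting: Intent { act=android.intent.action.MAIN cmp=com.qihoo360.mobilesafe/.ui.index.AppEnterActivity } from pid 179
D/dalvikvm(  401): GC_CONCURRENT freed 212K, 8% free
"""

# Watch list mapping a component keyword to the user action it betrays. The component
# names are assumptions (standard Settings/package-installer activities of that era and
# Qihoo 360's package prefix); the strings SMSZombie actually matches are not quoted here.
WATCHED = (
    ("InstalledAppDetails", "view/edit installed application settings"),
    ("UninstallerActivity", "delete the package"),
    ("DeviceAdminAdd", "view/edit Device Administrator settings"),
    ("DeviceAdminSettings", "view/edit Device Administrator settings"),
    ("com.qihoo360", "run Qihoo 360"),
)

# cmp=<package>/<class>; the class may start with '.' and contain '$' for inner classes.
COMPONENT_RE = re.compile(r"cmp=([\w.]+/[\w.$]+)")


def component_of(line: str) -> Optional[str]:
    """Extract the started component from an ActivityManager line, or None."""
    m = COMPONENT_RE.search(line)
    return m.group(1) if m else None


def intercepted_action(line: str) -> Optional[str]:
    """Return the watched user action a log line reveals, or None if the malware
    would leave this activity alone."""
    cmp = component_of(line)
    if cmp is None:
        return None
    for keyword, action in WATCHED:
        if keyword in cmp:
            return action
    return None


def scan_logcat(text: str) -> List[Tuple[str, str]]:
    """Walk a logcat dump and list the (action, component) pairs that would trigger
    the 'send the user back to the main menu' reaction."""
    hits = []
    for line in text.splitlines():
        action = intercepted_action(line)
        if action is not None:
            hits.append((action, component_of(line)))
    return hits


if __name__ == "__main__":
    for action, cmp in scan_logcat(SAMPLE_LOGCAT):
        print(f"{action:45s} <- {cmp}")
```

Two practical consequences follow from this design. First, the same keyword list is a cheap triage signature: an APK whose strings contain "logcat" next to Settings and package-installer component names deserves a closer look. Second, the trick only works while the application can read other processes' log output at all, which is not the case on every Android version; the update at the end of this post is consistent with that.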
In order to uninstall the application, the victim must first deactivate the Device Administration Receiver, a procedure described in detail in this post by TrustGo. From all the tests I ran on the malware, I can easily say that finding that deactivation screen is neither obvious nor straightforward.
So finally, be careful what you click on. (Yes, that applies to mobile phones too now!)
Thanks to CryptoGirl and her crimefighting superhero experience for helping with the research on this one.
Update Sept 24, 2012: On recent versions of Android, Android/SMSZombie can be uninstalled by exiting the application (by pressing the 'Home' button) after deactivating the Device Admin Receiver. The code that prevents uninstallation seems to fail on some platforms. One plausible explanation, not verified here: since Android 4.1 the READ_LOGS permission is no longer granted to third-party applications, so a service that relies on reading other applications' log lines would simply see nothing.