Last weekend, it was reported in China that an SMS worm was wildly spreading among Android mobile phones, with more than 500,000 devices infected. The malware spread by sending SMS texts to a phone’s contacts with a message body such as:
XXX看这个,http://cdn.<removed>.com/down/4279139/XXshenqi.com
This malware is much more than just a worm. It is actually a worm plus a Trojan. The Trojan component resides in another install package in the original one.
Once the malware is installed, it checks whether the Trojan is installed. If not, it ask the user to install it.
After installing, the malware sends a text message to a control server phone number, which we believe belongs to the author of this malware, to let him know that a new victim is infected.
The installation then asks the user to input his or her ID and name, which will also be posted to the control number.
The Trojan monitors incoming SMS messages, forwards all incoming SMS messages to the control number, and executes the following commands:
- readmessage: Reads all SMS messages, and send them to the malware author’s mail address
- sendmessage: Sends messages to the number in the message body
- test: Sends a test message to the malware author
- makemessage: Makes a fake message, and inserts it into the inbox
- sendlink: Sends the user’s contact list to the malware author’s email address
With the user’s identity card number, real name, and SMS messages, the malware author is one step closer to stealing the user’s bank account information, hijacking an online trade, or even transferring money. In China, some banks allow customers to access their accounts with an identity card number and password.
We have seen two versions of this sample. The payloads are almost the same, except that the first one has no payload for spreading, no worm function. It appears the author wanted to infect more devices by adding the worm.
McAfee Mobile Security detects both of these threats as Android/XShenqi.A.
According to reports, the author of this malware is a college student who created this malware just to prove he can do something. Seems like a curious way to impress people.