ViRobot/HAURI

モバイル セキュリティ
Android/Spyware.Adsms.a
種類
Spyware
危険度/拡散度
/
発見日
[korea] 2011-05-12 [Foreign] 0000-00-00
Virobot対応
2011-05-12 [Able to detect & repair]

1. Summary
 

The malicious code targets to China Mobile users. This Adsms malicious code spreads out through a certain link in SMS and it infects devices by inducing users to install fake patch update.

2. File Information

 

File Name

htc.apk

MD5

eb067699a01dc477c359a95c1cdc3466

File Size

88,643 byte

3. Authority Information

android.permission.READ_SMS

android.permission.WRITE_SMS

android.permission.SEND_SMS

android.permission.RECEIVE_SMS

android.permission.RECEIVE_BOOT_COMPLETED

android.permission.ACCESS_NETWORK_STATE

android.permission.BROADCAST_PACKAGE_REMOVED

android.permission.BROADCAST_PACKAGE_ADDED

android.permission.ACCESS_WIFI_STATE

android.permission.CHANGE_WIFI_STATE

android.permission.WAKE_LOCK

android.permission.INTERNET

android.permission.WRITE_EXTERNAL_STORAGE

android.permission.READ_PHONE_STATE

android.permission.WAKE_LOCK

android.permission.DEVICE_POWER

android.permission.WRITE_APN_SETTINGS

 

 

4. Analysis

 

The following image shows the SMS that is used for distributing Adsms malicious code.
 

 

<A SMS that has malicious link>


Even if the malicious code is installed to device, the shortcut icon is not created in main screen, so for users, it is hard to notify if their device is infected or not.

 

 

<App information>


Adsms malicious code creates "v1.log" and "smsConfig.xml" files into SD card's Tencent folder.


<File information that is created in SD card>


The created smsConfig.xml file is downloaded from C&C server, and it has infected smartphone's IMEI information and premium rate number such as 1062, 1065, 1066. Also, it contains China Mobile's service number-10086- information in tags.

 

<Network packet information>


The following image shows the created v1.log file in SD card.

 

<v1.log file information>

 

 

 

Through the following codes, it is available to check a routine which creates URL to request config file to C&C server.
 

 

<URL routine>


Adsms malicious code collects IMEI number, Phone model, SDK version information through the following routine.

 

 

<Code for collecting information>

[How to repair]


It is available to repair by the latest engine of ViRobot Mobile for Android.