A few months ago, we blogged about an increasing trend of SMSer Trojans disguising themselves as popular browser applications, targeting users of smartphones with J2ME support. For the past few days, we have been observing a similar trend in our sample processing channels: an influx of SMSer Trojans posing as browser applications. However, this time they are targeting Android users.
So, what does it do?
Conceptually, these Android samples have the same functionality as the J2ME samples; only the implementation language has changed. To make a long story short, the sample disguises itself as popular browser software.
Fig.1: The permissions requested by the "app."
During installation, it sends SMS messages in the background, which can affect the user's mobile bill. Again, the sample uses no exploit to break into the device and send SMS without the user's permission. During installation, the user is clearly prompted that the application needs permission to send SMS, as illustrated in Fig.1.
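The permission prompt in Fig.1 is the one signal a user (or an analyst triaging a sample) gets before any message is sent. The following is an added example, not code from the original post or from the malware sample, of a small static check that pulls the `uses-permission` entries out of an AndroidManifest.xml and flags a browser-themed app that asks for SMS permissions. The manifest string is constructed for illustration; the package name, label and the keyword list are assumptions.

```python
"""Added example: flag SMS-sending permissions in an Android manifest.

Illustrative triage code, not tooling from the original post. The manifest
below is a constructed sample that mimics the permission set described in
the post: a 'browser installer' that asks for SEND_SMS."""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Permissions that let an app send messages at the user's expense or read
# incoming SMS (e.g. to suppress carrier confirmation replies).
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Words that suggest the app presents itself as a browser or installer.
# Assumed keyword list for this example; tune to your own naming conventions.
BROWSER_THEMED_WORDS = ("browser", "opera", "installer", "setup")

# Constructed sample manifest (package name and label are invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebrowser">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Opera Mini Installer"/>
</manifest>
"""


def extract_permissions(manifest_xml):
    """Return the sorted list of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(NAME_ATTR, "") for el in root.iter("uses-permission"))


def app_label(manifest_xml):
    """Return the application label, or an empty string if none is set."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.get(LABEL_ATTR, "") if app is not None else ""


def triage(manifest_xml):
    """Summarise SMS-related risk for one manifest.

    Returns a dict with the package name, label, the SMS permissions found,
    and human-readable findings. An empty findings list means nothing of
    note was seen by this check (which says nothing about other behaviour)."""
    root = ET.fromstring(manifest_xml)
    perms = set(extract_permissions(manifest_xml))
    sms = sorted(perms & SMS_PERMISSIONS)
    label = app_label(manifest_xml)
    findings = []
    if sms:
        findings.append("requests SMS permissions: " + ", ".join(sms))
    if sms and any(w in label.lower() for w in BROWSER_THEMED_WORDS):
        findings.append(
            "browser-themed label combined with SMS capability: "
            "consistent with an SMS-sending lure, review before installing"
        )
    return {
        "package": root.get("package"),
        "label": label,
        "sms_permissions": sms,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

A real browser has no business sending SMS, so the combination of a browser-like label with `SEND_SMS` is a cheap, high-signal filter for this family of lures; it is a screening aid, not a verdict, and a sample that passes it can still misbehave in ways a manifest does not reveal.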
Let us see the payload in action, captured in our simulated lab setup. Fig.2 shows the screen when the sample starts executing. The translation of the screen message is, "Welcome to Setup Opera Mini for Android. To install, click Install."
Fig.2: The user is asked to proceed with the "installation."
During "installation," the sample sends SMS messages as configured in an XML file packaged with the sample.
Fig.3: Debugging the sample
The execution of the sample is controlled by setting breakpoints at the appropriate code locations, so that we can inspect the state of the malware sample at different points during execution.
Fig.4 shows the state of the Vector object that holds the details of the SMS messages being sent.
Fig.4: The state information captured during the execution
Once the messages are sent, the user is prompted with a hyperlink to download the intended browser from the legitimate site.
Fig.5: Link to download the original browser
This social engineering trick of disguising itself as a legitimate application has proven a successful method for malware to deceive many unsuspecting users in the past. We strongly advise users to evaluate app permissions carefully at installation time.