Following our initial post on the discovery of Android.Bgserv,
Symantec has found additional Trojanized samples in the wild. After
analysis of these new samples, it appears that the applications contain
multiple bugs. In the case of the Trojanized version of Google’s
Security Tool, we have confirmed after testing (with no surprise) that
it does not have the ability to clean a system infected with Android.Rootcager.
The Trojanized applications also contain code to change an infected device’s APN
settings. The screenshot below belongs to the threat code responsible
for changing them. However, in our research we have not been able to
identify the code being called at any time.
Our research also shows that even if this APN change code was called,
the application's permissions would not allow the requested changes to
take place. This can be seen in the screenshot below, showing the
Trojanized application's manifest:
An application willing to change the APN settings is required to hold the “android.permission.WRITE_APN_SETTING”
permission. We have also found some other pieces of interesting code
within the threat that seem to be dormant. One example of this is seen
in the screenshot below:
The purpose of this code seems to be to block incoming calls from
specific telephone numbers. In this case, the telephone numbers in
question seem to belong to a major Chinese telecom operator's customer
Below is an image showing the command-and-control (C&C) server
that is being used by this threat and an example of the information that
is posted to the C&C server. At the time of writing, the C&C
server was live but not serving commands.
Our overall analysis of this threat has shown it to be a potentially
worrying threat. However, the threat's perpetrators have failed to fully
implement all of the functionality within the infected applications,
thereby lessening its potential impact as a threat.
Here are a few tips that may help to identify whether or not a
device has been infected with Android.Bgserv. The legitimate Android
Security tool was automatically pushed to infected users and did not
require manual download. Also, it does not show up within the
application menu, as opposed to the malicious one:
We can see the malicious service that has been started by the Trojanized tool running in the background as “BgService”:
Finally, to avoid becoming a victim of such malicious Android
applications, we recommend that you only use regulated Android
marketplaces for downloading and installing Android applications. Also,
in the Android OS application settings there is an option to stop the
installation of non-market applications, which can help to prevent
against this type of attack. Checking user comments on the marketplace
can also assist in determining if the application is safe. Lastly,
always check the access permissions being requested during the
installation of any Android applications. If they seem excessive for
what the application is designed to do, it would be wise to stop
installing the application.
Note: Special thanks to Irfan Asrar for all his input into this blog.