Android.Bgserv Found on Fake Google Security Patch – Part II

Following our initial post on the discovery of Android.Bgserv, Symantec has found additional Trojanized samples in the wild. Analysis of these new samples shows that the applications contain multiple bugs. In the case of the Trojanized version of Google’s Security Tool, we have confirmed by testing (unsurprisingly) that it cannot clean a system infected with Android.Rootcager.

The Trojanized applications also contain code to change an infected device’s APN settings. The screenshot below shows the threat code responsible for this change. However, in our analysis we were unable to find any code path that actually calls this routine.

Our analysis also shows that even if this APN code were called, the application’s permissions would not allow the requested change to take place. This can be seen in the screenshot below of the Trojanized application’s manifest:

An application that wants to change the APN settings must hold the “android.permission.WRITE_APN_SETTINGS” permission, and this manifest never requests it. We have also found other pieces of interesting code within the threat that appear to be dormant. One example is shown in the screenshot below:

The purpose of this code seems to be to block incoming calls from specific telephone numbers. In this case, the numbers appear to belong to the customer care service of a major Chinese telecom operator.
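The permission gap described above, and the dormant call-blocking routine, can be checked mechanically against a decoded manifest (for example the AndroidManifest.xml produced by `apktool d`, or the list printed by `aapt dump permissions`). The Python below is an added example, not Symantec’s tooling and not code from the threat: it reads the permissions a manifest requests and reports which capabilities found in the code could never succeed at runtime. WRITE_APN_SETTINGS is the permission named above; mapping the call-observation code to READ_PHONE_STATE and C&C posting to INTERNET are assumptions about what such code needs, not findings from the sample, and the manifest itself is a constructed stand-in, not the real Bgserv manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name, as ElementTree sees it

# Permissions each capability observed in the code would need at runtime.
# WRITE_APN_SETTINGS is the one the analysis names. The other two entries are
# assumptions about what call observation and network posting require.
REQUIRED_BY_CAPABILITY = {
    "change APN settings": {"android.permission.WRITE_APN_SETTINGS"},
    "observe incoming calls": {"android.permission.READ_PHONE_STATE"},
    "post data to C&C": {"android.permission.INTERNET"},
}

# Constructed sample manifest (NOT the real Bgserv manifest): a repackaged
# utility that asks for network and phone-state access but no APN writes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.securitytool">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <application android:label="Security Tool">
        <service android:name=".BgService" />
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permissions the manifest requests via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def dormant_capabilities(manifest_xml, required=REQUIRED_BY_CAPABILITY):
    """Map each capability to the permissions it needs but the manifest lacks.

    A capability listed in the result is code that can sit in the APK yet can
    never succeed: permissions are granted at install time from the manifest,
    so the framework rejects the call with a SecurityException.
    """
    held = declared_permissions(manifest_xml)
    return {cap: sorted(need - held) for cap, need in required.items() if need - held}


if __name__ == "__main__":
    for cap, missing in dormant_capabilities(SAMPLE_MANIFEST).items():
        print("%s: code present but unusable, missing %s" % (cap, ", ".join(missing)))
```

Running this over the constructed manifest reports only the APN capability as dormant, which is the situation described above: the routine is present, but the package was never granted the permission it would need to write to the carrier settings. The same comparison works for any capability you recover from decompiled code; add an entry to the mapping and re-run.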

Below is an image showing the command-and-control (C&C) server used by this threat and an example of the information posted to it. At the time of writing, the C&C server was live but not serving commands.

Our overall analysis shows this to be a potentially serious threat. However, its authors have failed to fully implement the functionality within the infected applications, which lessens its actual impact.

Here are a few tips that may help identify whether a device has been infected with Android.Bgserv. The legitimate Android Security Tool was pushed to affected users automatically and did not require a manual download. It also does not appear in the application menu, whereas the malicious one does:

The malicious service started by the Trojanized tool can be seen running in the background as “BgService”:
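On a device reachable over adb, the same check can be made from the service list instead of the Settings screen. The Python below is an added example and not part of the original post: it parses the output of `adb shell dumpsys activity services`, where each running service is printed as a `ServiceRecord{...}` line followed by indented fields such as `processName=`, and returns the services whose class name matches the one shown above. The dump text is a constructed sample, the package name com.example.repackaged.securitytool is invented, and skipping packages under `com.android.` is a triage heuristic chosen here, not a property of the threat.

```python
import re

# Header line for each running service in `dumpsys activity services`. Newer
# releases insert a user id ("u0") before the component; that group is optional.
SERVICE_RECORD = re.compile(
    r"^\s*\*\s*ServiceRecord\{[0-9a-fA-F]+\s+(?:u\d+\s+)?(?P<pkg>[\w.]+)/(?P<cls>\S+)\}"
)
PROCESS_NAME = re.compile(r"^\s+processName=(?P<val>\S+)")

# Constructed sample dump (not captured from an infected device); the
# repackaged package name is invented.
SAMPLE_DUMP = """ACTIVITY MANAGER SERVICES (dumpsys activity services)
  Active services:
  * ServiceRecord{4070a2e8 com.android.phone/.TelephonyDebugService}
    intent={cmp=com.android.phone/.TelephonyDebugService}
    packageName=com.android.phone
    processName=com.android.phone
  * ServiceRecord{40725c10 com.example.repackaged.securitytool/.BgService}
    intent={cmp=com.example.repackaged.securitytool/.BgService}
    packageName=com.example.repackaged.securitytool
    processName=com.example.repackaged.securitytool
    baseDir=/data/app/com.example.repackaged.securitytool-1.apk
"""


def parse_services(dump):
    """Turn a dumpsys service listing into [{package, service, process}, ...]."""
    records = []
    current = None
    for line in dump.splitlines():
        m = SERVICE_RECORD.match(line)
        if m:
            cls = m.group("cls")
            # A leading dot is shorthand for "<package>.<Class>".
            full = m.group("pkg") + cls if cls.startswith(".") else cls
            current = {"package": m.group("pkg"), "service": full, "process": None}
            records.append(current)
            continue
        p = PROCESS_NAME.match(line)
        if p and current is not None:
            current["process"] = p.group("val")
    return records


def find_services(dump, name_pattern=r"(?i)\.BgService$", trusted_prefixes=("com.android.",)):
    """Return running services whose class name matches name_pattern, ignoring
    packages under trusted_prefixes. This is a triage filter, not a verdict:
    a match still has to be confirmed by looking at the package itself."""
    pattern = re.compile(name_pattern)
    return [
        r for r in parse_services(dump)
        if pattern.search(r["service"]) and not r["package"].startswith(trusted_prefixes)
    ]


if __name__ == "__main__":
    for hit in find_services(SAMPLE_DUMP):
        print("suspicious service %s in process %s" % (hit["service"], hit["process"]))
```

In practice you would pipe the real dump in (`adb shell dumpsys activity services > services.txt`) and read that file instead of the constructed sample; the process name returned for each hit tells you which package to pull and inspect.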

Finally, to avoid becoming a victim of such malicious Android applications, we recommend that you download and install applications only from reputable Android marketplaces. The Android application settings also include an option to block the installation of applications from non-market sources, which helps prevent this type of attack. Checking user comments on the marketplace can also help determine whether an application is safe. Lastly, always review the permissions requested when installing any Android application. If they seem excessive for what the application is meant to do, do not install it.

Note: Special thanks to Irfan Asrar for all his input into this blog.