2011 saw dramatic changes in the mobile landscape, driven by ever-increasing growth in consumer adoption of smartphones. This has not gone unnoticed by the criminal fraternity, which has turned its attention to mobile malware. What remains to be seen is whether this trend moves beyond testing the waters to making a significant impact, on the scale we associate with threats for Windows. If the activities of the past week are any indicator, 2012 is off to an interesting start. Another scam has come to our attention, this time targeting Android users in France and attempting to exploit the frenzy surrounding Carrier IQ.
From our analysis, Android.Qicsomos is a modified version of an open source project meant to detect Carrier IQ on a device, with additional code to dial a premium SMS number. On installation, the app appears in the device menu with an icon similar to the logo of a major European telecom operator. It is this fact, not to mention we cannot find any trace of this on the Android Market, that leads us to believe that there may be a social engineering vector being used to spread the malware, such as a spam or phishing campaign pretending to be from an official carrier asking the users to download and run the software.
The malicious code goes to work when the user presses the button marked ‘Désinstaller’ from within the app. Once pressed, four SMS messages are sent to 81168—a premium-rate number. The Trojan follows up by executing an uninstall routine to remove the app.
A safe way to remove it is to uninstall the app through the Settings menu rather than from within the app itself.
In an additional twist, it appears the apps were signed with a certificate published as part of the Android Open Source Project (AOSP). Signing an app with a publicly known certificate allows installation without going through the regular permissions notification screen on devices whose firmware was built with those same keys. This shouldn't affect the commercial devices used by most consumers (where the manufacturer keeps the signing keys private), but it might trick certain older custom mods that reused these published keys.
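The check a defender would want for the signing issue described above is whether an APK's signing certificate is one of the publicly known AOSP certificates. The following is an added example written for this post, not Symantec's tooling and not part of the original article. It uses only the Python standard library to walk the DER-encoded PKCS#7 block in `META-INF/*.RSA` (the JAR-style signature used by Android at the time), prints each embedded certificate's subject and SHA-256 fingerprint, and flags any fingerprint that appears in an allow-list of known public certificates. The `KNOWN_PUBLIC_CERTS` entries are placeholders to be filled from the `.x509.pem` files under AOSP's `build/target/product/security/` directory; the certificate and APK built by `build_demo_cert` and `build_demo_apk` are constructed fixtures with the AOSP testkey subject name and dummy key and signature fields, so the script does not verify signatures, only identifies signers.

```python
"""Flag APKs whose JAR (v1) signing certificate is a publicly known key.
Added example; stdlib-only DER walking, no signature verification."""
import hashlib
import io
import zipfile

# PLACEHOLDER fingerprints: replace with sha256 of the DER form of the public
# AOSP certificates (testkey/platform/shared/media.x509.pem in AOSP's
# build/target/product/security/).
KNOWN_PUBLIC_CERTS = {"0" * 64: "AOSP testkey (PLACEHOLDER fingerprint)"}
OID_NAMES = {
    b"\x55\x04\x03": "CN",                                    # 2.5.4.3
    b"\x55\x04\x0a": "O",                                     # 2.5.4.10
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",  # PKCS#9 email
}


def der_tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def certs_from_pkcs7(blob):
    """Return the DER certificates embedded in a PKCS#7 SignedData blob."""
    _, content_info, _ = der_tlv(blob)
    _, explicit0 = der_children(content_info)[1]       # [0] EXPLICIT SignedData
    _, signed_data, _ = der_tlv(explicit0)
    certs = []
    for tag, val in der_children(signed_data):
        if tag == 0xA0:                                # certificates [0] IMPLICIT
            pos = 0
            while pos < len(val):
                _, _, nxt = der_tlv(val, pos)
                certs.append(val[pos:nxt])             # whole Certificate TLV
                pos = nxt
    return certs


def cert_subject(cert_der):
    """Extract the subject Name of an X.509 certificate as {attr: value}."""
    _, cert, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])    # tbsCertificate
    if fields[0][0] == 0xA0:                           # skip explicit version
        fields = fields[1:]
    subject, out = fields[4][1], {}   # serial, sigalg, issuer, validity, subject
    for _, rdn in der_children(subject):               # each RDN is a SET
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            out[OID_NAMES.get(oid, oid.hex())] = val.decode("utf-8", "replace")
    return out


def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def audit_apk(apk, known=KNOWN_PUBLIC_CERTS):
    """List every JAR-signature certificate in the APK and whether it is a known public key."""
    if isinstance(apk, bytes):
        apk = io.BytesIO(apk)
    findings = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    fp = fingerprint(cert)
                    findings.append({"file": name, "sha256": fp,
                                     "subject": cert_subject(cert),
                                     "publicly_known": known.get(fp)})
    return findings


# --- constructed fixture: structurally valid but unsigned cert inside a toy APK ---
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_demo_cert():
    """Certificate carrying the AOSP testkey subject; key and signature are dummies."""
    def atv(oid, value, tag=0x0C):
        return der(0x31, der(0x30, der(0x06, oid) + der(tag, value)))
    name = der(0x30, atv(b"\x55\x04\x0a", b"Android") + atv(b"\x55\x04\x03", b"Android")
               + atv(b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01", b"android@android.com", 0x16))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"120101000000Z") + der(0x17, b"220101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name + validity + name + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))


def build_demo_apk(cert):
    """Wrap cert in a minimal PKCS#7 SignedData and place it at META-INF/CERT.RSA."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                 + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
                 + der(0xA0, cert) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")      # dummy payload
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    demo = build_demo_cert()
    for f in audit_apk(build_demo_apk(demo), {fingerprint(demo): "demo testkey"}):
        print(f)
```

Run against a real APK with `audit_apk("app.apk")` once the placeholder fingerprints are filled in; a hit on `publicly_known` means anyone could have produced that signature, so the signer identity tells you nothing, and on a device built with those keys the app would be treated as a platform-signed component.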
With all the bold predictions being made about the state of the mobile threat landscape in 2012, one can be forgiven for being a little skeptical about their significance. But to any skeptics out there, I can assure you that some concerns, such as this threat, are not without merit.