SMS Trojan Targets South Korean Android Devices

It’s a common misconception that mobile malware is a problem limited to users in a particular geographical region such as China or Eastern Europe. Last week, McAfee Labs mobile research department received a mobile malware sample that targets Android mobile phone users in South Korea. The sample pretends to be a popular coffee shop coupon application, but in fact is an SMS Trojan that posts the incoming SMS messages to the attacker’s website.

If a user clicks the familiar application icon, a pop-up message will display the following information:

This is a fake error message reporting that the server is overloaded and unable to process the request. This, together with the icon used for the application, is simply social engineering to fool the victim into believing the application is legitimate but having problems, in the hope that the victim will just quit the application. This malicious app has nothing to do with the popular coffee vendor you may associate with the bogus icon.

While the message is displayed, the application creates a service to run in the background after the device has been rebooted. This service then sends the victim’s phone number to the following URL to “register” the infection.

  • http://it[deleted].com/Android_SMS/installing.php

The following image shows the application’s ability to gather a phone number and send it to the attacker:

Once the application is installed, it monitors any incoming SMS messages. All of these will be sent, together with the phone number of the sending device, to the following URL:

  • http://it[deleted].com/Android_SMS/receiving.php

Furthermore, the malicious application blocks the incoming SMS message as well as the notification, so the victim will never know of the message’s existence.

The following image shows the application code responsible for the incoming message theft:

This malicious application targets only South Korean Android devices by checking for numbers starting with “+82,” the international code for South Korea, as shown in the following:

All intercepted and stolen SMS messages and the originating phone number are posted to the aforementioned URL using “EUC-KR” character encoding, as shown in the following picture:

McAfee Mobile Security detects this malware as Android/Smsilence.A.