Targeted Attacks the Next Step in Mobile Malware

The Android threat landscape continues to evolve in 2013. To distribute Android threats, malware authors are moving away from traditional vectors such as the Google Play Market and third-party Android markets toward spam and phishing emails and SMS.

Recently a new information-stealing Android malware was found being distributed as an email attachment as part of a targeted attack against Uyghur, Mongolian, Tibetan, and Chinese activists. The social-engineering attack was carried out through an email consisting of an invitation to the “World Uyghur Congress” (WUC) and an attachment pretending to be a letter on behalf of WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples. In reality the file was the Android application “WUC’s Conference.” Once downloaded, the application asks for the following suspicious permissions:

[Image: permissions requested by the “WUC’s Conference” application]

Once the permissions are accepted and the application is installed on the device, the malware shows the following text about the fake conference in Geneva:

[Image: text about the fake Geneva conference displayed by the application]

At the same time, a service starts in the background without the user’s consent:

[Image: the service started in the background]

The service registers the infected device at the malware’s control server to start collecting the following sensitive information:

  • Phone contacts (name and phone number)
  • Call records (number, name, date, and duration)
  • SIM contacts (name and phone number)
  • SMS messages (address, body, and date)
  • Geo-location (longitude and latitude)
  • Device information (phone model, SDK version, OS version, and version release)

This information is later encoded and sent to the control server:

[Image: encoded information sent to the control server]

The malware also registers a broadcast receiver that continuously monitors incoming SMS messages for one of the following commands: SMS, contact, location, or other (call records). When a command arrives, the malware resends the requested information. Another variant with the same payload was found stored on the control server under the name “Document.apk,” but this time the malware shows text in Chinese about the disputed islands between China and Japan:
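As an added illustration (not McAfee's detection logic and not the malware's own code), the following Python script scores a decoded AndroidManifest.xml, such as apktool output, for the combination described above: the data-harvesting permissions, a background service, and a receiver listening for incoming SMS as a command channel. The sample manifest, its package name and component names, and the scoring threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together cover the data categories listed in the post.
HARVEST_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
}

# Constructed sample manifest in decoded (apktool-style) form; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.conference">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".CollectorService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded manifest for the permission/service/SMS-receiver pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    has_service = root.find("application/service") is not None
    # A receiver filtering SMS_RECEIVED is what lets SMS act as a command channel.
    sms_receiver = any(
        a.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_RECEIVED"
        for r in root.iter("receiver") for a in r.iter("action"))
    found = sorted(perms & HARVEST_PERMS)
    score = len(found) + (2 if has_service else 0) + (3 if sms_receiver else 0)
    return {"harvest_permissions": found, "background_service": has_service,
            "sms_command_receiver": sms_receiver, "score": score,
            "suspicious": score >= 8}  # threshold is an assumption for triage
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the full pattern flagged; a manifest with only INTERNET and no service or SMS receiver scores 1 and is not flagged.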

[Image: Chinese text about the disputed islands shown by the “Document.apk” variant]

McAfee Mobile Security detects both variants of this threat as Android/Chuli.A and alerts mobile users if it is present on their devices, while protecting them from any data loss.