A new threat has surfaced targeting users in Korea and Japan, but this attack, unlike others making the news, is not one motivated by political or ideological dogma. Instead, this one is based purely on old-fashioned greed. Vertu phone owners or those looking for a localized Vertu theme in Korean or Japanese for an Android phone had better think twice before downloading something. McAfee Mobile Research has identified a new variant of Android/Smsilence distributed under the guise of a Vertu upgrade/theme that is targeting Japanese and Korean users.
Fake Vertu app in Japanese. (Click on images to enlarge.)
On installation, Android/Smsilence.C attempts to display a loading screen, while in the background registering the device phone number with an external server [XXX.XX.24.134] by sending an HTTP post. The malware then registers an Internet filter on the local device so that any incoming messages are handled first by the Trojan and then forwarded to the same server. The loading screen eventually stops with the message in Japanese or Korean reporting that the service was unavailable and to please try again.
McAfee’s research into the control management system used by this threat has shown that multiple domains (pointing to the same server) were used in addition to multiple guises to spread the threat. Around 20 fake branded apps–from coffee to fast-food chains, including an antivirus product from Korea that was uploaded and revoked from Google Play–were used. Despite a lack of sophistication compared with other mobile botnets, Android/Smsilence was still able to infect between 50,000 to 60,000 mobile users, according to our analysis.
Fake Vertu app in Korean.
The new variant now extends to Japanese victims. Most other threats targeting Japan this year have been minor variations of one-click fraud (also called scareware), which has been around in one form or another since 2004. Devices infected with Android/Smsilence.C are capable of sending back a lot more information, in addition to downloading additional spyware to the infected device.
Because carriers in Japan use the CMAIL protocol for text messaging, attempting to control and maintain a mobile botnet from outside of Japan is not easy (due to the security features implemented by Japanese carriers). We wonder if there was a local accomplice facilitating the spread or control of infected devices. This would also explain the function of a secondary package that is downloaded to an infected device only on demand by the botnet controller, and contains additional spyware functionality not limited to text messaging.
The most bizarre aspect of this new strain remains to be explained, and highlights a limitation in the antimalware research field. Regardless whether we analyze an Android Trojan or a complex threat like Stuxnet, given enough time we can reverse-engineer any piece of code into its basic building blocks. Nonetheless, there are sometimes aspects to a case in which no matter how much time is spent investigating, we have no idea what the malware authors were thinking. In this case we discovered a file inside the malware that changes the package hash; that’s an evasive technique dubbed server-side polymorphism, and attempts to avoid detections by antimalware vendors. But it was not the technique that was confusing, even though this is the first time we have seen this technique used outside of an Eastern European threat family. The chosen file, the key component in the evasion technique, was a picture of London Mayor Boris Johnson.
The malware authors included an image of London Mayor Boris Johnson.
