Santa, aka DarkK3y, brought a new present.
Please read the malware report below. If you have any comments for the author, please email me and I will forward them to him or have him contact you.
Download. Email me if you need the password.
Sample and Research credit: DarkK3y
DarkK3y / dark_k3y
Trojan.Rus.SMS."SystemSecurity"
=== Summary of the analysis ===
This malware sample was received in an SMS message containing a web link. The malware appears to be Toll Fraud malware (according to the Lookout Mobile Security classification). Moderate user interaction is required to infect the mobile device: the user needs to click the link and install the apk file downloaded from it. The installation package requires many security permissions to run (see the Characteristics section). After installation, "System Service" (com.android.systemsecurity) appears on the device. It loads on boot and hooks the SMS receiver service (with the greatest priority). It also uses the alarm service to schedule periodic runs (every 3 minutes or more). On each run except the first, an SMS is sent to the paid service. On the first run, information about the paid service (SMS number and code) and the SMS filter (which SMS messages should be dropped and not shown to the user) is downloaded from the CnC server; OS information, IMEI, IMSI and the user's contact list are uploaded to the CnC server. Possibly, the phone numbers from the user's contact list are used by the CnC server to spread the malware further by sending SMS messages to them. Currently, the malware seems to be undetectable by Norton Mobile Antivirus and some other mobile antimalware tools. It is only detected by heuristic scan methods (possibly because it requires too many security privileges).
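The traits in this summary (boot start, a top-priority SMS receiver, a broad permission set) can be checked statically in a decoded AndroidManifest.xml. The following triage sketch is an added example, not part of DarkK3y's report; the manifest text, receiver names, permission list and priority threshold are constructed assumptions, and only the package name comes from the report.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
# Permissions mapped from the behaviours in the summary (assumed, not the sample's real list)
RISKY = {"SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS", "READ_PHONE_STATE",
         "RECEIVE_BOOT_COMPLETED", "INTERNET"}
P = "android.permission."

# Constructed manifest for illustration; receiver names and priority value are made up
SAMPLE = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.systemsecurity">
  <uses-permission android:name="{P}SEND_SMS"/><uses-permission android:name="{P}RECEIVE_SMS"/>
  <uses-permission android:name="{P}READ_CONTACTS"/><uses-permission android:name="{P}INTERNET"/>
  <uses-permission android:name="{P}READ_PHONE_STATE"/>
  <uses-permission android:name="{P}RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="{SMS_RECEIVED}"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="{BOOT_COMPLETED}"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml, priority_threshold=999):
    """Return findings for a decoded (text) manifest; threshold is a hypothetical cutoff."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {p.get(ANDROID + "name", "").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    hits = sorted(perms & RISKY)
    # Send + receive SMS together with at least two more risky permissions
    if {"SEND_SMS", "RECEIVE_SMS"} <= perms and len(hits) >= 4:
        findings.append("permissions:" + ",".join(hits))
    for recv in root.iter("receiver"):
        name = recv.get(ANDROID + "name")
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            try:
                prio = int(flt.get(ANDROID + "priority", "0"))
            except ValueError:
                prio = 0  # malformed priority: treat as default
            if SMS_RECEIVED in actions and prio >= priority_threshold:
                findings.append(f"sms-intercept:{name}:priority={prio}")
            if BOOT_COMPLETED in actions:
                findings.append(f"boot-persistence:{name}")
    return findings
```

The manifest inside an APK is binary XML and has to be decoded to text first (for example with apktool). For manifests taken from untrusted samples, parse with a hardened XML parser such as defusedxml.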