Android Wallpaper Trojan Racks Up Charges in China

SMSZombie, an attack on Android smartphones, has infected the devices of an estimated half-million users through risqué wallpaper applications.

Seven risqué wallpaper apps available through China's largest mobile marketplace, GFan, are actually Trojan horses, infecting Android smartphones by downloading malicious content after the applications are installed, mobile security firm TrustGo warned in a recent analysis.

The malware, which has infected the smartphones of an estimated half million Chinese users, allows the attackers to remotely charge the user through the China Mobile Short Message Service (SMS) Payment system, the firm stated in the Aug. 15 advisory.

The Trojan also disables the user's ability to remove the malicious software by obtaining administrator permissions through an aggressive social engineering tactic, said Jeff Becker, head of marketing for TrustGo.

"Once it asks for the administrator permissions, it is not cancelable," Becker said. "The cancel button is disabled and it just continually pops up these requests for permissions, and eventually the user just grants them to get rid of this dialog box."

The fraudulent application appears to be one of seven legitimate wallpaper downloads from GFan, the largest Chinese mobile app marketplace. The app requests permission to install an additional file, "Android System Service," which is the malicious functionality of the program. Updating the software after installation is a way to bypass the security scanning conducted by many app stores. Security researcher Charlie Miller of Accuvant, for example, used a similar technique to get around Apple's App Store restrictions last year.

Once updated with its malicious functionality and granted administrator rights, the Trojan horse is controlled through a configuration file that the fraudsters can update remotely to change how often fraudulent charges are made and the amount of each transaction.

The criminals behind the scheme typically charge small amounts in an attempt to stay unnoticed. The malware can also intercept and send SMS communications, which is particularly useful for banking fraud. Banks often use SMS messages to confirm a suspicious transaction. By intercepting and deleting such messages, the attacker can hide ongoing fraud.

"The user is unaware that any payment has been made or any confirmation issued," says Becker.
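The combination the article describes, a wallpaper app that also asks for device-administrator rights and SMS access, is something a reviewer can triage statically from an APK's manifest. The following is an added example, not TrustGo's analysis or the Trojan's own code; the manifest is constructed for illustration, and the permission and action names are standard Android identifiers.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in AndroidManifest.xml
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from the real Trojan): a live wallpaper that
# also declares SMS permissions and a device-admin receiver, as described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".LiveWallpaper"
             android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter>
        <action android:name="android.service.wallpaper.WallpaperService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the indicators from the article that a manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    actions = {e.get(A + "name") for e in root.iter("action")}
    findings = []
    if "android.service.wallpaper.WallpaperService" in actions:
        findings.append("wallpaper service")
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("can receive and send SMS")
    if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
        findings.append("requests device administrator")
    return findings


def is_suspicious(xml_text):
    """A wallpaper app that also wants SMS and device-admin rights merits review."""
    findings = triage_manifest(xml_text)
    return "wallpaper service" in findings and len(findings) == 3
```

Because the article notes the malicious payload arrives as a post-install download, the manifest submitted to the store may declare none of this; a clean result is a triage outcome, not a verdict.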

Using legitimate applications to hide malware is the most common way for criminals to get malicious code into the mobile app marketplaces, such as Google Play and Apple's App Store. Of the top 100 mobile applications in each store, more than 90 percent have been hacked, pirated or modified by third parties, according to application-security firm Arxan Technologies, which released a report on the trend on Aug. 20.

The hacking of top apps is not necessarily nefarious. The top modifications are disabling or circumventing security, unlocking features, pirating the software, removing ads and, of course, creating versions to carry malware, the firm stated.

"The integrity of mobile apps can be easily compromised through new tampering (and) reverse-engineering attack vectors," Jukka Alanen, vice president at Arxan, said in a statement. "The traditional approaches to application security such as secure software development practices and vulnerability scanning cannot address the new hacking patterns that we identified."

Traditionally, mobile phones have been considered more secure than their PC counterparts because applications are downloaded from central repositories, where malicious apps can be scanned, discovered and removed. In addition, store operators can remove rogue applications from customers' phones, if they are later found to be malicious.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...