Last week, there was quite a buzz in the mobile-malware researchers community about a new Android malware. It came to light not because of its sophistication or complexity but due to the simple method that it uses to spread.
Most Android malware we have witnessed are repackaged malicious apps made available in black markets or third-party markets. This latest Android malware follows the same repacking path as its precursors. The only difference with this malware is that it uses quick response (QR) code to distribute the malicious link. We have already discussed in a recent blog that QR code can be used by attackers to spread malicious files.
A QR code is a type of matrix barcode to store information. These codes are increasingly found on product labels, billboards, and business cards. Why are QR codes so popular? The amount of data they hold. QR codes can carry 7,089 numeric characters or 4,296 alphanumeric characters and can store up to 2KB of data.
All one needs is a smart phone with a camera and QR reader application to scan these codes. The codes can direct users to websites or online videos, and send text messages and emails.
QR code points to McAfee.com
If you scan the QR code above with any QR code reader using your smart phone, it will redirect you to our site http://www.mcafee.com Attackers use these codes to redirect users to URLs that ask users to download malicious applications.
Malicious QR code
Analyzing the payload
Once users download a malicious application onto their mobile devices, they need to install it. This malicious app is the Trojanized Jimm application, which is a mobile ICQ client. The payload is nothing new, as we have already seen these behaviors in the past with other Android malware such as Android/FakePlayer.A and Android/HippoSMS.A. The latter sends SMS’s to premium numbers.
This malicious application requires the following user permissions:
User permission request by the application
Once installed, the malware sends an SMS to a premium number that charges users. The application has the following icon:
The application icon
We have also seen the JAR version of this application; it targets the J2ME mobile phones and sends SMS’s to premium numbers. When I installed the malicious .jar package in a test environment, it displayed the following message:
Installing the malicious application
It prompted me to select a country and then displayed the next message:
Finally the malware tries to send messages to premium numbers from the infected mobile. Because I was executing this application in a controlled environment, it told me I didn’t have a sufficient balance in my account to send the message. But I did confirm that it tried to send messages, as seen below:
In the recent blog about QR codes by my colleague Jimmy Shah, he suggested how to stay away from such attacks. Our advice has not changed: Use a mobile QR code-/barcode-scanning app that previews URLs, and avoid scanning suspicious codes.
McAfee products detect these malware in our latest DATs as Android/SMS.gen and J2ME/Jifake.a.