Data-Stealing Android App Impersonates Word Doc

2015-10-30T14:08:00
ID MALICIOUS-ANDROID-APP-IMPERSONATES-MICROSOFT-WORD-DOC/115214
Type threatpost
Reporter Michael Mimoso
Modified 2015-11-06T14:03:02

Description

A new strain of Android malware has taken a decidedly old-school approach to infecting mobile devices.

Researchers at security company Zscaler said they spotted several hundred new infections since Oct. 10, primarily targeting Android users in China. The malware arrives impersonating a Microsoft Word document carrying the familiar “W” logo, but is in reality a malicious Android application package (APK).

Related Posts

TCP Flaw in Linux Extends to 80 Percent of Android Devices

August 15, 2016 , 5:10 pm

How Bugs Lead to a Better Android

August 4, 2016 , 6:05 pm

Joshua Drake on Android Security Post-Stagefright

August 4, 2016 , 11:00 am

Once a device is infected, the malware operates with elevated privileges, steals device identifiers (IMEI and SIM card numbers as well as the device ID), along with personal information belonging to the victim, SMS messages and contact information stored on the phone.

All of this data is emailed or texted to the attackers, Zscaler director of security research Deepen Desai said.

We did not see the initial delivery vector here but the fact that it is using a file name (wendang.apk translates to data file) and it uses Microsoft Office Word icon – the malware author is trying to fool the end user into thinking it is an important document file that the user will be interested in,” Desai said. “Once the user opens up the document file he or she will actually be going through an APK installation process leading to infection.”

Once the malware is installed on the phone, for example, it drops a Word doc icon onto the home screen. The victim taps to open the file, but instead executes the malware, which also delivers an error message to the user and removes the icon from the home screen. The malicious app then executes a number of things in the background, including sending all SMS messages to a number coded into the malware. It also starts an Android service called MyService and two threads (SMSTask and MailTask) that run in the background. The malware is also capable of dialing out to numbers coded into the malware.

“The malware authors have implemented a functionality in the APK file that allows them to send phone numbers to the infected device via SMS,” Desai said. “The malware will intercept such messages and dial the number. The premium number business model appears to be the most likely use case here where the attackers will get paid for the calls made.”

The privacy concerns are alarming, Desai noted. He points out that SMS messages could contain not only personal interactions, but also mobile banking and other verification codes for online services.

“Considering that all the messages on the infected devices were getting sent to the attacker – the attacker may further perform some filtering for the data of interest,” Desai said. “The stolen contact information may be used for further spreading the malware. The stolen credentials and banking related data will most likely be used to perform financial fraud.”

Desai said the campaign was detected Oct. 10 and Zscaler was able to retrieve from the command and control admin panel lists of stolen data sent to the attacker indicating more than 300 victims in less than a month of operations.

“Due to the ubiquitous nature of mobile devices, its no wonder that PC based malware techniques are appearing in mobile domains,” Desai said. “In early Windows malware attacks, attackers would often name the malicious files with eye-catching titles and use common icons to entice victims to open the file. We’re seeing this same practice used for Android based malware.”