While spreading malware through email is rapidly becoming common, this app infects your mobile through SMS. Yes, you heard that right! The app, named “Heart App” in English and originally “XX神器” (XXshenqi) in Chinese, was created by a 19-year-old Chinese software engineering student identified as “Li”, to show off his coding skills to his friends and because he was bored during his summer vacation in Shenzhen.

In theory, the implication seems to be that you can use the app, which you receive as an SMS invitation from one of your friends, to organise a romantic hook-up.

In practice, however, you and your friends will just end up with SMS headaches.

Viruses are rare these days, with most malware distributed in emails generated directly by the cybercrooks, either as attachments or as clickable links, rather than by the malware itself.

Spamming out malware has the advantage that the crooks can quickly target millions of potential victims, all of whom might end up infected in one shot, during the very first wave of the attack.

In contrast, a virus that spreads by forwarding itself only to people already in your address book (or on your phone’s contact list, or nearby on your network) will start small and either build up a head of steam or fizzle out. In this case the malware takes only the first 99 contacts from the victim’s phone and sends each of them an SMS carrying a message to download the app. Even so, thousands of phones can be infected this way, and the number of messages blocked by the local operator, over 20 million, shows as much. They also claimed that at least 100,000 phones have been affected.

How the virus arrives

With Google Play not officially available in China, alternative Android markets have flourished, and, by all accounts, Chinese users are accustomed to running their Android phones with the “Allow installation of apps from unknown sources” option enabled.

So, if you decide to take a chance on a link from a friend that says, simply…

…then you, and 99 of your friends in turn, are heading for trouble.

What the virus looks like

The virus APK (Android Package) covers its tracks with a cute-looking splash screen that pops up as soon as you run it:

But it has already kicked off its self-spreading in the background, SMSing itself to the first 99 entries of your contact list. Once it’s done, it “calls home” by sending a confirmation SMS to a control number, presumably one belonging to the malware author. In the foreground, the app pops up a bogus login screen, by means of which it tries to harvest Personally Identifiable Information (PII):

Obviously, you can’t log in until you register, and if you try to do so, you will be asked to provide personal details:

If you do, you’ll be told that registration was successful; in fact, all that happened was that the data you entered was SMSed to the control number.
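The spreading behaviour described above (a burst of identical link-bearing SMSes to the first 99 contacts, followed by a short “call home” SMS to a control number) leaves a distinctive trace in an outgoing-SMS log. The following detector is an added example written for this article, not code from the original post or from any vendor; the log entries, phone numbers, link and the CONTACTS set are constructed, and the thresholds (20 distinct recipients within 120 seconds, a report within 300 seconds) are assumed tuning values.

```python
import re
from collections import defaultdict

# Constructed outgoing-SMS log for illustration, not device data from the article:
# (seconds since boot, recipient, body). Numbers, link and wording are made up.
CONTACTS = {"+8613800000%03d" % i for i in range(150)}
LURE = "Check this out: http://apk.example.invalid/XXshenqi.apk"
SMS_LOG = [
    (0, "+8613800000007", "Running late, start without me"),
    *[(10 + i // 4, "+8613800000%03d" % i, LURE) for i in range(99)],  # burst to first 99 contacts
    (40, "+8699900000001", "sent:99"),    # short report to a number that is not a contact
    (3600, "+8613800000012", LURE),       # same link forwarded once, an hour later
]
URL_RE = re.compile(r"https?://\S+|\S+\.apk\b", re.IGNORECASE)

def find_sms_fanout(log, min_recipients=20, window_s=120):
    """Flag link-bearing bodies sent to >= min_recipients distinct numbers within any
    window_s-second span. Returns {body: (peak_distinct_recipients, end_of_that_window)}."""
    by_body = defaultdict(list)
    for t, to, body in log:
        if URL_RE.search(body):
            by_body[body].append((t, to))
    alerts = {}
    for body, sends in by_body.items():
        sends.sort()
        best = (0, None)
        for i, (t0, _) in enumerate(sends):
            in_win = [(t, to) for t, to in sends[i:] if t - t0 <= window_s]
            distinct = len({to for _, to in in_win})
            if distinct > best[0]:
                best = (distinct, in_win[-1][0])
        if best[0] >= min_recipients:
            alerts[body] = best
    return alerts

def find_report_to_unknown(log, contacts, alerts, after_s=300):
    """After a flagged burst, a short SMS to a number outside the contact list matches the
    worm's 'call home' confirmation. Returns the matching (t, to, body) entries."""
    hits = []
    for _, burst_end in alerts.values():
        hits += [(t, to, body) for t, to, body in log
                 if burst_end < t <= burst_end + after_s
                 and to not in contacts and len(body) <= 40]
    return hits

if __name__ == "__main__":
    alerts = find_sms_fanout(SMS_LOG)
    for body, (n, end) in alerts.items():
        print("fan-out: %d recipients by t=%ds: %r" % (n, end, body))
    for t, to, body in find_report_to_unknown(SMS_LOG, CONTACTS, alerts):
        print("possible control-number report at t=%d to %s: %r" % (t, to, body))
```

The sliding window matters: the same link forwarded once an hour later is not counted, so a single genuine share of a link does not trip the detector.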

The secondary component

There’s another trick in the virus: it asks you to install a secondary component (another malware package that is bundled inside the virus itself).

Controlling the secondary install via malware that is already running means the malware author can make this secondary component trickier to remove later – for example, it doesn’t show up on the regular Apps page.

Here’s how the trick works.

When you launch the virus for the first time, while the phony login screen is displayed, you will see a popup stating that a “resource pack” is needed:

If you agree to install this sub-application, you will end up with an app called com.android.Trogoogle as well as XXshenqi, but the Trogoogle part will not appear on the Apps page. The Trogoogle app starts up a service called TroListenService (we’re assuming the prefix Tro is a not-so-subtle hint that this is a Trojan Horse) that reads your incoming SMSes.

Removing the “Heart App” virus

Uninstalling the XXshenqi app alone from the Apps screen is not enough:

That will leave behind the SMS- and contact-stealing Trogoogle component. Instead, head to Settings | Apps | Downloaded and uninstall both parts of the malware from there.