The Singapore Computer Emergency Response Team (SingCERT) published an advisory yesterday about a malicious Android application that spreads via SMS. Once installed on a device, the app displays an image to the user once; when the user taps the image, or even presses the back button, the app's icon hides itself from the Applications menu permanently. The malware then keeps running hidden and starts spreading via SMS: it automatically sends an SMS every 8 minutes to people on the victim's contact list and also displays ads every 5 minutes.

The SMS contains a short URL luring recipients to click it and install the harmless-looking app "PhotoView.apk", which is the malware, supposedly to see a photo of themselves.

Code Analysis by FireEye Security Firm

"Upon the user closing out the application after opening it, the first thing the malware does is remove the icon from the UI: setComponentEnabledSetting(getComponentName(), PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP); After that, it sets a recurring alert to repeatedly (every five minutes) launch ad libraries, including: StartApp, Admob, Inmobi, MobFox, Millennialmedia, Umeng, Airpush, and more. We extracted all the ad developer IDs (used for the remote ad servers to identify and reward the developer integrating the corresponding ad libraries in the app) that belong to the malware author, as shown below."

The FireEye researchers also said they found that these ad libraries are still alive. This information helps ad providers and security vendors further identify and block malware from the same developer or organization.

Then the malware checks for internet connectivity. If a connection is available, it tries to load three parameters from its SharedPreferences object. On first launch (when the SharedPreferences are still empty), it fetches http://www.6868android.com/params.json to obtain the following three parameters and saves them in the SharedPreferences object:

u => URL (the URL to be sent in the SMS)
t => text (the text body to be sent in the SMS)
n => total (the number of contacts to send the SMS to)

Afterwards, it calls a method named lunxun(), which means "polling" in Chinese. On the malware's first launch, it scans the contact list and randomly selects at most n phone numbers (where n is the total field fetched from http://www.6868android.com/params.json). Otherwise, it sets an alert to repeatedly wake itself up and send the text and URL to those randomly selected contacts.

The spam message follows this syntax:

Is this your photo?

FireEye researchers said,

"The spamming text plays off of contacts sharing and viewing photos of each other, tricking those randomly selected victim contacts to download and install the malware by clicking the URLs above and allowing further spread. Currently the malicious domain hosting the above URLs has been taken down. To avoid detection, the malware's activity remains disabled (keeping the app icon unseen as well) even if the victim reboots the device. However, since the user launched the app once, the Android system allows the recurring alert service to repeatedly wake up the malware's receiver to send SMS and serve ads."
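As an added example (not from the SingCERT advisory or the FireEye analysis), the Python script below shows how a defender could spot the worm's spamming pattern described above in an outbound-SMS log: a body containing a URL, sent to several distinct contacts at a near-constant interval, matching the 8-minute cadence noted earlier. The log lines, phone numbers, date and URL are constructed sample data.

```python
import re
from datetime import datetime

# Constructed sample of an outbound-SMS log (timestamp, recipient, body);
# the cadence and lure text mirror the behaviour described in the article.
SAMPLE_LOG = """\
2014-03-18 10:00:05 +6591000001 Is this your photo? http://example.invalid/p
2014-03-18 10:03:40 +6591000002 see you at 7
2014-03-18 10:08:07 +6591000003 Is this your photo? http://example.invalid/p
2014-03-18 10:16:04 +6591000004 Is this your photo? http://example.invalid/p
2014-03-18 10:24:09 +6591000005 Is this your photo? http://example.invalid/p
2014-03-18 10:32:02 +6591000006 Is this your photo? http://example.invalid/p
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\+?\d+) (.*)$")
URL_RE = re.compile(r"https?://\S+")

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS recipient body' lines into (ts, rcpt, body)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            rows.append((ts, m.group(2), m.group(3)))
    return rows

def find_periodic_url_spam(rows, min_recipients=4, tolerance_s=90):
    """Return (body, recipients, median_gap_s) for a URL-bearing message body
    sent to several distinct contacts at a near-constant interval, else None."""
    by_body = {}
    for ts, rcpt, body in rows:
        if URL_RE.search(body):
            by_body.setdefault(body, []).append((ts, rcpt))
    for body, sends in by_body.items():
        sends.sort()
        recipients = {r for _, r in sends}
        if len(recipients) < min_recipients:
            continue
        # Inter-send gaps; a worm driven by a fixed alarm keeps them nearly equal.
        gaps = sorted((b[0] - a[0]).total_seconds() for a, b in zip(sends, sends[1:]))
        median = gaps[len(gaps) // 2]
        if all(abs(g - median) <= tolerance_s for g in gaps):
            return body, sorted(recipients), median
    return None

if __name__ == "__main__":
    print(find_periodic_url_spam(parse_log(SAMPLE_LOG)))
```

The ordinary message in the sample ("see you at 7") carries no URL and is ignored, while the five lure messages are flagged with a median gap of about eight minutes.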

The SingCERT advisory recommends the following steps to stay safe: