NEWS FROM THE LAB - Thursday, June 2, 2011

Quick Snapshot of Trojan:AndroidOS/AdSMS.B

Posted by ThreatSolutions @ 09:24 GMT

Ever since we got wind of a variant of an AdSMS trojan with more aggressive functionalities making the rounds in various online forums, we've been on the lookout for more samples to analyze.



It hasn't been easy — there was a report of "more than 20 Android apps" being identified, but most of them seem to have been pulled out of circulation already. A lot of heavy forum trawling was required, which is a good thing for most users — it's not easy to get this trojan.



Analysis is still ongoing, but here are a few snippets based on the samples we have:



As before, the malware is a trojanized version of a legitimate app. For this sample, it was a paper toss game. For a simple game though, the permissions it requests are suspicious:







An alert user should be suspicious when a game says it needs to send SMS messages and read your personal information.



Once installed, the trojan is designed to prompt the user to "update" the program to a new version, with a "lightning update in 1 second" (?):







Once updated, the device is restarted and the malware is successfully installed under "com.android.battery", though it lists itself as appsms.apk in the application folder.



The trojan contains a known exploit, rageagainstthecage, for gaining root access, and it runs four malicious classes as background services: Adsms.Service, SystemPlus, MainRun and ForAlarm.
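The two indicators above, a game that asks for SMS and personal-information permissions and the four AdSMS.B service classes, can both be checked statically from a decoded manifest. The following triage script is an added example, not code from the post or from F-Secure; the sample manifest is constructed for illustration, and the permission grouping and the com.android.* namespace heuristic are our own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Triage policy (our assumption, not the post's): permissions a simple game
# has no legitimate need for, grouped by capability.
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
PERSONAL_INFO_PERMISSIONS = {"android.permission.READ_PHONE_STATE",
                             "android.permission.READ_CONTACTS"}
# Background service class names the post attributes to AdSMS.B.
KNOWN_ADSMS_SERVICES = {"Adsms.Service", "SystemPlus", "MainRun", "ForAlarm"}

# Constructed sample of a decoded AndroidManifest.xml (as apktool would emit);
# illustrative only, not the real AdSMS.B manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.battery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Paper Toss">
    <activity android:name=".GameActivity"/>
    <service android:name="Adsms.Service"/>
    <service android:name=".SystemPlus"/>
    <service android:name="com.android.battery.MainRun"/>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Parse a decoded manifest and return triage findings plus a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = [e.get(ANDROID_NS + "name") for e in root.iter("service")]
    package = root.get("package")
    findings = {
        "package": package,
        # com.android.* is the platform's namespace; a third-party APK using it
        # is a masquerading hint (heuristic; the signing cert should also be checked).
        "platform_namespace": package.startswith("com.android."),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "personal_info_permissions": sorted(perms & PERSONAL_INFO_PERMISSIONS),
        # Match fully qualified names or short names relative to the package.
        "known_services": [s for s in services
                           if any(s == k or s.endswith("." + k) for k in KNOWN_ADSMS_SERVICES)],
    }
    findings["suspicious"] = bool(
        (findings["sms_permissions"] and findings["personal_info_permissions"])
        or findings["known_services"])
    return findings
```

Run it against the output of `apktool d sample.apk` by reading the decoded AndroidManifest.xml into `triage_manifest`; a game flagged on either rule deserves a closer look before installation.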







Other functionalities appear to be as reported, though we'll be continuing analysis — and hunting for more samples. We will be detecting this as Trojan:AndroidOS/AdSMS.B.



Threat Solutions post by — Irene