Malware targeting phones and other devices running Google’s Android operating system hides inside a game app and scans incoming SMS messages for keywords.
Computer security firm Trend Micro said that the malware hides in a game called “Coin Pirates,” which was hosted in a Chinese app market.
The Trojanized version of the game has since been pulled from the Android Market, Trend Micro said in a blog post.
“Same with most Android malware, this Trojanized application, which Trend Micro detects as ANDROIDOS_PIRATES.A, asks for more permissions than its legitimate version, thus does more routines than the original application,” it said.
“Older SMS-targeting Android malware use the originating number in filtering for certain text messages. This malware checks for keywords inside the body of the messages, resulting in a more targeted approach. In addition, the malware author can update the items in the KeyWords field,” it added.
It noted that similar SMS-monitoring Android malware had intercepted messages from premium numbers so that the user would not suspect an infection on the device.
At installation, ANDROIDOS_PIRATES.A registers three receivers: BootReceiver, AlarmReceiver, and SMSReceiver.
BootReceiver and AlarmReceiver start the service MonitorService, which enables the malware to communicate with its malicious server.
SMSReceiver, on the other hand, executes every time an SMS message is received.
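The two points above (the Trojanized build requests more permissions than the legitimate one, and it registers boot, alarm and SMS receivers plus a MonitorService) are exactly what an analyst compares when triaging a repackaged app. The script below is an added example, not Trend Micro’s code or anything from the malware itself: it parses two AndroidManifest.xml documents and reports the permissions, receivers and services that appear only in the suspect build, flagging receivers hooked to BOOT_COMPLETED or SMS_RECEIVED. Both manifests and the package name com.example.coinpirates are constructed for the demonstration; AlarmReceiver is modelled without an intent filter because an AlarmManager-driven receiver is normally triggered through a PendingIntent rather than a broadcast action, which is an assumption, not a detail from the report.

```python
"""Diff the permissions and components declared by two builds of one app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Receiver actions that fire with no user interaction: persistence at boot
# plus a hook on every incoming SMS, the pattern described for this malware.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}
# Permissions a game has no business adding between two builds.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample manifests (not the real app's manifests).
LEGIT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.coinpirates">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Coin Pirates">
    <activity android:name=".GameActivity"/>
  </application>
</manifest>"""

TROJAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.coinpirates">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Coin Pirates">
    <activity android:name=".GameActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AlarmReceiver"/>
    <receiver android:name=".SMSReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MonitorService"/>
  </application>
</manifest>"""


def manifest_profile(xml_text):
    """Extract declared permissions, receivers (with their actions) and services."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(NAME) for p in root.iter("uses-permission")}
    receivers = {}
    for r in root.iter("receiver"):
        # A receiver with no intent-filter yields an empty action set.
        receivers[r.get(NAME)] = {a.get(NAME) for a in r.iter("action")}
    services = {s.get(NAME) for s in root.iter("service")}
    return {"permissions": permissions, "receivers": receivers, "services": services}


def diff_profiles(legit, suspect):
    """Report what the suspect build declares that the legitimate build does not."""
    added_permissions = suspect["permissions"] - legit["permissions"]
    added_receivers = {
        name: actions
        for name, actions in suspect["receivers"].items()
        if name not in legit["receivers"]
    }
    added_services = suspect["services"] - legit["services"]

    flags = []
    sms_perms = added_permissions & SMS_PERMISSIONS
    if sms_perms:
        flags.append("new SMS/boot permissions: " + ", ".join(sorted(sms_perms)))
    for name, actions in sorted(added_receivers.items()):
        hit = actions & SUSPICIOUS_ACTIONS
        if hit:
            flags.append(f"new receiver {name} on " + ", ".join(sorted(hit)))
    return {
        "added_permissions": added_permissions,
        "added_receivers": added_receivers,
        "added_services": added_services,
        "flags": flags,
    }


if __name__ == "__main__":
    report = diff_profiles(manifest_profile(LEGIT_MANIFEST),
                           manifest_profile(TROJAN_MANIFEST))
    for line in report["flags"]:
        print("FLAG:", line)
    print("added services:", sorted(report["added_services"]))
```

Run it against manifests pulled from the two APKs (for example with apktool) to get the same comparison on real samples; a clean repackage of the same game should produce no flags at all.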
Once the receivers are installed, ANDROIDOS_PIRATES.A collects the following information from the affected device and sends it to the malicious server:
An analysis of the code suggested that if the server replies to the device with the string “sendsms,” ANDROIDOS_PIRATES.A will send an SMS message containing the phone’s IMEI and device model to any of the following numbers:
“Note that the aforementioned numbers are not premium numbers. Searching the Internet also shows that these numbers were possibly used by other/older malware,” Trend Micro said.
SMS monitoring and sending
Trend Micro said that the malware connects to its server to download data that populates a database it has created on the affected device.
The database contains a table called “blogconfig” with four fields: BlogType, KeyWords, Charging, and IsConfirm.
Other capabilities of the malware include sending SMS messages to a certain number and adding a bookmark to the device’s browser, with the content of the SMS message and the bookmark URL both depending on the server’s response.
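The blogconfig table and the keyword-based filter described above (as opposed to the sender-number filter used by older SMS-stealing malware) are worth seeing side by side. The script below is an added example, not code from Trend Micro or from the malware: it rebuilds a blogconfig table in an in-memory SQLite database from constructed rows, applies a server-style update to the KeyWords entries, and then shows which constructed SMS messages a keyword filter would match that a sender-number filter would miss. The report does not document the meaning of Charging and IsConfirm or the format of KeyWords, so treating KeyWords as a comma-separated list and storing the other two fields without interpreting them are assumptions made here for the demonstration.

```python
"""Reconstruct a keyword-based SMS filter table and compare it with a
sender-number filter over constructed sample messages."""
import sqlite3

# Constructed rows for the blogconfig table (BlogType, KeyWords, Charging,
# IsConfirm). Only KeyWords is interpreted; the other fields are kept as-is.
INITIAL_CONFIG = [
    ("premium", "subscription confirmed,monthly fee", "1", 1),
    ("premium", "reply Y to confirm", "1", 1),
]

# A later update of the kind the report says the malware author can push:
# the KeyWords list grows to cover a new class of messages.
SERVER_UPDATE = INITIAL_CONFIG + [
    ("bank", "verification code", "0", 0),
]

# Constructed incoming messages (sender, body). 10086 stands in for a
# carrier/premium service number; the others are ordinary senders.
SAMPLE_SMS = [
    ("10086", "Your subscription confirmed. A monthly fee of 5 yuan applies."),
    ("+8613800000000", "See you at the station tonight?"),
    ("12345", "Your verification code is 229104. Do not share it."),
    ("10086", "Welcome to the network. Dial 10086 for service."),
]

# What an older, number-based filter would look at: only the sender.
OLD_STYLE_NUMBER_FILTER = {"10086"}


def load_config(rows):
    """Create the blogconfig table in memory and fill it with the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blogconfig "
        "(BlogType TEXT, KeyWords TEXT, Charging TEXT, IsConfirm INTEGER)"
    )
    conn.executemany("INSERT INTO blogconfig VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def apply_server_update(conn, rows):
    """Replace the whole table, mirroring a config pushed from the server."""
    conn.execute("DELETE FROM blogconfig")
    conn.executemany("INSERT INTO blogconfig VALUES (?, ?, ?, ?)", rows)
    conn.commit()


def keywords(conn):
    """Yield (BlogType, keyword) pairs, splitting KeyWords on commas."""
    for blog_type, kw_field in conn.execute("SELECT BlogType, KeyWords FROM blogconfig"):
        for kw in kw_field.split(","):
            kw = kw.strip()
            if kw:
                yield blog_type, kw


def matching_rules(conn, body):
    """Return the (BlogType, keyword) rules whose keyword occurs in the body."""
    body_l = body.lower()
    return [(bt, kw) for bt, kw in keywords(conn) if kw.lower() in body_l]


def classify(conn, messages):
    """For each message report whether a keyword filter and a sender-number
    filter would each select it for interception."""
    results = []
    for sender, body in messages:
        results.append({
            "sender": sender,
            "keyword_hit": bool(matching_rules(conn, body)),
            "number_hit": sender in OLD_STYLE_NUMBER_FILTER,
        })
    return results


if __name__ == "__main__":
    conn = load_config(INITIAL_CONFIG)
    apply_server_update(conn, SERVER_UPDATE)
    for r in classify(conn, SAMPLE_SMS):
        print(f"{r['sender']:>16}  keyword={r['keyword_hit']!s:5}  number={r['number_hit']}")
```

The third message is the interesting one: it comes from a sender the number filter does not know, yet the body filter selects it once the server has added the “verification code” rule, while the fourth message, from a listed number but with a neutral body, is left alone. That is the “more targeted approach” the report refers to, and it is why an analyst should dump the current contents of the table rather than rely on a fixed list of numbers when assessing what an infected device has been hiding.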
Removing the malware
Users can check whether they are affected by going to Settings > Applications > Running Services and looking for a service named MonitorService.
Infected users can also remove the malware manually by going to Settings > Applications > Manage Applications and uninstalling the malicious app. — TJD, GMA News