According to a report by AegisLab, Android Market has been hit by another malware incident, with a number of SMS-sending Trojans published by unknown attackers. The incident was not as serious as the one in March when over 50 apps were affected by the Droid Dream malware, although any attack affecting Android Market should be regarded as very serious.
The latest batch of malicious applications is purported to be developed by a legitimate Android developer, Zsone. However, the legitimate applications from the same developer carry a version number different from that of the malicious versions.
When one of the malicious applications is installed on the device, an SMS message is sent to one of a range of premium-rate numbers; which number is used depends on the application. The attack targets mobile devices in China, since the SMS subscription service numbers used are only available from Chinese mobile network providers.
Sophos has received several applications with the SMS sending functionality, including iCalendar, iMine and iMatch. The malicious versions of the applications I have seen come with the version number 1.1.0.
The most interesting characteristic of the latest set of Trojanized applications is that a BroadcastReceiver registered for incoming SMS (the android.provider.Telephony.SMS_RECEIVED action) is used to inspect every new SMS message that arrives on the device.
If an incoming message comes from the number that was previously used to subscribe the phone to the service, the receiver calls abortBroadcast() on it. SMS_RECEIVED is an ordered broadcast, delivered to receivers in descending priority order, so a receiver that registered with a high enough priority sees the message before the messaging application does, and aborting the broadcast can prevent every receiver after it, including other SMS applications, from ever processing the message.
The obvious intention of the code is to hide the confirmation and billing messages from the subscription service, so that the user does not notice that money is being drained from their account.
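As a worked example of the check an analyst would run against such a sample (added here; it is not the Zsone code or anything from the original post), the script below parses an AndroidManifest.xml and flags the combination that makes the hiding trick possible: SEND_SMS together with a receiver for SMS_RECEIVED registered at an elevated priority. Both manifests embedded in it are constructed for the example; the package names, the receiver name and the priority value are assumptions, not values taken from the malicious applications.

```python
"""Static triage of an AndroidManifest.xml for the SMS-Trojan pattern
discussed above. Both manifests at the bottom are constructed samples for
this example, not extracted from the Zsone applications."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"


def _android_attr(element, name):
    # Manifest attributes live in the android: namespace, so a plain
    # element.get("priority") would return None.
    return element.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return a dict describing the SMS capabilities declared in the manifest.

    SMS_RECEIVED is an ordered broadcast: receivers run in descending
    android:priority order and any of them may call abortBroadcast() to stop
    delivery to the receivers after it. A receiver declaring a higher
    priority than the messaging app can therefore see, and suppress, every
    incoming message.
    """
    root = ET.fromstring(xml_text)
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _android_attr(flt, "priority")
            # android:priority defaults to 0 when the attribute is absent.
            priority = int(raw) if raw is not None else 0
            sms_receivers.append((_android_attr(receiver, "name"), priority))

    max_priority = max((p for _, p in sms_receivers), default=None)
    can_send = SEND_SMS in perms
    can_receive = RECEIVE_SMS in perms and bool(sms_receivers)

    if can_send and can_receive and max_priority > 0:
        verdict = "suspicious: sends SMS and intercepts replies ahead of other receivers"
    elif can_send:
        verdict = "review: sends SMS"
    elif can_receive:
        verdict = "review: receives SMS"
    else:
        verdict = "no SMS capability declared"

    return {
        "send_sms": can_send,
        "receive_sms": can_receive,
        "sms_receivers": sms_receivers,
        "max_priority": max_priority,
        "verdict": verdict,
    }


# Constructed manifest showing the pattern described in the post
# (package, receiver name and priority are hypothetical).
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.icalendar">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="iCalendar">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an app with no SMS capability, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calendar">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Calendar">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("trojan", TROJAN_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyze_manifest(manifest))
```

The check is deliberately coarse: a legitimate messaging app also declares RECEIVE_SMS and a prioritised SMS_RECEIVED receiver, so the verdict is a triage hint that tells you where to look in the decompiled code (for abortBroadcast() calls keyed on a sender number), not a detection on its own.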
The latest Android incident shows that an application installed directly from the official Android Market can still be malware.
In an ideal world, Android apps would not be allowed to be self-signed; only keys certified by trusted authorities would be accepted. Although this measure would not prevent malicious applications, it would help with tracing the originators of rogue apps.
Having two classes of applications, those signed with certified keys and those that are self-signed, would allow the Android OS developers to limit the capabilities available to self-signed applications. For example, self-signed apps should not be able to send SMS messages. Perhaps this measure would not be a silver bullet, but it would certainly be a welcome sign that Google is taking Android security more seriously.
Sophos products are detecting malicious SMS sending Android applications as Andr/AdSMS.