Android “Heart App” virus spreads quickly, author arrested within 17 hours

Thanks to Nagy Ferenc László and Xiaochuan Zhang of SophosLabs for the behind-the-scenes effort they put into this article.

SophosLabs has been following an interesting Android malware story over the past week.

The malware goes by the name XX神器 (XXshenqi) in Chinese, or the Heart App, as it calls itself in English.

In theory, the implication seems to be that you can use the app, which you receive as an SMS invitation from one of your friends, to organise a romantic hook-up.

In practice, however, you and your friends will just end up with SMS headaches.

As in the case of the “Look The Self-time” malware (Andr/SlfMite-A) we wrote about in June 2014, this attack involves a true virus – in other words, malware that deliberately spreads itself.

As we remarked back in June, viruses are rare these days, with most malware distributed in emails generated directly by the cybercrooks, either as attachments or as clickable links, rather than by the malware itself.

Spamming out malware has the advantage that the crooks can quickly target millions of potential victims, all of whom might end up infected in one shot, during the very first wave of the attack.

→ Recent SophosLabs experiments suggest that a commonly-sized botnet of 10,000 computers can deliver more than 50 billion spams per week.

In contrast, a virus that spreads by forwarding itself only to people already in your address book (or on your phone number list, or nearby on your network) will start small and either build up a head of steam, or fizzle out.

The infamous Ikee iPhone virus of 2009, still the only known iOS virus that has spread in the wild, was, fortunately, one of the fizzlers.

It spread by means of SSH connections only between jailbroken iDevices, which limited its community of potential victims.

In contrast, this new Android virus was a head-of-steamer.

The virus, dubbed Andr/SmsSend-FA by Sophos products, spreads by SMSing a download link to your first 99 contacts.

So, even a few initial infections can quickly generate a large amount of traffic, which is exactly what seems to have happened.

According to a news report out of China, local mobile telephone operators claim to have blocked over 20 million messages already, with “at least 100,000 phones infected.”

How the virus arrives

With Google Play not officially available in China, alternative Android markets have flourished, and, by all accounts, Chinese users are accustomed to running their Android phones with the Allow installation of apps from unknown sources option enabled.

So, if you decide to take a chance on a link from a friend that says, simply…

…then you, and 99 of your friends in turn, are heading for trouble.

What the virus looks like

The virus APK (Android Package) covers its tracks with a cute-looking splash screen that pops up as soon as you run it:

But it has already kicked off its self-spreading in the background, SMSing itself to the first 99 entries of your contact list.

Once it’s done, it “calls home” by sending a confirmation SMS to a control number, presumably one belonging to the malware author.

In the foreground, the app pops up a bogus login screen, by means of which it tries to harvest Personally Identifiable Information (PII):

Obviously, you can’t log in until you register, and if you try to do so, you will be asked to provide personal details:

If you do, you’ll be told that registration was successful; in fact, all that happened was that the data you entered was SMSed to the control number.

The secondary component

There’s another trick in the virus, because it asks you to install a secondary component (another malware package that is bundled inside the virus itself).

Controlling the secondary install via malware that is already running means the malware author can make this secondary component trickier to remove later – for example, it doesn’t show up on the regular Apps page.

Here’s how the trick works.

When you launch the virus for the first time, while the phony login screen is displayed, you will see a popup stating that a “resource pack” is needed:

If you agree to install this sub-application, you will end up with an app called com.android.Trogoogle as well as XXshenqi, but the Trogoogle part will not appear on the Apps page.

The Trogoogle app starts up a service called TroListenService (we’re assuming the prefix Tro is a not-so-subtle hint that this is a Trojan Horse) that reads your incoming SMSes.

When it receives a message from the control number, it treats it as a command, making this malware into a bot or zombie:

  • readmessage: steals all your SMSes from Inbox and Sent via email.
  • sendmessage: sends an SMS from your phone.
  • test: sends a test SMS and restarts the malware.
  • makemessage: inserts a fake SMS into your Inbox.
  • sendlink: steals your list of contacts via email.
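Two detections a message-gateway operator could run over SMS records, covering both the mass-SMS to the first 99 contacts and the command channel listed above. This is an added example, not SophosLabs code: the log lines, phone numbers, control number and message body are all constructed, and the 20-recipient threshold and 10-minute window are assumed tuning values.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Commands the TroListenService accepts from the control number, per the list above.
BOT_COMMANDS = {"readmessage", "sendmessage", "test", "makemessage", "sendlink"}
CONTROL_NUMBER = "+8613800009999"  # constructed stand-in for the real control number

# Constructed gateway records (not real traffic): timestamp,direction,sender,recipient,body
SAMPLE_LOG = "\n".join(
    [f"2014-08-02T10:00:{i:02d},out,+8613800000001,+86138000001{i:02d},"
     f"Check this out http://example.invalid/XXshenqi.apk" for i in range(25)]
    + [
        "2014-08-02T10:30:00,out,+8613800000001,+8613800000199,see you at 8",
        "2014-08-02T10:40:00,in,+8613800009999,+8613800000001,readmessage",
        "2014-08-02T10:41:00,in,+8613800000555,+8613800000001,test",  # not the control number
    ]
)

def parse_log(text):
    rows = []
    for ts, direction, sender, rcpt, body in csv.reader(StringIO(text)):
        rows.append((datetime.fromisoformat(ts), direction, sender, rcpt, body))
    return rows

def find_fanout(rows, min_recipients=20, window=timedelta(minutes=10)):
    """Flag a sender that pushed one identical body to many distinct recipients
    inside one time window: the worm's burst to the first 99 contacts."""
    by_key = defaultdict(list)
    for ts, direction, sender, rcpt, body in rows:
        if direction == "out":
            by_key[(sender, body.strip().lower())].append((ts, rcpt))
    hits = []
    for (sender, body), sends in by_key.items():
        sends.sort()
        first = sends[0][0]
        rcpts = {r for ts, r in sends if ts - first <= window}
        if len(rcpts) >= min_recipients:
            hits.append((sender, len(rcpts), body))
    return hits

def find_commands(rows, control_number):
    """Inbound SMS from the control number whose body is a known bot command."""
    return [(rcpt, body) for ts, d, sender, rcpt, body in rows
            if d == "in" and sender == control_number and body.strip().lower() in BOT_COMMANDS]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(find_fanout(rows), find_commands(rows, CONTROL_NUMBER))
```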

Alleged author identified

In an interesting parallel with the Ikee worm case, the alleged author of the “Heart App” malware was quickly tracked down.

In the Ikee case, Naked Security identified the author by following fairly obvious clues in the code, tracing him to Wollongong in New South Wales, Australia.

Because his virus fizzled out, the police decided not to charge him; indeed, his notoriety even landed him a job as a mobile phone developer.

But things aren’t looking so rosy for the “Heart App” author, who was arrested by police in Shenzhen.

He hasn’t yet been named, apparently because the investigation is ongoing, so he’s identified only as “Li,” a 19-year-old software engineering student.

It seems that he went to Shenzhen on his summer vacation to visit friends, got bored, and wrote the malware pretty much to prove his worth as a coder.

But he wasn’t much of a cybercrook, getting busted just 17 hours after his virus was first spotted in the wild.

Removing the “Heart App” virus

Uninstalling the XXshenqi app alone from the Apps screen is not enough:

That will leave behind the SMS- and contact-stealing Trogoogle component.

Instead, head to Settings | Apps | Downloaded and uninstall both parts of the malware from there.

Tap on each app in turn to bring up its App info page, from which you can use the Uninstall button to dispose of both components:

For further information

Why not:
