This week, the AVG Mobilation™ research team found new malware named ‘Crazy vampire’ in China.

The application is a maliciously modified version of a calendar application in which the developer added malicious code and changed the name, icon, signature and UI.

The aim of the malware is to target Chinese users and get them to upgrade to the Premium service of the infected application.

Appearance of the application:

When the user installs the application they see the following icon:


And this is how it looks when opening the application:


The calendar application promises to help the user ensure everything is all right.

Another example of the user interface of the application:

Added functionality:
Below you can see the differences between the original legitimate application and the modified malicious application.

On the left you can see the ‘Crazy vampire’. On the right you can see the ‘normal’ calendar:


The author of the malware added two pieces of malicious code:
1) DownManager (new service)
2) RegReceiver (new SMS receiver)


Permissions:
Below you can see the new permissions added (marked in red) by the author of the malware:

<uses-permission android:name="android.permission.GET_TASKS" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.VIBRATE" />
<uses-permission android:name="android.permission.READ_LOGS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
<uses-permission android:name="android.permission.USE_CREDENTIALS" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.RESTART_PACKAGES" />
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.WRITE_SMS" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />

Those permissions are needed for the added malicious functionality, such as sending SMS messages to premium-rate service numbers.

This is what the user sees when they install the malicious application:


More technical details of the DownManager:
After the malicious service of the application starts, it tries to obtain the user’s location by GPS and also the network operator.
Here you can see where it tries to match the network operators used by the device:


Later, in the background, if the GPS lookup did not succeed, it will try to determine the user’s location via the Google Maps API.

Then it will try to connect to the C&C server to get a command, and parse the command details while parsing a configuration file.

Here is an example taken from the code of the C&C server address:

And details on the checking of the Service Provider number, service code, network operators and region:

And:

It will then send an SMS message to the Service Provider in the background.

More technical details of the RegReceiver:
The malware will block the returned confirmation SMS from the Service Provider to avoid being detected and

Here we can see where the malware checks the content of the SMS and drops it if it comes from the mobile provider:
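As an added static-triage example (not AVG’s tooling and not code from the sample), the following Python checks a decoded AndroidManifest.xml for the permission combination listed above together with a high-priority SMS receiver of the kind RegReceiver registers. The manifest it runs on is constructed: the component names follow this post, while the package name and priority value are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME, PRIORITY = f"{{{ANDROID_NS}}}name", f"{{{ANDROID_NS}}}priority"

# Together these enable the premium-SMS scheme described above: send the
# subscription SMS, receive the reply, read the operator, reach C&C, survive reboot.
TOLL_FRAUD_PERMS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample manifest (not the real sample's); component names follow
# the post, the package name and priority value are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calendar.trojanized">
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <application>
    <service android:name=".DownManager" />
    <receiver android:name=".RegReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Flag the toll-fraud permission set combined with a high-priority SMS
    receiver. SMS_RECEIVED is an ordered broadcast, so a receiver with a high
    android:priority sees the operator's reply first and can abort it."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    interceptors = []  # (receiver name, intent-filter priority)
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                interceptors.append((rcv.get(NAME), int(flt.get(PRIORITY, "0"))))
    return {
        "toll_fraud_perms": sorted(perms & TOLL_FRAUD_PERMS),
        "sms_interceptors": interceptors,
        "suspicious": TOLL_FRAUD_PERMS <= perms
        and any(prio > 0 for _, prio in interceptors),
    }
```

A legitimate messaging app also registers for SMS_RECEIVED, so the receiver alone is not a verdict; the combination with the full permission set is what singles out this pattern.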


How to remove
AVG Mobilation™ Anti-Virus Free and Pro products provide protection against this threat.
In order for the protection to be activated, update your Android phone with our latest version.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html

How to avoid getting infected:
When installing new apps to your Android device, always look at the permissions an application requests to approve and make sure the list seems appropriate.
In addition, only download apps from application stores, sites and developers that you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.