Android malware programmed to send massive amounts of messages

August 13, 2015

The Dell SonicWALL Threats Research team received reports of an Android trojan that sends a large number of messages once it infects the victim's mobile device. Despite the number of reports and incidents involving malware in the Android ecosystem every day, there are security measures in place that help minimize the damage such malicious apps can cause. A useful security feature built into Android shines in this case, as it thwarts this trojan from executing as its authors intended.

Infection Cycle

During installation the trojan requests just a single permission:

  • SEND_SMS

Based on this permission it is easy to judge that the malicious APK might try to send SMS messages from the mobile device it infects. The code for this app easily verifies this suspicion:

Once the user opens the app after installation, we get the following screen:

Even if the user clicks the “Begin” button without providing any of the required codes, the app tries to send 9000 messages to a specific hardcoded number, 138[Removed]. But it is stopped in its tracks by an Android security feature that brings up a popup:

Google has a security feature in place for exactly this kind of app, one that might try to misuse SMS for monetary gain. If an app tries to send more than 30 messages within 30 minutes, the user sees a popup that warns about this activity and can choose to ‘allow’ or ‘deny’ the app from continuing. The malicious app that we analyzed tells the user that it will send text messages, that a popup will appear, and that they should click “Always Allow” when it does. So the app is aware of the security feature that might stop it from sending a flood of messages, and it gives the user a false sense of security by telling them “it’s okay, just allow this behavior”.
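A small model of the check described above, added here as an illustration; it is not Android's implementation or code from the analyzed sample. The class and function names and the 10 ms send interval are assumptions, while the 30-message/30-minute limit, the 9000-message flood and the package name come from this article.

```python
from collections import deque

LIMIT = 30                 # messages allowed per window (from the article)
WINDOW_SECONDS = 30 * 60   # 30 minutes (from the article)


class SmsSendMonitor:
    """Per-app sliding-window model of the SMS flood prompt (hypothetical names)."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.sent = {}             # package -> deque of send timestamps (seconds)
        self.always_allow = set()  # packages the user tapped "Always Allow" for
        self.prompts = 0           # how many times the popup was shown

    def request_send(self, package, now, ask_user):
        """Return True if the message goes out.

        ask_user(package) stands in for the popup and returns
        'allow', 'deny' or 'always_allow'.
        """
        history = self.sent.setdefault(package, deque())
        # Forget sends that have aged out of the 30-minute window.
        while history and now - history[0] >= self.window:
            history.popleft()
        # The 31st message inside the window is the first one over the limit.
        if len(history) >= self.limit and package not in self.always_allow:
            self.prompts += 1
            answer = ask_user(package)
            if answer == "deny":
                return False
            if answer == "always_allow":
                self.always_allow.add(package)
        history.append(now)
        return True


def simulate_flood(answer, total=9000, interval=0.01,
                   package="com.mycompany.mtgyapp"):
    """Replay a constructed send loop; return (messages delivered, prompts shown)."""
    monitor = SmsSendMonitor()
    delivered = sum(
        monitor.request_send(package, i * interval, lambda _pkg: answer)
        for i in range(total)
    )
    return delivered, monitor.prompts


if __name__ == "__main__":
    for choice in ("deny", "allow", "always_allow"):
        print(choice, simulate_flood(choice))
```

In this model a user who denies caps the flood at 30 messages, while a single “Always Allow” tap lets all 9000 through with no further prompts, which is why the app coaches the user toward that button.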

User reaction to this feature has been mixed. Some like it, considering it a good security feature that prevents SMS-related trojans from spiking the user's monthly usage bill. For others it can be inconvenient, as they see the popup while using SMS in a legitimate way. While there is no direct way to change the imposed limit, for rooted phones there are multiple solutions available that range from custom apps to multiple DIY techniques on popular Android forums.

There is no doubt that it's always good to have security measures in place to thwart unforeseen threats; how these measures affect usability is a matter of opinion. But it's just a bit more assuring to know that there is a safety net for times when things go wrong.

Dell SonicWALL provides protection against this threat via the following signatures:

  • GAV: AndroidOS.SMSSend.NTH (Trojan)
  • GAV: AndroidOS.SMSSend.NTH_2 (Trojan)

APK Details:

  • Package Name: com.mycompany.mtgyapp
  • MD5: 0302304134196d54d675760e620bd035