Yet another Toll Fraud malware for Android

January 11, 2013

Dell Sonicwall Threats Research Team received reports of a new Toll Fraud Android malware spreading in the wild. Toll Fraud is a process where the victim is billed for service requested by a malicious medium without the victims knowledge. This malware sends SMS messages to premium rate numbers along with device related information to the Command and Control (C&C) servers. This information is used to further spread the malware.
Over the last year there has been a steep rise in Toll Fraud malwares for Android. Recent reports and statistics have shown that such malwares have sapped millions of dollars from victims all over the world. Their primary means of spreading is through malicious apps. The victims are enticed in downloading such apps through links sent in Emails and SMS messages.

The malware requests for the following permissions during installation:

  • Internet
  • Receive_Boot_Completed
  • Read_Phone_State
  • Receive_Sms
  • Read_Contacts
  • Send_Sms
  • Write_External_Storage

Upon installation the malware is visible in the app drawer as follows:

Infection Cycle

If the user clicks on the installed app, it does not appear to do anything. But in the background the app is busy transferring all contacts on the device to the C&C along with vital device related information. The following information was seen being transferred in the first run of the app as a POST query:

  • IMEI
  • IMSI
  • Android Version
  • Contacts

Contacts on the device are sent in a Contacts.xml file. The following screenshot shows contents of the Contacts.xml file:

After the first run the following information is periodically sent to the attacker:

  • IMEI
  • IMSI
  • Time
  • Android Version

The malware expects to receive a file named Connect.php.xml which contains key information sent by the attacker. We found checks in the malwares code for the following elements:

  • Send
    • number - SMS is sent to this number
    • text - Content of the SMS sent
  • Delete
    • number - SMS sent to this number will not be stored in the message archive

Once the malware receives this file, it starts sending SMS to the numbers specified in the file which are usually Premium Rate Numbers.

The malware is capable of accepting commands from the C&C in the form of SMS messages. Commands are of the format ServerKey+Command. The server key can be seen hardcoded in the malware:

We found two commands in the code which are scanned for in every incoming SMS:

  • 001
  • 002

We sent a plain SMS followed by SMS's which had ServerKey+Command format to the malware in our labs. The messages which followed the right format cannot be seen in the inbox nor in the messages database. The message notification for such SMS is disabled using abortBroadcast().

During our analysis we observed the malware connecting to the following link:


We found the following link in the malware code:


The main source of income for this malware is through Toll Fraud. The malware also harvests potential targets from the victims contact list to whom it can spread further by sending SMS containing links to download malicious apps.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Stealer.F (Trojan)