Android/YzhcSms.A!tr

Analysis

Android/YzhcSms.A!tr targets mobile phones running Android. It has been available on the Android Market for some time, and then removed, as a chinese application for the social network, PPXiu.
The malware may still be found on unofficial markets.
In background, the malware connects to several remote web sites, download files from remote web sites, sends SMS and MMS to phone numbers, hides its activity by deleting specific SMS messages.

Technical Details

Once the malware is installed and after a system reboot or pressing the Home button, the malware starts its activity:

• it sends pending MMS if there are some. Those MMS are send by default to the phone number of a Chinese Service Provider.
• it deletes any incoming SMS which carries a body with the word 'Monthly' (in Chinese) and comes from that Service Provider.

Then, regularly, it contacts this remote web site to tell it is alive:

http://[REMOVED]love.cn:8080/Wukong/android/android.dbug.php?action=heart

It also provides as parameter to this URL:

• imei: the phone's IMEI
• mdpsw: password MD5 hash result
• version: hard coded to 101
• channe: hard coded to 101011101
• yeah: set to 1.

The remote website answers in return an XML file with the following tags:

• domreg
• reduce
• mdpassword: password MD5 hash result
• upgrade: 0 if upgrade not needed
• address
• time
• timetype
• widget: this tag describes the various icons the application will display (see Figure 1) and their expected action. The action consists of a URL to contact (possibly downloading a file), and phone numbers to send SMS to, and their text.
  There are several widgets. Example:

  1004,Chinese text,0,http://[REMOVED].51widgets.com/ss/attachments/files/URLshorter.apk,100,2011061022,10086
  



Figure 1. Home screen of PPxiu with different widgets.
The malware also sends SMS messages to a Chinese Service Provider with the body:

YZHC + IMEI + USER VALUE


It posts to remote web sites such as http://[REMOVED]love.cn:8080 various information such as:
• code: the phone's IMEI
• imsi: the victim's IMSI
• cpu: the phone's device model (Build.DEVICE)
• rom: the phone's board (Build.BOARD)
• res: screen resolution, 320X480 by default
• tel: the victim's phone number
• version: hard coded to 101
• channe: presumably a channel identifier. Hard coded to 101011101
It logs on to the PPxiu network with a default account and password (see Figure 2).

Figure 2. Default PPxiu the malware logs on to

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.