Android/MMarketPay.A!tr

Analysis

Android/MMarketPay.A!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a Weather application.
In reality, the application has background routines that simulate clicks on payment links of a well-known Chinese payment website. These purchases are then automatically confirmed by a CAPTCHA image solver.
It also has the ability to click on links with certain keywords such as "Download", "Video", etc. This might result in other applications being downloaded onto the infected phone.
It also selectively hides incoming SMS messages and can send out SMS messages depending upon specifications in a configuration file.


Details
The main application is called "Weather" (ref Fig1) and comes in the package "com.mediawoz.gotq".
The malicious part of the code is contained in a sub-package named "com.anksoft".

Fig1 : Weather application icon
The malicious part of the application is automatically started when the phone is switched on.
When launched, it changes the Network APN value, i.e. it replaces "net" with "wap" in the name. This is relevant in the case of Chinese networks, where it changes the APN from "cmnet" to "cmwap".
Then, the application sends an HTTP request to the URL

hxxp://a.10086.cn/pams2/s/s.do?p=72
On that page, the malware automatically sets the phone model field so that the server returns applications compatible with the infected phone. Consequently, the page only contains links for applications that can be downloaded onto the victim's phone.
The malware then looks for clickable links on the page and follows those links.
Then, it looks for the string
hxxp://a.10086.cn/pams2/validateProgramServlet
which corresponds to the CAPTCHA image that the user needs to solve in order to confirm the purchase.
This image is sent to the server
http://XXX.XXX.XX.195:8080/mi/mmide
where it is probably solved.
Depending upon the result received, the solution is then submitted on the original page and the "Submit" button is clicked.
The application is then provided with the download link, which it clicks to download the corresponding application onto the victim's phone.
The malware also has an activity that clicks on links containing the keywords "Download", "Video", "Watching", "Broadcast" and "Appreciation", which could result in the download of further applications.
In addition, the malware spies on incoming SMS messages on the victim's phone.
If the SMS received comes from 10086 (the number for China Mobile), it is hidden from the end user. This could be useful to hide warnings from the telecom provider about misuse of the victim's phone.
Additionally, it also has the ability to send out SMS messages from the victim's phone using data present in certain configuration files.
Permissions required by the application:
  • INTERNET
  • VIBRATE
  • MOUNT_UNMOUNT_FILESYSTEMS
  • WRITE_EXTERNAL_STORAGE
  • ACCESS_NETWORK_STATE
  • CHANGE_NETWORK_STATE
  • READ_PHONE_STATE
  • ACCESS_COARSE_LOCATION
  • ACCESS_FINE_LOCATION
  • ACCESS_MOCK_LOCATION
  • ACCESS_WIFI_STATE
  • READ_LOGS
  • RECEIVE_BOOT_COMPLETED
  • GET_TASKS
  • RECEIVE_SMS
  • SEND_SMS
  • READ_SMS
  • WRITE_SMS
  • CAMERA
  • WRITE_APN_SETTINGS
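
As an added example (not part of this page or of the malware's own code), the following Python script parses an AndroidManifest.xml and flags the capability combinations this sample relies on: APN rewriting, SMS interception, outbound SMS and boot-time autostart. The manifest excerpt is constructed to mirror the permission list above; the group names and severity thresholds are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name attribute, namespaced

# Permission groups that together characterise this sample's behaviour.
# A group is reported only when ALL of its permissions are requested.
CAPABILITY_GROUPS = {
    "apn_tampering": {"android.permission.WRITE_APN_SETTINGS",
                      "android.permission.CHANGE_NETWORK_STATE"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "boot_autostart": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def suspicious_capabilities(manifest_xml):
    """Return the capability groups fully covered by the manifest's permissions."""
    perms = manifest_permissions(manifest_xml)
    return [name for name, needed in CAPABILITY_GROUPS.items() if needed <= perms]

def classify(manifest_xml):
    """A weather app has no business rewriting APNs and reading incoming SMS."""
    hits = set(suspicious_capabilities(manifest_xml))
    if {"apn_tampering", "sms_interception"} <= hits:
        return "high"
    if hits:
        return "medium"
    return "low"

# Constructed manifest excerpt mirroring the permission list on this page.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mediawoz.gotq">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    print(suspicious_capabilities(SAMPLE_MANIFEST), classify(SAMPLE_MANIFEST))
```
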

Aimed at Chinese users
Certificate information:
  • Owner: CN=jtwang, OU=guopai, O=guopai, L=xiamen, ST=fujian, C=cn
  • Issuer: CN=jtwang, OU=guopai, O=guopai, L=xiamen, ST=fujian, C=cn
  • Serial number: 4e1e5611
  • Valid from: Thu Jul 14 04:36:01 CEST 2011 until: Mon Jul 07 04:36:01 CEST 2036

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR

Version Updates

Date Version Detail
2022-06-01 90.02827
2021-05-31 86.00580
2020-09-02 80.08000
2019-09-02 71.30600
2019-04-12 67.75300
2018-12-05 64.67700
2018-11-14 64.17300