English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Foncy is dead. Long live Mania

Denis
Kaspersky Lab Expert
Posted May 29, 08:32  GMT
Tags: Mobile Malware, Google Android
0.5
 

The story of the Foncy SMS Trojan started during the fall of 2011. This piece of malware was one of the first SMS Trojans targeting users outside Russia and China. Potential victims were from various countries in Europe, North America and Africa. In the middle of January 2012 Foncy was updated: it started to spread together with an IRC bot and a root exploit. But the end of the Foncy story was very close because in February two suspected authors of this malware were arrested in Paris: you can read the story here in French and here in English. Since then we haven’t found any new modifications of this piece of malware.

So, Foncy is dead. And what is Mania? Mania is an SMS Trojan which currently only targets users of Android from France and its code is very similar to the code of the Foncy malware. The first sample of Mania (Trojan-SMS.AndroidOS.Mania) was found approximately at the same time when the Foncy IRC bot was discovered (during the first half of January). After that new variants of Mania appeared in February, March, April and May.

We haven’t found any traces of Mania on Android Market Google Play. It seems that it is spread via file sharing web sites as popular legitimate applications such as PhoneLocator Pro, BlackList Pro, Enhanced SMS and Caller ID, CoPilot Live Europe, Settings Profiles Full, Advanced Call Blocker and Kaspersky Mobile Security.

If a user launches one of these applications it will immediately try to send seven SMS messages to the French premium rate number 84242. The text of the message differs from variant to variant, but all in all there are three of them: MANIA, TEL and QUIZ.

The Mania malware will also emulate ‘license checking’ (in French or English), pretending to be a legitimate application:

With the help of the postDelayed method in the Handler public class, the malware will show a ‘license check failure’ after 90 seconds:

All malicious actions above are contained in the {application name}Acitivity.class file. But there is also a Machine.class file which contains functionality that is absolutely the same as it was in the SMSReceiver.class file in the Foncy Trojan: sending an SMS message to a French cell phone number with the text taken from a reply from the premium rate number 84242. We were able to find four different cell phone numbers (+336********).

The Mania Trojan is definitely related to Foncy. It is possible that it was created by the same authors. But they must have sold (or given) the code to other cybercriminal(s) because according to our data, Trojan-SMS.AndroidOS.Mania is still active.

Here’s the list of known malicious MD5s:

  • 039be4f296612be92a2f8592478459af
  • 15049a1be88207e9a97f6b2c9fe3519e
  • 17e1d38aecbaf139741ad9d714abc902
  • 7b18e639ff099a3f0f30200894f248ad
  • d15ac5dadbdc862f4e9f5ce2875ba91e
  • d76fff3bbf20445b9a2615585db4cceb
  • e9c426d0d8525e3e7f07edc12c0a0397
  • 8855f44ab53724cf212894a5dbe7e004

Comments

If you would like to comment on this article you must first
login


Bookmark and Share
Share

Analysis

Blog