Analysis of com.zqb.skater and Dropper/SMS behaviors


— Trustlook Research Team

Package name: com.zqb.skater

md5: fbf041055829b571816af52761fcf23c

Chinese name: 我的滑板鞋


The app appears to be a normal game after installation, and users can buy virtual products in the game. However, in the background it collects information such as the IMEI, device ID and SMS messages.

[Screenshot: 2016-05-24 at 7.10.04 PM]

It is common for apps to send premium SMS to a specific company: users buy virtual products to play the game more easily. But this app drops another app that sends the SMS without any user interaction. The aggregator and wireless provider then send a message to the user to confirm the order. The app can block that message and confirm the charge itself. In this way the user is charged silently and the malware developer makes money.

Details:

  1. The app registers SMS read, receive and send permissions in AndroidManifest.xml.

  [Screenshot: 2016-05-24 at 7.11.16 PM]

It also registers a broadcast receiver for incoming SMS and other intents with the highest priority, so it is handled before the default messaging app.

[Screenshot: 2016-05-24 at 7.13.57 PM]

For example, the SSLaunchReceiver shown below holds many privileges, including receiving SMS.

[Screenshot: 2016-05-24 at 7.16.01 PM]
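The manifest pattern described in this step (SMS permissions combined with an SMS_RECEIVED receiver at maximum priority) is easy to check for statically. The script below is an added example, not Trustlook's tooling: it parses a decoded AndroidManifest.xml and flags the combination. The two manifests embedded in it are constructed samples that imitate what the report describes; the permission and action strings are standard Android identifiers, the package name and receiver name are the ones from the report, and the priority threshold is an assumed heuristic.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception
pattern: SMS permissions plus a high-priority SMS_RECEIVED receiver.

Added example (not from the report). The manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Assumed heuristic: anything at or above 999 is trying to beat the default
# messaging app (Integer.MAX_VALUE = 2147483647 is the usual choice).
HIGH_PRIORITY = 999

# Constructed sample imitating the behaviour described in the analysis.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.zqb.skater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="skater">
    <receiver android:name=".SSLaunchReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: no SMS permissions, no SMS receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="benign">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return the SMS permissions, SMS receivers and an overall verdict."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            raw = _attr(flt, "priority")
            # apktool may emit decimal or hex; int(x, 0) accepts both.
            priority = int(raw, 0) if raw is not None else 0
            sms_receivers.append({
                "receiver": _attr(recv, "name"),
                "priority": priority,
                "actions": sorted(actions),
            })

    high = [r for r in sms_receivers if r["priority"] >= HIGH_PRIORITY]
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "high_priority_sms_receivers": high,
        # Both conditions together are the interception pattern.
        "flagged": bool(sms_perms) and bool(high),
    }


if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(text))
```

On a real sample, feed it the manifest produced by `apktool d` and review the receivers it lists; the receiver name and permission set are what you would compare against the screenshots above.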

  2. The app then downloads a new apk which can send SMS and block the broadcast from being propagated, so the app can receive and intercept the reply SMS.

[Screenshot: 2016-05-24 at 7.17.15 PM]



The apk will be saved at “/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/”. The name is com.lyhtgh.pay.ltplugin.apk.
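The dropped plugin path is a concrete artifact an incident responder can look for on a device or in an extracted copy of its external storage. The script below is an added example, not Trustlook's tooling: it walks a storage tree for APKs stored under any package's plugins/ directory, hashes them, and marks the exact path named above as a known indicator. The directory tree it scans is constructed in a temporary folder with stand-in file contents; the only hash in its known-bad list is the md5 of the host app given at the top of the report, so the constructed plugin file is expected not to match it.

```python
"""Triage an external-storage tree for the dropped plugin APK described in
the report (Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk)
and for any other APK a package has stashed under its own plugins/ folder.

Added example, not from the report. The sample tree is constructed.
"""
import hashlib
import os
import tempfile

# Indicators taken from the report.
DROPPED_PKG = "com.lyhtgh.pay"
DROPPED_APK = "com.lyhtgh.pay.ltplugin.apk"
KNOWN_BAD_MD5 = {
    # md5 of the host app com.zqb.skater, as given in the report
    "fbf041055829b571816af52761fcf23c": "com.zqb.skater host app",
}


def file_hashes(path):
    """Return (md5, sha256) of a file, streamed in 64 KiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_external_storage(root):
    """Report every APK under <root>/Android/data/<pkg>/plugins/."""
    findings = []
    data_dir = os.path.join(root, "Android", "data")
    if not os.path.isdir(data_dir):
        return findings
    for pkg in sorted(os.listdir(data_dir)):
        plugins = os.path.join(data_dir, pkg, "plugins")
        if not os.path.isdir(plugins):
            continue
        for name in sorted(os.listdir(plugins)):
            path = os.path.join(plugins, name)
            if not (os.path.isfile(path) and name.lower().endswith(".apk")):
                continue
            md5, sha256 = file_hashes(path)
            findings.append({
                "package": pkg,
                "file": name,
                "md5": md5,
                "sha256": sha256,
                # Path-based indicator from the report.
                "known_path_ioc": pkg == DROPPED_PKG and name == DROPPED_APK,
                # Hash-based indicator; None when the hash is not on the list.
                "known_hash_ioc": KNOWN_BAD_MD5.get(md5),
            })
    return findings


def build_sample_tree(root):
    """Constructed sample: the dropped plugin path plus an unrelated package."""
    plugin_dir = os.path.join(root, "Android", "data", DROPPED_PKG, "plugins")
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, DROPPED_APK), "wb") as fh:
        fh.write(b"abc")  # stand-in bytes, not the real plugin
    other = os.path.join(root, "Android", "data", "com.example.benign", "cache")
    os.makedirs(other)
    with open(os.path.join(other, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see")


def demo():
    """Build the constructed tree and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_external_storage(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against a real device, point `scan_external_storage` at a pulled copy of `/storage/emulated/0` (for example from `adb pull`) and add the plugin's own hash to `KNOWN_BAD_MD5` once you have it; the report gives only the host app's hash.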

The figures below show the logic to send and block SMS.

Send SMS:

[Screenshot: 2016-05-24 at 7.18.16 PM]

Receive and Block SMS:

[Screenshot: 2016-05-24 at 7.19.19 PM]

  3. As shown in the last figure, the app receives a broadcast of “receive_revert_sms_action_internal” and then sends a message to the host app. When this broadcast is received, it handles the SMS, whose content is stored in a tmp file inside Android.

[Screenshot: 2016-05-24 at 7.20.12 PM]
