— Trustlook Research Team
Package name: com.zqb.skater
Chinese name: 我的滑板鞋
The app appears to be a normal game after installation. Users can buy virtual products in the game. However, in the background it collects information such as the IMEI, device ID and SMS messages.
It is common for apps to send premium SMS to a specific company: users buy virtual products to make the game easier to play. This app, however, drops another app that sends SMS without any user interaction. The aggregator and wireless provider then send the user a message to confirm the order; the app blocks that message and confirms the charge itself. In this way the user is charged silently and the malware developer makes money.
- The app registers SMS read, receive and send permissions in AndroidManifest.xml. It also registers a broadcast receiver for incoming SMS and other intents with the highest priority. For example, the SSLaunchReceiver shown below has many privileges, including receiving SMS.
- The app then downloads a new APK that can send SMS and abort the SMS broadcast so it is not propagated to other receivers, which lets the app receive and intercept the reply SMS. The APK is saved at “/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/” under the name com.lyhtgh.pay.ltplugin.apk.
The figures below show the logic to send and block SMS.
Receive and Block SMS:
- As shown in the last figure, the app receives the “receive_revert_sms_action_internal” broadcast and then sends a message to the host app. When this broadcast is received, it handles the SMS, whose content is stored in a temporary file inside Android.
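The manifest pattern described above (SMS permissions combined with a top-priority receiver for incoming SMS) is a cheap static triage signal. The following is an added example, not Trustlook's tooling: it assumes a decoded text AndroidManifest.xml (e.g. from apktool) and flags that combination. The sample manifest is constructed for illustration using names from this post; the priority threshold is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Assumed heuristic: a receiver at or above this priority is positioned to
# see an incoming SMS before the stock messaging app and abort the broadcast.
HIGH_PRIORITY = 1000


def triage_manifest(manifest_xml: str) -> dict:
    """Return SMS permissions, SMS_RECEIVED receivers and a suspicion verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)
    receivers = []
    for recv in root.iter("receiver"):
        for intent_filter in recv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in intent_filter.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = int(intent_filter.get(ANDROID_NS + "priority", "0"))
                receivers.append({"name": recv.get(ANDROID_NS + "name"), "priority": priority})
    # Both halves are needed: permissions alone are common in legitimate apps,
    # and a high-priority receiver without RECEIVE_SMS never gets the broadcast.
    suspicious = bool(sms_perms) and any(r["priority"] >= HIGH_PRIORITY for r in receivers)
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        "suspicious": suspicious,
    }


# Constructed sample manifest mirroring the registration described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.zqb.skater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SSLaunchReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```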