Backdoor enters stealth mode after installation, reads and sends SMS

Aug 6, 2014 21:23 GMT

The Chinese Valentine’s Day was on August 2 this year and it was the perfect opportunity for cybercriminals to conduct nefarious activities, as they delivered an SMS worm for Android that spread faster than love, affecting a total of 500,000 devices in about six hours.

Security researchers analyzing a sample observed that the malware contained two modules, one for distributing the threat (XXshenqi.apk) and another for performing the malicious activity (Trogoogle.apk).

Propagation is carried out through short text messages carrying a link to the malicious download, sent to the victim's entire contact list, Vigi Zhang from Kaspersky says.
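The propagation pattern described above (one device sending the same link-bearing text to its whole contact list in a short time) is something a carrier or mobile-device-management team can look for in outbound SMS logs. The following detection heuristic is an added example, not code from Kaspersky or from the article; the log format, the field names and the sample lines are all constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag SMS-worm-style propagation in outbound SMS logs.

Heuristic: one device sends an identical message body containing a URL to many
distinct recipients within a short time window. A bulk greeting without a link
is not flagged, which is what separates a worm from holiday well-wishing.
The log format is hypothetical; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line format: "<iso-timestamp> device=<id> to=<number> body="<text>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) device=(?P<device>\S+) to=(?P<to>\S+) body="(?P<body>.*)"$'
)
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)

# Constructed sample: phone-A mass-sends a download link (worm-like),
# phone-B mass-sends a plain greeting (benign), phone-C chats normally.
SAMPLE_LOG = "\n".join(
    [f'2014-08-02T10:00:{i:02d} device=phone-A to=+861380000{i:04d} '
     f'body="Happy Valentine! http://download.example.invalid/XXshenqi.apk"'
     for i in range(12)]
    + [f'2014-08-02T10:05:{i:02d} device=phone-B to=+861390000{i:04d} '
       f'body="Happy Qixi, my friend!"' for i in range(15)]
    + ['2014-08-02T10:07:00 device=phone-C to=+8613700001111 body="Dinner at 7?"',
       '2014-08-02T10:09:00 device=phone-C to=+8613700002222 '
       'body="See http://example.invalid/menu"']
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "device": m["device"],
        "to": m["to"],
        "body": m["body"],
    }


def find_propagation_bursts(log_text, window=timedelta(minutes=10), min_recipients=10):
    """Return {(device, body): max distinct recipients in any window} for
    link-carrying messages that hit the recipient threshold."""
    events = defaultdict(list)  # (device, body) -> [(ts, recipient)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not URL_RE.search(rec["body"]):
            continue  # only link-carrying texts can spread a download
        events[(rec["device"], rec["body"])].append((rec["ts"], rec["to"]))

    hits = {}
    for key, sends in events.items():
        sends.sort()
        # Sliding window over time-ordered sends, counting distinct recipients.
        for i, (start, _) in enumerate(sends):
            recipients = {to for ts, to in sends[i:] if ts - start <= window}
            if len(recipients) >= min_recipients:
                hits[key] = max(hits.get(key, 0), len(recipients))
    return hits


if __name__ == "__main__":
    for (device, body), count in find_propagation_bursts(SAMPLE_LOG).items():
        print(f"ALERT {device}: {count} recipients got {body!r}")
```

Running the block flags only phone-A; phone-B's fifteen greetings carry no link and phone-C's single link goes to one contact. In practice the alert should feed a block on the download URL and a check of the sending device for a newly installed package rather than an automatic kill of the user's messaging.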

Once on the device, the malware, detected as Trojan.AndroidOS.Xshqi.a by Kaspersky products, drops a backdoor that collects the user's personal ID and name and sends them to a command and control server.

The backdoor is identified as Backdoor.AndroidOS.Trogle.a by the products of the security company, and it has been crafted to work stealthily on the mobile device by hiding its icon after installation; as such, many users may not be aware of its presence.

Among the commands it can execute when instructed by the command and control server are reading and sending text messages. Zhang notes the malware can also forward the intercepted texts to its operator, either by email or by SMS.

The attack seems to have been premeditated by the threat actors in order to make the most of the campaign, since users are likely to be less vigilant on special occasions. Also contributing to the success of the campaign is the fact that the malware download is received from a known contact.