Mar 10, 2011 13:47 GMT

Chinese hackers are distributing a mobile trojan to users as a repackaged version of the Android Market security update released by Google last week.

Repackaging legit Android apps with trojans is becoming a common propagation method for mobile malware targeting Google's operating system.

The trend began in Russia, where the motivation behind the malicious programs was to steal credit by silently sending text messages to premium rate numbers.

Then it moved to China where more sophisticated Android malware variants were caught performing click fraud or displaying botnet-like capabilities.

The problem reached a global audience when over 50 apps were rigged with a trojan and published on the Android Market under different names.

Google took them down last week shortly after being notified and used the remote uninstall feature to remove the trojan from infected devices.

However, the malware also used a public exploit to root the device before installing itself, so the company also pushed an over-the-air update called "Android Market Security Tool" to undo it.

Security researchers from F-Secure and Symantec now warn that Chinese hackers have ironically repackaged this security tool with a new trojan dubbed Android.Bgserv.

Like most Android malware, Bgserv sends device identification codes (IMEI) to a remote server and can receive commands.

According to Symantec, it can be ordered to send SMS messages to a number specified by attackers, which means it can theoretically be used to steal credit.

"Analysis of the application is still ongoing, however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License," the Symantec experts write.

The trojanized app is distributed from unregulated marketplaces, which are common in China, where there is no official Android Market.

"This malware appears to be specific to a mainland Chinese network, as it contacts the number 10086 (related to China Mobile Net) and uses the new APN with the name 'cmnet' inserted in the APN list," note security researchers from F-Secure.