Just when we were starting to think that there is nothing new under the Android malware sun, we get a small but quite interesting surprise: an Android malware that connects to SMTP servers to send e-mail.
Other than the SMTP usage, the malware is pretty vanilla. Upon installation, the application asks the user to activate it as a device administrator so that it stays persistent on the device and is harder to uninstall. The threat does not add an icon to the application menu; the user would need to check the Application Manager to find out that there is an app masquerading as "Google Service".
After installation, the application collects sensitive user information such as the phone number, incoming and outgoing SMS messages, and recorded audio, and sends it to an e-mail address under the attacker's control. To deliver the stolen data it makes use of SMTP servers, specifically smtp.gmail.com, smtp.163.com and smtp.126.com. I smell something very China-ish here…
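Because the data leaves the device over ordinary SMTP, the most reliable place to catch this family is on the network rather than in the app list. The following is an added example, not code from the original post or from the malware: a small Python detector that takes per-app connection records and flags SMTP traffic (ports 25, 465, 587) from any app that is not a known mail client, treating the three servers named above as known exfiltration endpoints. The log format, the timestamps, the package names and the allow-list of legitimate mail clients are all assumptions constructed for this example.

```python
"""Flag SMTP connections from Android apps that are not known mail clients.

The log format ('<timestamp> <package> <dst_host>:<dst_port>'), the sample
records and the package names below are CONSTRUCTED for this example; only
the three SMTP hosts come from the post.
"""
from dataclasses import dataclass
from typing import List, Tuple

SMTP_PORTS = {25, 465, 587}  # SMTP, SMTPS (implicit TLS), submission
# Mail servers the post names as the malware's delivery points.
EXFIL_HOSTS = {"smtp.gmail.com", "smtp.163.com", "smtp.126.com"}
# Hypothetical allow-list: apps on the device expected to speak SMTP.
KNOWN_MAIL_APPS = {"com.google.android.gm", "com.android.email"}


@dataclass(frozen=True)
class Conn:
    ts: str
    package: str
    dst_host: str
    dst_port: int


def parse_line(line: str) -> Conn:
    """Parse one constructed log record; raises ValueError if malformed."""
    ts, package, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return Conn(ts, package, host.lower(), int(port))


def classify(conn: Conn) -> str:
    """Return an alert reason for a suspicious connection, or '' if benign."""
    if conn.dst_port not in SMTP_PORTS:
        return ""
    if conn.package in KNOWN_MAIL_APPS:
        return ""
    if conn.dst_host in EXFIL_HOSTS:
        return "smtp-to-known-exfil-host"
    # Any other SMTP traffic from a non-mail app is still worth a look.
    return "smtp-from-non-mail-app"


def analyze(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (package, host, port, reason) for every flagged record."""
    alerts = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        conn = parse_line(line)
        reason = classify(conn)
        if reason:
            alerts.append((conn.package, conn.dst_host, conn.dst_port, reason))
    return alerts


# Constructed sample log: one legitimate mail client, the fake "Google
# Service" app talking to two of the named servers, ordinary HTTPS, and an
# unrelated app speaking SMTP to an unknown server.
SAMPLE_LOG = """
# ts package dst_host:dst_port
2013-01-01T09:58:10Z com.google.android.gm smtp.gmail.com:587
2013-01-01T10:00:02Z com.example.fakesvc smtp.163.com:25
2013-01-01T10:00:05Z com.example.fakesvc smtp.126.com:465
2013-01-01T10:01:00Z com.android.chrome www.example.com:443
2013-01-01T10:02:30Z com.example.other mail.example.net:587
"""

if __name__ == "__main__":
    for pkg, host, port, reason in analyze(SAMPLE_LOG):
        print(f"ALERT {reason}: {pkg} -> {host}:{port}")
```

Two caveats when turning this into a real rule: port 465 carries TLS, so the message body is opaque and the destination host and port are all you get; and an allow-list keyed on package name only works if the per-app attribution in your log source is trustworthy (on-device firewall or VPN-based logging, not a plain network capture, which has no idea which app opened the socket).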
Below is a screenshot of the threat's attempt to connect to an SMTP server:
This threat is typically downloaded from third-party Android markets or malicious websites. We first saw this malware family a month ago, and it has remained active since. We already detect this threat as Trojan:Android/SMSAgent.C.