Threat Descriptions

Trojan:Android/AutoSPSubscribe.A

Classification

Category :

Malware

Type :

Trojan

Platform :

Android

Aliases :

AutoSPSubscribe, SPPush

Summary

Trojan:Android/AutoSPSubscribe.A is a malicious app that targets Android users in China, and is distributed through unofficial markets. It takes advantage of the SMS-based subscription system that is commonly implemented in China to sign-up the user for certain services without the user's knowledge or consent.

Removal

Once the scan is complete, the F-Secure security product will ask if you want to uninstall the file, move it to the quarantine or keep it installed on your device.

Trojan:Android/AutoSPSubscribe.A can be uninstalled with the following steps:

  1. Go to Settings
  2. Go to Applications
  3. Go to Manage Applications
  4. Select the application
  5. Press "Clear Data"
  6. Press "Uninstall"
  7. Press "OK" when asked for confirmation and wait

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This trojan sends SMS to service provider to quietly register the user for a service, which brings about unsolicited charges on the user's account.

Installation

Upon installation, the trojan requests the following permissions:

  • restart packages
  • write to external storage
  • read contacts
  • receive SMS
  • read SMS
  • write SMS
  • send SMS
  • read the phone state
  • access the network state
  • access to internet

Activity

Trojan:Android/AutoSPSubscribe.A monitors incoming messages and intercepts those that originate from the service provider and carry order information containing details and charges for a value-added service. It then automatically replies to the provider with the value "Y", which indicates user confirmation to subscribe to the service.

NOTE: By policy, service providers must receive confirmation from the user before being able to proceed with the billing.

The message that notifies user about the service and its charge

Further messages from the provider to user to notify about the subscription confirmation will be automatically deleted by the trojan, which leaves the user unaware of the charges placed on the user account.

Additional details

This trojan was discovered by researchers at the North Carolina State University. For additional information, see: