Ever since we got wind of a variant of an AdSMS trojan with more aggressive functionalities making the rounds in various online forums, we've been on the lookout for more samples to analyze.
It hasn't been easy — there was a report of "more than 20 Android apps" being identified, but most of them seem to have been pulled out of circulation already. A lot of heavy forum trawling was required, which is a good thing for most users — it's not easy to get this trojan.
Analysis is still ongoing, but here are a few snippets based on the samples we have:
As before, the malware is a trojanized version of a legitimate app. For this sample, it was a paper toss game. For a simple game though, the permissions it requests are suspicious:
An alert user should be suspicious when a game says it needs to send SMS messages and read your personal information.
Once installed, the trojan is designed to prompt the user to "update" the program to a new version, with a "lightning update in 1 second" (?):
Once updated, the device is restarted and the malware is successfully installed under "com.android.battery", though it lists itself as appsms.apk in the application folder.
The trojan contains a known exploit, rageagainstthecage, for gaining root access and will run four malicious classes as services in the background: Adsms.Service, SystemPlus, MainRun and ForAlarm.
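As an added example (not code from the original post or from its authors), the following Python script shows how the warning signs described above can be checked mechanically from a decoded `AndroidManifest.xml`: an SMS permission combined with personal-data permissions, a package name squatting in the `com.android.` namespace, and several background services. The manifest it parses is constructed to mirror what the text reports (package `com.android.battery`, SMS and contact access, the four service names); the `RECEIVE_BOOT_COMPLETED` permission, the `.GameActivity` entry and the "personal information" mapping to `READ_CONTACTS`/`READ_PHONE_STATE` are assumptions, not details taken from the sample.

```python
import xml.etree.ElementTree as ET

# Namespace used for attributes such as android:name in AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest modelled on the post's description; not the real
# sample's manifest. Boot permission and activity name are assumptions.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.battery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Paper Toss">
    <activity android:name=".GameActivity"/>
    <service android:name="Adsms.Service"/>
    <service android:name=".SystemPlus"/>
    <service android:name=".MainRun"/>
    <service android:name=".ForAlarm"/>
  </application>
</manifest>
"""

# Constructed manifest for a game that asks only for what a game needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.papertoss">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Paper Toss">
    <activity android:name=".GameActivity"/>
  </application>
</manifest>
"""

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
# Assumed mapping of "read your personal information" to concrete permissions.
PERSONAL_DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"


def parse_manifest(xml_text):
    """Return (package name, set of requested permissions, list of services)."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    package = root.get("package", "")
    perms = {e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)}
    services = [e.get(name_attr) for e in root.iter("service") if e.get(name_attr)]
    return package, perms, services


def triage(xml_text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    package, perms, services = parse_manifest(xml_text)
    findings = []

    # 1. A game that can send SMS and read personal data is the red flag the post names.
    sms = sorted(perms & SMS_PERMS)
    personal = sorted(perms & PERSONAL_DATA_PERMS)
    if sms and personal:
        findings.append("SMS permissions %s combined with personal-data permissions %s"
                        % (sms, personal))

    # 2. Heuristic: third-party apps have no business in the platform's own namespace.
    if package.startswith("com.android."):
        findings.append("package name imitates a platform component: " + package)

    # 3. Several background services, plus boot persistence (assumed), for a simple game.
    if services and BOOT_PERM in perms:
        findings.append("%d background service(s) with boot persistence: %s"
                        % (len(services), ", ".join(services)))

    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label + ":")
        for finding in triage(manifest) or ["no findings"]:
            print("  - " + finding)
```

Running the script flags all three findings for the constructed `com.android.battery` manifest and nothing for the benign one. Real manifests inside an APK are binary XML, so a decoder such as apktool's output would be fed to `parse_manifest` rather than the APK itself.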
Other functionalities appear to be as reported, though we'll be continuing analysis — and hunting for more samples. We will be detecting this as Trojan:AndroidOS/AdSMS.B.