Video Screencast Help
Security Response

Android.Bgserv Found on Fake Google Security Patch

Created: 09 Mar 2011 22:26:46 GMT • Updated: 23 Jan 2014 18:22:21 GMT • Translations available: 日本語
Mario Ballano's picture
+2 2 Votes
Login to vote

On March 6,2011, Google published the application “Android Market Security Tool”, a tool designed to undo the side effects caused by Android.Rootcager. This application was automatically pushed to devices of users who had downloaded and installed infected applications.

Symantec has identified suspicious code within a repackaged version of the “Android Market Security Tool”. This package was found on an unregulated third-party Chinese marketplace. This threat seems to be able to send SMS messages if instructed by a command-and-control server located at the following address:

hxxp://www.youlubg.com:81/Coop/request3.php

Analysis of the application is still ongoing, however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License:

http://code.google.com/p/mmsbg/

Here are a few snippets taken from Google’s hosted project:

We have added detection for the trojanized version of Google’s application as Android.Bgserv.