Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

New Android Threat Gives Phone a Root Canal

Created: 02 Mar 2011 11:49:42 GMT • Updated: 23 Jan 2014 18:22:30 GMT • Translations available: 日本語
Joji Hamada's picture
+3 3 Votes
Login to vote

Malicious authors have taken a variety of popular free apps from the official Android market and bundled them with malware capable of rooting the phone, harvesting data, or opening a backdoor. We have been seeing a lot of this as of late—threats like Android.Geimini and Android.Pjapps—where the authors release them on unofficial Android marketplaces.

Apparently some malicious authors where not satisfied just sticking with this routine. We have become aware of a selection of malicious applications following this trend; however, they are available on the official Android Market. The applications in question are popular free apps, bundled with malware, that have then been republished in the official marketplace under different application and publisher names.  According to sources, 50,000 to 200,000 downloads took place within a four-day time frame that the apps were made available. Google has taken action and has removed these apps from the official Android marketplace.

The Android Packages (.apk) include the file "rageagainstthecage", which is a tool commonly used to root the phone. In legitimate circumstances, this file can be used by the owner of the phone to acquire administrative rights on his or her phone. In this case, rooting the phone can allow the malware we call Android.Rootcager to perform more than the usual activities (e.g. taking screenshots) not commonly allowed on Android phones.

Android.Rootcager in particular roots the phone without user consent to perform various activities. DownloadProvidersManager.apk is dropped by the malware to monitor installed applications and download additional packages of code as a background service.  The malware also attempts to record IMEI and IMSI numbers, which are used to identify mobile phones, and upload the data to an external website.

The following is a list of potentially affected apps, so users may want to check if these are installed on their Android phone:

Publisher:
kingmall2010
Apps:

  • 掷骰子 Version 2.4.1
  • 多彩绘画 Version 1.2
  • Advanced App to SD Version 1.0.1
  • Magic Strobe Light Version 1.0.1
  • Advanced Compass Leveler Version 1.1.1
  • Super Stopwatch & Timer Version 4.3
  • Sexy Legs Version 1.0.01
  • Sexy Girls: Japanese Version 1.0
  • Bowling Time Version 1.8
  • 软件强力卸载 Version 4.2
  • Music Box Version 2.5
  • Best password safe Version 1.0.5
  • 墨水坦克Panzer Panic Version 1.0.0
  • 裸奔先生Mr. Runner Version 1.0
  • Hot Sexy Girls Version 1.0
  • Super sex sound Version 1.3
  • 致命绝色美腿 Version 1.0.01
  • Super Bluetooth Transfer Version 2.30.1
  • Advanced File Manager Version 1.1.0
  • Advanced Barcode Scanner Version 1.0.1
  • Task Killer Pro Version 1.0.1

Publisher:
myournet
Apps:

  • Spider Man Version 1.29
  • 蜘蛛侠 Version 1.29
  • Funny Paint Version 1.2
  • Dice Roller Version 2.4.1
  • 躲避弹球 Version 2.0.9
  • Falling Ball Dodge Version 2.0.9
  • Photo Editor Version 3.1.1
  • Chess Version 2.6.1
  • APP Uninstaller Version 1.6.0
  • 几何战机_PewPew Version 1.5.3
  • 下坠滚球_Falldown Version 1.0
  • Falling Down Version 1.0
  • Screaming Sexy Japanese Girls Version 1.0
  • Hot Sexy Videos Version 0.1.10
  • Super History Eraser Version 1.0.1
  • Super Ringtone Maker Version 1.0.1
  • Hilton Sex Sound Version 2.1.1
  • Scientific Calculator Version 1.4.2
  • Super Guitar Solo Version 1.0.1
  • Super Sex Positions Version 1.0
  • Advanced Currency Converter Version 1.0.1

Publisher:
we20090202
Apps:

  • Basketball Shot Now Version 1.4.0
  • Omok - Five in a Row Version 3.1.1
  • Super Sexy Ringtones Version 3.1.4
  • 手指赛跑 Finger Race Version 1.4.5
  • Magic Hypnotic Spiral Version 2.0.0
  • Quick Notes Version 2.1.1
  • 投篮高手 Version 1.4.0
  • Quick Delete Contacts Version 1.0
  • Advanced Sound Manager Version 2.0.0
  • Color Blindness Test Version 2.1.1

If users feel that they may have installed one of these apps, they should also check com.android.providers.downloadsmanager (DownloadManageService) in the “running services“ settings of the phone, as shown in the screenshot below.

Thanks goes out to Justin Case at Android Police and my colleague Irfan Asrar for their assistance.