Android package file
The Trojan may arrive as a package with the following characteristics:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Check the phone's current state
- Start once the device has finished booting
- Monitor incoming SMS messages
Once installed, the application will display an icon of a white shopping bag with a blue and red triangle.
The Trojan requests device administrator activation. If the request is granted, the Trojan cannot be uninstalled using the application manager.
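The following Python triage is an added example, not part of the original write-up or any Symantec tooling. It checks a decoded AndroidManifest.xml (for instance, as produced by apktool) for the permission set and device administrator request described above. The mapping from the write-up's plain-language permissions to Android permission constants is an assumption, and the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the write-up's descriptions to Android permission constants.
WATCHED = {
    "android.permission.READ_PHONE_STATE": "check the phone's current state",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start once booting has finished",
    "android.permission.RECEIVE_SMS": "monitor incoming SMS messages",
}
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def triage_manifest(manifest_xml):
    """Report which behaviours from the write-up a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    matched = sorted(p for p in WATCHED if p in requested)
    admin_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        guarded = receiver.get(ANDROID + "permission") == ADMIN_PERMISSION
        if guarded and ADMIN_ACTION in actions:
            admin_receivers.append(receiver.get(ANDROID + "name"))
    return {
        "package": root.get("package"),
        "permissions": matched,
        "device_admin_receivers": admin_receivers,
        # Each item alone is common in benign apps; flag only the full combination.
        "flag": len(matched) == len(WATCHED) and bool(admin_receivers),
    }


# Constructed sample manifest, not taken from a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

A flagged manifest is a prompt for closer review, not a verdict: the same combination appears in some legitimate device-management applications.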
Once executed, the Trojan checks the compromised device for Korean banking applications with the following package names:
The Trojan then deletes any of the above applications it finds and replaces them with malicious versions that use identical package names. The malicious applications allow an attacker to steal the following information from the compromised device:
- Banking details
- SMS messages
- Phone number
The above information is then sent to the following remote location:
The malicious applications are detected as Android.SMSblocker.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":