Android/MarketPay.A was found repacked in legitimate applications available in several Chinese markets. The following permissions are added to the original application: RECEIVE_SMS, SEND_SMS, READ_SMS, WRITE_SMS, CAMERA and WRITE_APN_SETTINGS.
Android/MarketPay.A executes its payload by running four services in the background: Ankboots, Anknets, Ankexcutes and Ankrext. The main service, Ankboots, is started when the user is present (device unlocked), when an SMS is received, or every time the device is turned on. After checking the network connection, this service changes the access point name (APN) of the device to CMWAP in order to log the user in automatically. Once the APN is changed and verified, Android/MarketPay.A schedules two alarms in the system that execute the component responsible for downloading, and storing in local files, the configuration required to automatically buy apps from alternative Android markets.
When the first alarm is triggered, Android/MarketPay.A reads the file config.txt stored in the assets folder inside the trojanized application in order to obtain the Command and Control URL, and registers the infected device by sending device identifiers such as the telephone number and IMEI. In response the server sends data that is stored in the following local files on the system:
- c.dat: Stores the premium-rate numbers used for several Chinese markets, the identifiers and keywords of the apps that the malware will automatically buy, and a range of hours during which the malicious application may execute the payload.
- sc.dat: Contains an alternative phone number that is sent in the parameter "mo_id" in subsequent registrations with the remote server (only the first request sends the real phone number).
The server can also respond with the word "docode". In that case, Android/MarketPay.A sends an SMS message containing the IMEI of the infected device to the number provided (docode) by the C&C server.
After that, the malicious application starts the service Ankexcutes, which sends the text message using the collected information. A similar process occurs when the second alarm is triggered. The only difference is that in this case the request is made to another URL, so different information is sent from the Command and Control server to the device (app link and keywords). Once the data is stored in local files, Android/MarketPay.A starts the service Anknets, which reads the recently created file "aurl.dat" containing the URL of the app that the malware is going to buy automatically and simulates a click on that link in the background. If the URL is not provided, the service Anknets reads the file "u.dat", which contains the root URL and the keywords provided by the C&C server, and uses that information to find the link of an app on which to perform the purchase. After that, Android/MarketPay.A identifies the payment URL and checks whether the browser shows a validation image. If so, the malware tries to obtain the validation answer by sending the image (CAPTCHA) to the remote server "119.147.[Censored].[Censored]:8080/mi/mmide", and the response it receives is sent back to the mobile market. Once the validation is complete, Android/MarketPay.A finally downloads the purchased application to the path /sdcard/anksoft/.
The main service Ankboots also registers a new component in the system that intercepts all received SMS messages to check whether they come from the China Mobile Android Market (10086) or from a targeted Android market. If so, the malware stores the information (verification code) in a local file on the system (re.dat), deletes the SMS message containing the verification code, and starts the service Ankrexts, which sends a text message with the recently captured verification code to a number provided by the C&C server. If the SMS comes from another source, the malware cancels the notification, blocks the message and deletes it from the inbox, so the user never learns of it.
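The permission set, service names, SMS receiver and config.txt asset described above make a usable static triage heuristic. The following is an added example written for this page, not tooling from the original analysis; it works on a decoded AndroidManifest.xml plus the APK's file list, and the manifest it checks is constructed sample data, not a real infected app.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions the trojanized build adds to the original application.
ADDED_PERMISSIONS = {"android.permission." + p for p in (
    "RECEIVE_SMS", "SEND_SMS", "READ_SMS", "WRITE_SMS", "CAMERA", "WRITE_APN_SETTINGS")}
# Background services named in the analysis, matched on the class-name suffix.
SERVICE_NAMES = {"Ankboots", "Anknets", "Ankexcutes", "Ankrext"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml, apk_files):
    """Match a decoded AndroidManifest.xml and the APK's file list against the
    MarketPay.A indicators; returns the matched items plus a boolean verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    services = {(s.get(ANDROID + "name") or "").rsplit(".", 1)[-1]
                for s in root.iter("service")}
    # The malware registers a receiver for incoming SMS to capture verification codes.
    sms_receiver = any(a.get(ANDROID + "name") == SMS_RECEIVED
                       for a in root.iter("action"))
    found = {
        "permissions": sorted(perms & ADDED_PERMISSIONS),
        "services": sorted(services & SERVICE_NAMES),
        "sms_receiver": sms_receiver,
        "config_asset": "assets/config.txt" in apk_files,  # holds the C&C URL
    }
    # Verdict: the complete added permission set plus a known service name or
    # the config asset is a strong sign of this repackaging.
    found["suspicious"] = bool(len(found["permissions"]) == len(ADDED_PERMISSIONS)
                               and (found["services"] or found["config_asset"]))
    return found

# Constructed sample manifest imitating a repackaged app; not from a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <application>
    <service android:name="com.example.game.Ankboots"/>
    <service android:name="com.example.game.Anknets"/>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application></manifest>"""
SAMPLE_FILES = ["AndroidManifest.xml", "classes.dex", "assets/config.txt"]
```

Run `triage_manifest(SAMPLE_MANIFEST, SAMPLE_FILES)` against the decoded output of an APK tool of your choice; the heuristic is deliberately conservative and requires the full added permission set before flagging.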