Virus Characteristics
Android/SMSzombie.A is a component embedded (as assets/a33.jpg) in another malicious application that was found on Chinese alternative markets. Android/SMSzombie.A requires the following permissions prior to its installation:
- android.permission.BIND_DEVICE_ADMIN
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.RECEIVE_SMS
- android.permission.SEND_SMS
- android.permission.READ_SMS
- android.permission.WRITE_SMS
- android.permission.INTERNET
- android.permission.ACCESS_NETWORK_STATE
- android.permission.READ_PHONE_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.READ_LOGS
- android.permission.KILL_BACKGROUND_PROCESSES
- android.permission.RESTART_PACKAGES
- android.permission.GET_TASKS
Once Android/SMSzombie.A is installed, a malicious service running in the background (android.phone.com) is started when the boot process has finished (device started or rebooted) or when the application receives a custom intent that is broadcast by the original dropper.
This service forces the victim to activate the malware as device administrator: the activation prompt is shown, and its Cancel button has no action attached.
As a result, the user is not able to uninstall the malicious application by using the Application Manager. In addition, Android/SMSzombie.A has a service that hides the Device Administration setup, so the victim cannot deactivate this option.
Android/SMSzombie.A intercepts SMS messages and forwards them to the number 130xxxxxxxx.
Finally, Android/SMSzombie.A detects specific commands in received SMS messages in order to send certain SMS messages to premium-rate numbers.
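For triage, the permission list above and the device-admin behaviour can be checked statically from a decoded AndroidManifest.xml. The following is an added example written for this page, not code from the original description or the sample itself; the manifest it scans is constructed, and the "high-risk" subset is a hypothetical heuristic drawn from the behaviour described above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the page lists for Android/SMSzombie.A.
SMSZOMBIE_PERMISSIONS = {"android.permission." + p for p in (
    "BIND_DEVICE_ADMIN", "RECEIVE_BOOT_COMPLETED", "RECEIVE_SMS", "SEND_SMS",
    "READ_SMS", "WRITE_SMS", "INTERNET", "ACCESS_NETWORK_STATE", "READ_PHONE_STATE",
    "ACCESS_WIFI_STATE", "READ_LOGS", "KILL_BACKGROUND_PROCESSES", "RESTART_PACKAGES",
    "GET_TASKS")}

# Hypothetical heuristic: the subset that together matches the behaviour described
# above (SMS interception and sending, boot persistence, device-admin uninstall resistance).
HIGH_RISK_COMBO = {"android.permission." + p for p in (
    "BIND_DEVICE_ADMIN", "RECEIVE_BOOT_COMPLETED", "RECEIVE_SMS", "SEND_SMS", "READ_SMS")}

def requested_permissions(manifest_xml):
    """Return the android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def declares_device_admin_receiver(manifest_xml):
    """True if a <receiver> is protected by BIND_DEVICE_ADMIN, i.e. the app ships a
    DeviceAdminReceiver it can ask the user to activate."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for r in root.iter("receiver"))

def triage(manifest_xml):
    """Summarise how closely a manifest matches the SMSzombie permission profile."""
    perms = requested_permissions(manifest_xml)
    return {
        "overlap_count": len(perms & SMSZOMBIE_PERMISSIONS),
        "high_risk_combo": HIGH_RISK_COMBO <= perms,
        "device_admin_receiver": declares_device_admin_receiver(manifest_xml),
    }

# Constructed sample manifest for illustration; not taken from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.BIND_DEVICE_ADMIN"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><receiver android:name=".AdminReceiver"
      android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
```

Run `triage(SAMPLE_MANIFEST)` on a manifest decoded with apktool or aapt; a full high-risk match plus a device-admin receiver is a strong signal to pull the APK for dynamic analysis.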