New Android Malware Targets China Mobile Subscribers

Security has always been a problem in Android due to its open ecosystem. Not only are apps in the Play Store not pre-screened, but users can easily download apps from third-party markets with even less stringent security. While most of us are aware of only a handful of app repositories – like the Amazon AppStore – Chinese users are accustomed to using dozens of them. Now, security firm TrustGo is reporting that several of the popular Chinese app stores have been infected with a malware called Trojan!MMarketPay.A@Android.

The MMarketPay malware is distributed through repackaged versions of popular apps like GoWeather. The Chinese app stores that have been identified as affected are nDuoa, GFan, AppChina, LIQU, ANFONE, Soft.3g.cn, TalkPhone, 159.com, and AZ4SD. The app targets subscribers of China Mobile, which is the world’s largest mobile phone operator with more than 655 million subscribers. The total number of affected users is estimated to be in excess of 100 million.

Mobile Market is an Android app store offered by China Mobile to its subscribers. Its biggest draw is its mobile payment system. Users can purchase and download any app and video they like, and the amount will simply be added to their monthly bill. The workflow is as follows:

  • Customers log in at the M-Market website (http://mm.10086.cn/). No login is required if the customer is using CMWAP as the access point.
  • M-Market sends a verification code to the customer via SMS when the customer purchases paid apps or media.
  • Customers receive the verification code and input it in M-Market for verification.
  • Once the verification is completed, the market will download apps automatically. China Mobile will add this order to customers’ phone bill.

The MMarketPay malware bypasses China Mobile’s authentication system by changing the APN to CMWAP and intercepting the SMS. Once installed, it proceeds to order paid apps and purchase premium videos without letting the consumers know. Infected users are extremely likely to rack up huge bills without even being aware.
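A static triage check for the behaviour described above, as an added example that is not TrustGo's or this article's code: it compares a repackaged APK's decoded manifest with the original app's and flags newly added APN-write and SMS access. It assumes a sample declares the standard Android permissions for those actions; the manifests and the `.Hook` receiver name are constructed.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
APN_PERMS = {"android.permission.WRITE_APN_SETTINGS"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed decoded manifests for a hypothetical weather app; not real samples.
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
ORIGINAL = HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application/>
</manifest>"""
REPACKAGED = HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Hook"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def permissions(manifest_xml):
    """Set of permission names requested by a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission")}

def sms_receivers(manifest_xml):
    """Names of receivers registered for the incoming-SMS broadcast."""
    root = ET.fromstring(manifest_xml)
    return sorted(r.get(NAME) for r in root.iter("receiver")
                  if any(a.get(NAME) == SMS_ACTION for a in r.iter("action")))

def triage(original_xml, candidate_xml):
    """Compare a candidate APK's manifest with the known-good original."""
    added = permissions(candidate_xml) - permissions(original_xml)
    new_rx = set(sms_receivers(candidate_xml)) - set(sms_receivers(original_xml))
    findings = []
    if added & APN_PERMS:
        findings.append("apn-write-added")
    if added & SMS_PERMS or new_rx:
        findings.append("sms-access-added")
    # Both together match the APN-change plus SMS-interception behaviour.
    verdict = "suspicious" if len(findings) == 2 else "review" if findings else "ok"
    return verdict, sorted(added), findings

if __name__ == "__main__":
    print(triage(ORIGINAL, REPACKAGED))
```
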

Android Trojan Malware (NotCompatible)

Android users need to watch out for a trojan called NotCompatible that comes on Android phones as an update file (Update.apk). A user on Reddit called georgiabiker had initially posted about it. On being installed, it is claimed that the malware may use your device as a proxy and gain access to private networks.

If you have the following setting selected on your Android phone, you are susceptible to the risk.

Settings>Applications>Unknown Sources

This setting allows you to download Android apps from unofficial sources. If you visit any infected unofficial sites, it automatically begins downloading an update named com.Security.Update onto your machine. There is no clear record of which sites this file may be found on. But Lookout has indicated that it has found the malware on “numerous” websites embedded in an iframe (the part that usually displays advertisements from third parties).

As per Lookout,

“The first time hacked websites are being used to specifically target mobile devices. In this specific attack, if a user visits a compromised website from an Android device, their Web browser will automatically begin downloading an application—this process is commonly referred to as a drive-by download”

You can avoid this malware by staying alert and keeping your antivirus updated. Watch out for automatic downloads of update.apk on your Android device.