In association with heise online

09 July 2012, 15:26

Chinese Android trojan buys applications


Mobile security company TrustGo has detailed the discovery of a new type of Android malware which operates in China. The trojan – which the company has dubbed MMarketPay.A – is being distributed in nine different third-party app stores. When installed on a phone, the trojan is able to buy applications from China Mobile's own marketplace; these purchases then get billed to the victim.

According to TrustGo, the malware has already infected "more than 100,000 devices". The trojan targets China Mobile's Mobile Market distribution platform. China Mobile is one of the largest mobile phone carriers worldwide, with approximately 677 million subscribers. Customers on the China Mobile network can visit the market's web site and are able to purchase applications and content without having to log in. The phone is then authenticated based on the fact that it uses a China Mobile Access Point Name (APN). When users purchase an application, they receive a text message with a verification code that will then have to be entered on the web site to finalise the purchase.

Once downloaded to a victim's phone, MMarketPay.A changes the APN to the China Mobile one if the phone is not already using this network and then visits the market web site behind the scenes. It purchases applications by simulating clicks in the phone's browser – these actions are not noticeable to the user. Next, the malware intercepts the verification SMS and enters the code on the market web site. With the purchase completed, the victim will be charged by China Mobile.

Since the affected phones have to be on the China Mobile network and since all the stores that are currently distributing the malware are in China, it is unlikely that users outside this geographical region will be affected by the trojan. In any case, Mobile Market's approximately 149 million users make it a sufficiently desirable target.
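The behaviour described above (switching the APN, then intercepting the verification SMS) suggests a simple static triage check for apps taken from third-party stores. The following is an added example, not code from TrustGo or from the original article: the permission and action names are real Android identifiers, but that MMarketPay.A declares exactly these is an assumption, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android identifiers; that the trojan declares exactly these is an
# assumption inferred from the behaviour the article describes.
APN_WRITE = "android.permission.WRITE_APN_SETTINGS"
SMS_RECEIVE = "android.permission.RECEIVE_SMS"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifests (decoded XML, not taken from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def triage_manifest(manifest_xml):
    """Return a list of findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    if APN_WRITE in perms:
        findings.append("can rewrite APN settings")
    if SMS_RECEIVE in perms:
        findings.append("can receive SMS")
    # A receiver with raised priority sees incoming SMS before the stock
    # messaging app on Android versions of that era.
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        prio = flt.get(ANDROID_NS + "priority", "0")
        if SMS_ACTION in actions and prio.lstrip("-").isdigit() and int(prio) > 0:
            findings.append("SMS receiver with priority " + prio)
    if APN_WRITE in perms and SMS_RECEIVE in perms:
        findings.append("HIGH: APN change + SMS interception combination")
    return findings

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_manifest(xml))
```

Either permission alone is common in legitimate apps; it is the combination that matches the purchase flow described in the article and warrants a closer look.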

