Malware authors disguise the Trojan in pirated copies of popular legitimate applications such as Go Weather, Travel Sky or EStrongs File Explorer. These trojanized applications are distributed through several Chinese websites and third-party markets.
It is no news that Android malware increasingly aims at separating users from their money. So far this has mostly taken the form of premium-rate SMS and calls. For several days we have been monitoring a new type of rip-off, MMarketPay.A.
MMarketPay.A targets customers of the world's biggest mobile operator, China Mobile. After the trojanized app is installed, the Trojan changes the device's access point (APN) to CMWAP. With that APN no login is needed when using China Mobile's Mobile Market, one of the biggest app stores worldwide, so the Trojan can automatically place purchase orders in the market. It can use this to buy further infected apps, but it can also buy legitimate applications. When the phone receives a verification SMS, the Trojan hides it from the user and forwards it to a remote server, which responds accordingly. If a CAPTCHA is part of the verification process, the image is likewise forwarded to the remote server for analysis. As a last step the purchased application is downloaded and installed. Which apps are bought depends on the commands the Trojan carries.
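The flow above needs a specific set of capabilities: permission to rewrite the APN, a receiver for incoming SMS registered with a high priority (so it is delivered before the stock messaging app and can abort the broadcast, which is how the verification SMS is kept out of the user's view), network access to reach the remote server, and the ability to install packages. The following script is an added triage example, not code from the original post and not the real MMarketPay.A manifest: it parses a decoded AndroidManifest.xml and flags that combination. The two manifests are constructed for the example, and the scoring thresholds are an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def _a(name):
    """Qualified name of an android: attribute in the parsed manifest."""
    return "{%s}%s" % (ANDROID_NS, name)


# Capabilities the described purchase flow needs. The mapping is an assumed
# triage heuristic, not taken from the actual MMarketPay.A sample.
CAPABILITIES = {
    "android.permission.WRITE_APN_SETTINGS": "switch the data APN (e.g. to CMWAP)",
    "android.permission.RECEIVE_SMS": "see incoming verification SMS",
    "android.permission.INTERNET": "forward SMS/CAPTCHA to a remote server",
    "android.permission.INSTALL_PACKAGES": "install the purchased apps silently",
}


def analyze_manifest(xml_text):
    """Return a report dict for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}
    report = {
        "package": root.get("package"),
        "capabilities": {p: why for p, why in CAPABILITIES.items() if p in perms},
        "sms_receiver_priority": None,
        "verdict": "clean",
    }
    # A receiver for SMS_RECEIVED with a high intent-filter priority runs before
    # the messaging app and can call abortBroadcast() to hide the message.
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {act.get(_a("name")) for act in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                prio = int(flt.get(_a("priority"), "0"))
            except ValueError:  # resource reference such as @integer/..., treat as unknown
                prio = 0
            current = report["sms_receiver_priority"]
            if current is None or prio > current:
                report["sms_receiver_priority"] = prio
    hits = len(report["capabilities"])
    intercepts = (report["sms_receiver_priority"] or 0) >= 1000  # assumed threshold
    if "android.permission.WRITE_APN_SETTINGS" in perms and intercepts and hits >= 3:
        report["verdict"] = "suspicious: APN rewrite + SMS interception + purchase chain"
    elif intercepts or hits >= 3:
        report["verdict"] = "review"
    return report


# Constructed manifest of a hypothetical trojanized weather app (not a real sample).
TROJANIZED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather.pirated">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a benign weather app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for text in (TROJANIZED_MANIFEST, BENIGN_MANIFEST):
        r = analyze_manifest(text)
        print(r["package"], "->", r["verdict"])
        for perm, why in r["capabilities"].items():
            print("   ", perm, ":", why)
```

A manifest alone cannot prove the purchase logic is present, so this is a triage filter: an app whose stated purpose is a weather forecast has no reason to rewrite APN settings or to take first delivery of every incoming SMS, and such hits are the ones worth pulling into dynamic analysis.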
At the time of writing MMarketPay.A is only available through Chinese websites and markets, but it bodes ill for the future. The attack has the potential to spread widely because it opens a new way to make money with malware. Many European and American app store operators have simplified their login procedures, and this could be abused to order apps without proper authorization. The user of an infected phone will only notice when the bill arrives. Users need to be much more aware of such dangers and threats, and so do shop providers.