Android SMS Stealer Hides as Mobile Payments Security App

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
Users looking to protect their online payments via special security apps may be in for a surprise, finding themselves infected with an SMS-stealing trojan instead, mobile security vendor Zscaler reports.

Most of these infections are occurring in China, via Android applications hosted on third-party stores. The app in question is named AliPay-Security Controls, which is advertised as a security tool to safeguard payments made through AliPay.

AliPay is a third-party online payments platform, active in 14 countries, supporting 65 financial institutions, and serving over 300 big brands. The company is Chinese, and as with anything Chinese, the platform is a clone of something, and in AliPay's case, a clone of PayPal.

The trojan can survive phone restarts, steal SMS messages
Users who install the AliPay-Security Controls application will first notice a new icon appearing on their phone. Tapping this icon starts the app, which shows a quick introductory screen for three seconds and then disappears, also wiping its icon from the phone.

What the user doesn't know is that the app secretly started three processes that will allow it to gain boot persistence to survive phone restarts and watch over SMS communications for any incoming messages.

Once a new SMS is detected, the app will make a copy and send it to a remote online server, under the attacker's control. Zscaler reports that this server is currently down.

The fake AliPay app may be a test for bigger things to come
Standalone SMS-stealing trojans are strange because there's not that much they can do. Zscaler suspects that this trojan may be part of a larger cybercrime campaign, alongside other Android hacking tools.

SMS stealers are often used together with other malware families, allowing attackers to intercept two-factor authentication codes and payment verification codes for online banking operations.

Additionally, some SMS stealers work with malware that reads IDs and codes from incoming SMS and sends out other SMS messages as part of affiliate programs that defraud infected users but help hackers make money on the side.

It's not strange for hackers to test the features of a bigger malware family with standalone apps. Judging by the fact that the C&C server is already down, it may be that the fake AliPay app has passed the tests, and we may find it in more dangerous threats, like an Android banking trojan or as Android spyware.

The app's package name is com.bing.receive, and it currently has a very low detection rate on VirusTotal. Since the app does not acquire root privileges, users should have no problem removing it by going to Settings --> Apps and selecting the Uninstall option.
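The behaviour described above (boot persistence plus watching incoming SMS) and the package name given here are enough for a simple device triage check. The following Python script is an added example, not Zscaler's or the article's code: it parses a constructed, loosely dumpsys-shaped listing of requested permissions and flags any package that is either the named package or requests both `RECEIVE_SMS` and `RECEIVE_BOOT_COMPLETED` (real Android permission names; treating that pairing as an indicator is this example's own assumption).

```python
import re
from typing import Dict, List, Set

# Constructed sample: a trimmed imitation of `adb shell dumpsys package`
# output for two packages. Only loosely mirrors the real format (assumption).
SAMPLE_DUMPSYS = """\
Package [com.bing.receive] (a1b2c3):
  requested permissions:
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
    android.permission.RECEIVE_BOOT_COMPLETED
    android.permission.INTERNET
Package [com.example.notes] (d4e5f6):
  requested permissions:
    android.permission.INTERNET
    android.permission.WRITE_EXTERNAL_STORAGE
"""

# Package name reported for the fake AliPay security app.
KNOWN_BAD_PACKAGES = {"com.bing.receive"}

# Survive reboot (RECEIVE_BOOT_COMPLETED) and watch incoming SMS (RECEIVE_SMS).
# Using this pairing as an indicator is an assumption of this example.
SMS_STEALER_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

def parse_requested_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package name to the set of permissions it requests."""
    perms: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            perms[current] = set()
        elif current and line.strip().startswith("android.permission."):
            # Drop any trailing ": granted=..." annotation real dumpsys adds.
            perms[current].add(line.strip().split(":")[0])
    return perms

def triage(dumpsys_text: str) -> List[str]:
    """Return packages that are known bad or request the SMS+boot combination."""
    flagged = []
    for pkg, requested in parse_requested_permissions(dumpsys_text).items():
        if pkg in KNOWN_BAD_PACKAGES or SMS_STEALER_PERMS <= requested:
            flagged.append(pkg)
    return sorted(flagged)

if __name__ == "__main__":
    print(triage(SAMPLE_DUMPSYS))  # ['com.bing.receive']
```

A package flagged only by the permission pairing is a lead for manual review, not proof of infection, since legitimate SMS apps request the same permissions.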