
MMarketPay.A, New Android Malware Found in the Wild

By TrustGo Security Labs On July 6, 2012 In Malware, Security


SUMMARY

On July 4, 2012, we uncovered new malware that can download paid apps and content from China Mobile’s Mobile Market. It places orders automatically on behalf of users and could cause unexpectedly high phone bills. TrustGo Security Labs named it Trojan!MMarketPay.A@Android.

MMarketPay.A may arrive as repackaged applications with the following package names:

  • com.mediawoz.goweather
  • com.mediawoz.gotq
  • com.mediawoz.gotq1
  • cn.itkt.travelskygo
  • cn.itkt.travelsky
  • com.funinhand.weibo
  • sina.mobile.tianqitong
  • com.estrongs.android.pop

This virus has already been found in the following 9 China markets. More than 100,000 devices have been infected.

HOW IT WORKS

Mobile Market (http://mm.10086.cn/) is an Android market hosted by China Mobile, one of the largest wireless providers on the planet. It hosts both free and paid applications and multimedia content. Its payment workflow for paid applications is as follows:

  1. The customer logs in at the M-Market website (http://mm.10086.cn/). No login is required if the customer is using CMWAP as the access point.
  2. M-Market sends a verification code to the customer via SMS when the customer purchases paid apps or content.
  3. The customer receives the verification code and enters it into M-Market for verification.
  4. Once verification is complete, the market downloads the app automatically. China Mobile adds the order to the customer’s phone bill.

MMarketPay.A can place orders through the M-Market payment system automatically:

  1. Change the APN to CMWAP so that it can log in to M-Market automatically.
  2. Find a paid application and simulate the click action in the background.
  3. Intercept received SMS messages and collect the verification code sent by M-Market.
  4. If a CAPTCHA image is invoked, post the image to a remote server, which analyzes it to obtain the verification code.
  5. Post the verification code to the M-Market website.
  6. Download the application; the customer gets charged.
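
A static triage check a defender could run over a decoded AndroidManifest.xml to spot the capability combination the steps above depend on. This is an added example, not code from TrustGo or from the malware; the permission mapping, the receiver-priority heuristic and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Package names listed in this post; the apps are repackaged, so a name match alone proves nothing.
REPORTED = {"com.mediawoz.goweather", "com.mediawoz.gotq", "com.mediawoz.gotq1",
            "cn.itkt.travelskygo", "cn.itkt.travelsky", "com.funinhand.weibo",
            "sina.mobile.tianqitong", "com.estrongs.android.pop"}
# Assumption: the described steps map to these standard Android permissions.
PERMS = {"android.permission.WRITE_APN_SETTINGS",  # switch the APN (step 1)
         "android.permission.RECEIVE_SMS",         # read the verification SMS (step 3)
         "android.permission.INTERNET"}            # post codes and images (steps 4-5)
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(xml_text):
    """Summarise the risky capabilities declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    receivers = []
    for rec in root.iter("receiver"):
        for flt in rec.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            priority = int(flt.get(NS + "priority", "0"), 0)
            # A positive priority lets the receiver see the SMS before the default app.
            if SMS_ACTION in actions and priority > 0:
                receivers.append((rec.get(NS + "name"), priority))
    matched = sorted(PERMS & requested)
    return {
        "package_listed": root.get("package") in REPORTED,
        "permissions": matched,
        "sms_receivers": receivers,
        # APN change plus prioritised SMS interception together is worth escalating.
        "suspicious": len(matched) == len(PERMS) and bool(receivers),
    }

# Constructed sample manifests (not taken from a real sample).
FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.mediawoz.goweather">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
<application><receiver android:name=".SmsHook"><intent-filter android:priority="1000">
<action android:name="android.provider.Telephony.SMS_RECEIVED"/>
</intent-filter></receiver></application></manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
<uses-permission android:name="android.permission.INTERNET"/></manifest>"""

if __name__ == "__main__":
    for label, manifest in (("flagged", FLAGGED), ("benign", BENIGN)):
        print(label, triage_manifest(manifest))
```

A hit is a reason to inspect the APK further, not a verdict: legitimate apps can request any one of these permissions on its own.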

The following screenshot of the malicious code shows the whole automatic payment process.

Besides paid apps, M-Market also offers paid video content. MMarketPay.A can also search for, play and pay for paid video content on M-Market. The following piece of code shows the automatic playback of paid video.

CONCLUSION

In summary, this sophisticated new malware could cause unexpectedly high phone bills. TrustGo recommends that customers download apps only from trusted app stores and install a mobile security app that can scan for malware in real time.