New Android Malware Hits Tibetan Activists' Mobile Phones

According to Kaspersky Lab researchers Denis Maslennikov, Kurt Baumgartner, and Costin Raiu, this is the first time that there has been a targeted Android malware attack against mobile phones. Furthermore, Kaspersky Lab traced the malware to a Chinese server in LA.

The phishing email contained an Android Package file, “WUC’s Conference.apk”, whose name refers to a recently concluded human rights convention organized by Chinese, Tibetan, Mongolian, and Uyghur activists in Switzerland. If the file is executed, it displays a note regarding the event. At the same time, a backdoor is established between the malware’s controllers and the Android system.

The malware sends a report to its server and then starts harvesting data from the victim’s device. The information gathered usually includes the phone system information, GPS coordinates, SMS messages, call logs, and contacts from both the SIM card and the mobile device. The information is sent to the malware server when the mobile device receives a text message which contains “other”, “location”, “contact”, or “sms”. If any of these keywords is found, the malware uploads the gathered information to the command and control server.
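
As an added example (not code from Kaspersky Lab or from the malware), the following triage check flags a decoded `AndroidManifest.xml` that combines the traits described above: a receiver for incoming SMS, access to the harvested data types, and network access. The mapping from data types to Android permissions, the two-category threshold, and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping: the article names data categories, not permissions.
DATA_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(xml_text):
    """Flag manifests that combine an SMS trigger, data access and network."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # Receivers that wake on incoming SMS: the command channel described above.
    receivers = [r.get(NS + "name") for r in root.iter("receiver")
                 if any(a.get(NS + "name") == SMS_ACTION for a in r.iter("action"))]
    data = sorted(label for perm, label in DATA_PERMS.items() if perm in perms)
    sms_trigger = "android.permission.RECEIVE_SMS" in perms and bool(receivers)
    network = "android.permission.INTERNET" in perms
    return {"sms_receivers": receivers, "data_access": data,
            "suspicious": sms_trigger and network and len(data) >= 2}

def _manifest(perms, receiver_xml=""):
    # Builds a constructed sample manifest; the package name is hypothetical.
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.sample">%s<application>%s</application></manifest>'
            % (uses, receiver_xml))

SMS_RECEIVER = ('<receiver android:name=".SmsCommandReceiver"><intent-filter>'
                '<action android:name="android.provider.Telephony.SMS_RECEIVED"/>'
                '</intent-filter></receiver>')
SUSPICIOUS = _manifest(["RECEIVE_SMS", "READ_SMS", "READ_CONTACTS", "READ_CALL_LOG",
                        "ACCESS_FINE_LOCATION", "INTERNET"], SMS_RECEIVER)
BENIGN = _manifest(["ACCESS_FINE_LOCATION", "INTERNET"])

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_manifest(xml_text))
```

A hit is a reason to inspect the app further, not proof of malice: legitimate messaging and backup apps request similar permissions.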

The server was found to be in Los Angeles, at Emagine Concept, Inc. The domain name, however, is registered in Beijing, China. The server has a Chinese-language web interface and controls infected Android devices. According to Kaspersky Lab, the commands found on the interface are used to hijack certain mobile apps like the victims’ email account. Based on these findings, Kaspersky Lab deduced that the malware controllers and developers are all Chinese speakers.

Early this week, another malware attack was launched against the Tibetan activists. The malware has a modus operandi similar to the one discovered by Kaspersky Lab. However, there is no conclusive evidence that the two attacks were linked.
