Security Alert: New Android Malware -- HippoSMS -- Found in Alternative Android Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
On July 10th, my research team came across a new Android malware, named HippoSMS, in alternative Chinese app markets. The malware
incurs additional phone charges by sending SMS messages to a hard-coded premium-rate number. It also blocks and removes
short messages from legitimate mobile phone service providers so that users do not learn about the additional charges. We tested it against several leading mobile AV products, and none of them detected it.
How it works
Our investigation shows that HippoSMS is piggybacked directly onto a legitimate host app (the host app is repackaged with the malicious code), so that when the app is launched
it immediately starts a service that sends SMS messages to a hard-coded premium-rate
number (1066******). It then registers a ContentObserver to monitor incoming SMS messages.
Inside the ContentObserver, it deletes any incoming SMS message whose sender number starts with "10".
Note that numbers such as 10086 and 10010 belong to legitimate mobile phone service providers in China and
are typically used to notify users about the services they have ordered and about the current
balance of their mobile phone accounts. We therefore believe the removal of these SMS messages
is meant to hide the additional charges caused by the malware.
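The behaviour above (a hard-coded 1066 destination, a ContentObserver on the SMS provider, and deletion of inbound messages from "10..." senders) is a combination that a normal SMS app does not need, so it can be turned into a static triage check. The following is an added example, not the tooling our team used and not code taken from the malware: it scans the manifest and decoded source text of an APK (assumed to have been unpacked beforehand with a tool such as apktool) for that indicator combination. The regexes, the assumed length of a 1066 number, and the sample manifest and Java source are all constructed for the demo; the placeholder number in the sample is not the one hard-coded in HippoSMS.

```python
"""Static indicator scan for HippoSMS-style premium-SMS behaviour.

Added example, not the NC State team's tooling and not code from the malware.
Assumes the APK was decoded first (e.g. with apktool) into AndroidManifest.xml
and Java/smali text. The manifest, sources and the 1066 placeholder number
below are constructed for the demo; the regexes are heuristics, not signatures.
"""
import re
from dataclasses import dataclass

# Behaviour described in the write-up: SMS to a hard-coded 1066 number, a
# ContentObserver on the SMS provider, deletion of messages from '10...' senders.
# Assumption: a China SP short code is 1066 followed by 4 to 12 more digits.
PREMIUM_NUMBER_RE = re.compile(r'(?<!\d)1066\d{4,12}(?!\d)')
SEND_SMS_RE = re.compile(r'\.send(Multipart)?TextMessage\s*\(')
CARRIER_FILTER_RE = re.compile(r'startsWith\s*\(\s*"10"\s*\)')
MANIFEST_PERMS = ("SEND_SMS", "READ_SMS", "WRITE_SMS")
SMS_URI = "content://sms"


@dataclass
class Indicators:
    permissions: list
    sends_sms: bool
    premium_numbers: list
    observes_inbox: bool
    deletes_sms: bool
    filters_carrier_senders: bool


def _statements(src: str) -> list:
    """Split Java-like text on ';' so paired checks stay within one statement."""
    return [s for s in (p.strip() for p in src.split(";")) if s]


def scan_sources(manifest: str, sources: str) -> Indicators:
    stmts = _statements(sources)
    return Indicators(
        permissions=sorted(p for p in MANIFEST_PERMS
                           if f"android.permission.{p}" in manifest),
        sends_sms=bool(SEND_SMS_RE.search(sources)),
        premium_numbers=sorted(set(PREMIUM_NUMBER_RE.findall(sources))),
        # Observer registered on the SMS provider: the hook that sees new messages.
        observes_inbox=any("registerContentObserver" in s and SMS_URI in s for s in stmts),
        # delete() against the SMS provider, URI and call in the same statement.
        deletes_sms=any(".delete(" in s and SMS_URI in s for s in stmts),
        filters_carrier_senders=bool(CARRIER_FILTER_RE.search(sources)),
    )


def verdict(ind: Indicators) -> str:
    """Rank by the combination that separates HippoSMS from an ordinary SMS app."""
    if ind.sends_sms and ind.premium_numbers and ind.observes_inbox and ind.deletes_sms:
        return "HIGH: sends to a hard-coded 1066 number and hides inbound carrier SMS"
    if ind.sends_sms and ind.premium_numbers:
        return "MEDIUM: sends SMS to a hard-coded 1066 number"
    if ind.deletes_sms and ind.filters_carrier_senders:
        return "MEDIUM: deletes inbound SMS from '10...' senders"
    return "LOW: no HippoSMS-style indicator combination"


# Constructed samples (not from the real HippoSMS or its host app).
MALICIOUS_MANIFEST = """<manifest package="com.example.repackaged">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
</manifest>"""

MALICIOUS_SRC = """
public class BillingService extends Service {
    public int onStartCommand(Intent i, int flags, int id) {
        // placeholder number, NOT the one hard-coded in the real sample
        SmsManager.getDefault().sendTextMessage("10661234567", null, "SP", null, null);
        getContentResolver().registerContentObserver(
            Uri.parse("content://sms"), true, new HideObserver(new Handler()));
        return START_STICKY;
    }
}
class HideObserver extends ContentObserver {
    public void onChange(boolean self) {
        Cursor c = ctx.getContentResolver().query(Uri.parse("content://sms/inbox"), null, null, null, null);
        String addr = c.getString(c.getColumnIndex("address"));
        if (addr.startsWith("10")) {
            ctx.getContentResolver().delete(Uri.parse("content://sms/" + c.getString(0)), null, null);
        }
    }
}
"""

BENIGN_MANIFEST = """<manifest package="com.example.smsbackup">
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

BENIGN_SRC = """
public class BackupService extends Service {
    public int onStartCommand(Intent i, int flags, int id) {
        Cursor c = getContentResolver().query(Uri.parse("content://sms/inbox"), null, null, null, null);
        uploader.push(c);
        return START_NOT_STICKY;
    }
}
"""

if __name__ == "__main__":
    for name, m, s in (("repackaged", MALICIOUS_MANIFEST, MALICIOUS_SRC),
                       ("backup", BENIGN_MANIFEST, BENIGN_SRC)):
        ind = scan_sources(m, s)
        print(name, verdict(ind), ind.premium_numbers)
```

A scan like this is triage, not a signature: a legitimate messaging app may also delete messages from the SMS provider, and obfuscated samples can build the destination number at runtime, so a HIGH result should be confirmed by running the app in an emulator and watching for outbound SMS and inbox deletions.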
To our knowledge, the malware targets users in China, and we have not found the threat in the official Android Market.
For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on your phone (unexpected charges, missing carrier messages) and make sure you have up-to-date security software installed on your phone.
Updates
- 07/11/2011: We have been busy contacting, or being contacted by, leading mobile anti-virus companies and research labs for signature extraction, including Lookout, Symantec, Kaspersky, AVG, SmrtGuard, Juniper, Sophos, Webroot, SRA, McAfee, F-Secure, ...
- 07/11/2011: This article goes online.
- 07/10/2011: We detected four instances of HippoSMS.
Last modified: July 11th, 2011