Security Alert: New Rogue App RogueLemon Found in Alternative Chinese Android Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Nowadays, smartphone users in China tend to subscribe to value-added services, such as buying
ringtones and eBooks, by simply sending SMS messages to a particular service provider's number
(i.e., SP number). Unfortunately, this convenience also opens the door to SMS
fraud through hidden or unwanted charges, causing financial loss to users. To mitigate this
problem, there is an official policy (enforced in China) that requires user confirmation for
any subscribed value-added service. In essence, the policy requires service providers to
send the ordering information to users so that they can confirm the subscription. Only after users
have confirmed the subscription may service providers start billing for the value-added service.
As a result, the typical process for a user to subscribe to a particular mobile service
involves three steps:
- 1: A user sends a service-subscribing SMS message to a service provider (SP).
- 2: The SP replies with a service-confirming SMS message that contains the detailed information of the service
(including the associated cost).
- 3: The user confirms the subscription by replying with another SMS message with certain
content such as "Y." Otherwise, the user does not intend to
sign up for the service and he or she should not be charged.
We earlier detected a number of rogue apps (named
RogueSPPush) which violate this policy. This week,
my research team, in collaboration with NQ Mobile,
identified an additional set of rogue apps, which we call RogueLemon, that similarly violate this policy. One difference, however,
is that instead of hard-coding the content and destination number of the confirming (SMS) messages, RogueLemon
retrieves the content and destination number from a remote (C&C) server.
In addition, presumably with the intention of bypassing detection by existing mobile anti-virus software,
the destination number(s) are received in encrypted form. RogueLemon has decryption
code in place to recover the original destination number for automatic confirmation.
How it works
RogueLemon registers an SMS receiver in the app's manifest file with a high priority
(i.e., 99999). This ensures that its receiver is notified of incoming SMS
messages before other receivers (with lower priorities).
When a new SMS message arrives, RogueLemon retrieves the originating address
and content from the message. It then checks whether the message is from the
service provider and carries the information about the subscribed value-added service that
needs to be confirmed
by the user. If so, instead of notifying the user about this new incoming SMS message, it
hides the message to prevent the user from knowing about it. At the same time,
RogueLemon connects to a remote server, submits
the originating address and content of the received SMS message, and retrieves the response
from the remote server. According to our analysis, this response contains the
(encrypted) phone number and the (plain text) content of an SMS message. This plain
text SMS message is then sent to the decrypted phone number to complete the
subscription to the value-added service in the background, without the user's awareness.
The following figure shows this process.
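As an added defender-side example (not code from the original alert or from the research team), the following script checks an AndroidManifest.xml for the registration pattern described above: a receiver for SMS_RECEIVED with an abnormally high priority, combined with the permissions needed to receive and send SMS and reach a remote server. The sample manifest, the receiver names and the priority threshold are constructed assumptions; only the 99999 priority comes from the alert.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: XML namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
NEEDED_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
                "android.permission.INTERNET"}

# Constructed sample manifest (not RogueLemon's own): one ordinary receiver and
# one SMS_RECEIVED receiver registered at the priority named above, 99999.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
    <receiver android:name=".SmsHook"><intent-filter android:priority="99999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def high_priority_sms_receivers(manifest_xml, min_priority=1000):
    """[(receiver name, priority)] for receivers of SMS_RECEIVED whose
    android:priority >= min_priority (threshold is an assumption; default is 0)."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            try:
                prio = int(flt.get(A + "priority", "0"))
            except ValueError:
                prio = 0  # e.g. "@integer/..." resource reference: treat as default
            if prio >= min_priority:
                hits.append((receiver.get(A + "name", "?"), prio))
    return hits

def suspicious(manifest_xml, min_priority=1000):
    """True when a high-priority SMS receiver is paired with the permissions the
    described behaviour needs: receive SMS, send SMS and reach a remote server."""
    perms = {p.get(A + "name") for p in ET.fromstring(manifest_xml).iter("uses-permission")}
    return bool(high_priority_sms_receivers(manifest_xml, min_priority)) and NEEDED_PERMS <= perms

if __name__ == "__main__":
    print(high_priority_sms_receivers(SAMPLE_MANIFEST), suspicious(SAMPLE_MANIFEST))
```

On Android 4.4 and later only the default SMS app can consume the SMS_RECEIVED broadcast, so the receiver-priority trick only hides messages on older devices; the manifest pattern nevertheless remains a useful triage signal when reviewing apps from third-party markets.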
Mitigation
We found these RogueLemon apps in unofficial Chinese Android markets. To the best of our
knowledge, the threat is not present in the official Android Market. For mitigation,
please follow basic, common-sense guidelines for smartphone security. For example:
- download apps from reputable app stores that you trust; and always check reviews,
ratings as well as developer information before downloading;
- check the permissions on apps before you actually install them and make sure you
are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of mobile phones and make sure you
have up-to-date security software installed on your phone.
Follow-ups
- 10/19/2011: This article was made public.
- 10/11/2011: We detected the first RogueLemon instance.
Last modified: October 19, 2011