New Rogue Android App -- <i>RogueSPPush</i> -- Found in Alternative Android Markets

New Rogue Android App -- RogueSPPush -- Found in Alternative Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Due to the convenience, it is getting increasingly popular for users in China to subscribe to a value-added mobile service by simply sending/receiving SMS messages. However, the popularity also leads to potential SMS fraud for hidden charges. For example, some service providers (SPs) may lure mobile users into unwittingly signing up for premium SMS services. For mitigation, there is a policy (e.g., [1] issued by the Ministry of Information Industry of China in 2007) to require user-confirmation for the subscribed value-added service. In essence, the policy requires service providers to send the ordering information to users for them to confirm the subscription. Only after users have confirmed the subscription, service providers may start billing for the value-added services. As a result, the typical process for a user to subscribe to a particular mobile service involves three steps:

1: A user sends a service-subscribing SMS message to a service provider (SP).
2: The SP replies a service-confirming SMS message that contains the detailed information of the service (including the associated cost) back to user.
3: The user needs to confirm the subscription by replying back again another SMS message with certain content such as "Y." Otherwise, the user does not mean to sign up for the service and he or she should not be charged.

Our study indicates that there exist a number of rogue Android apps -- RogueSPPush -- that violate or bypass the required user-confirmation policy. More specifically, after receiving service-confirming SMS messages (about premium SMS services), these rogue apps will automatically confirm the subscription without users' awareness. Our analysis also shows that these rogue apps even attempt to remove billing messages (sent from legitimate mobile phone service providers) to prevent users from knowing about the associated charges.

How it works

RogueSPPush registers a SMS receiver in the app's manifest file with a high priority (i.e., 10000). This high priority ensures that its receiver will be notified to handle incoming SMS messages ahead of other receivers (with lower priorities).

After receiving a new SMS message, RogueSPPush retrieves the originating address and content from the message. Then it will check the message body to see whether the received SMS message is the service-confirming message that needs to be confirmed by the users. If so, it will automatically respond "Y" to this SMS message as the confirmation without user's awareness. Moreover, if the originating address of received SMS message starts with 10086 (or 10658) and the message body contains relevant service information, RogueSPPush will silently delete this SMS message. Note that the number 10086 represents legitimate mobile phone service provider (China Mobile Limited) in China and is typically used to notify users about the services they are ordering and the information of users' current balance of their mobile phone accounts. As a result, users may not know that they have been charged by SPs.

Based on a sample we analyzed, the following code snippet shows the above functionality.

Mitigation:

We found these RogueSPPush apps in unofficial Chinese Android markets. To the best our knowledge, we do not find the threat in the official Android Market. For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,

download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.

Follow-ups:

08/16/2011: This article goes public
08/12/2011: We detected eight samples of RogueSPPush.

[1] http://www.xca.gov.cn/news_view.asp?id=4388 [In Chinese] (Google Translate)

Last modified: August 16th, 2011