Security Alert: New TigerBot Malware Found in Alternative Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Mobile malware continues to show up in application markets. Most recently, my research team, in collaboration with NQ Mobile, has discovered a new malware called TigerBot in popular third-party Android markets. Unlike most existing malware, which is controlled through the web, this malware is controlled via SMS messages. Based on our current analysis, it has a built-in payload to execute a variety of commands, ranging from uploading the current location and sending SMS messages to recording phone calls. Also, to hide its existence, the malware shows no icon on the home screen and disguises itself with legitimate app names, pretending to be an app from a legitimate vendor such as Google or Adobe.

How it works

When TigerBot is installed, no icon appears on the home screen. When it is shown in the installed app list, it uses the same icons as popular apps (e.g., Google's search app) and common app names (e.g., "system" or "flash"). By doing so, the malware intends to avoid being noticed by users. In the following, we show an example icon and app name as reported in the app list.

TigerBot can be remotely controlled by sending SMS messages. In order to receive remote commands, it registers a receiver with a high priority to listen to the intent with action "android.provider.Telephony.SMS_RECEIVED". As a result, it can receive and intercept incoming SMS messages before others with lower priorities.
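The two traits described above (no launcher icon, and a high-priority receiver for "android.provider.Telephony.SMS_RECEIVED") can both be checked statically from a decoded AndroidManifest.xml. The following triage script is an added example written for this page, not code from TigerBot or from the research team: it parses a manifest with Python's standard XML library, records whether any activity declares a MAIN/LAUNCHER intent filter, lists every receiver that listens for SMS_RECEIVED together with the priority it requests, and reports findings. The package names, class names and the priority threshold are assumptions; the two sample manifests are constructed for illustration.

```python
# Added triage script (not the original page's code): parses a decoded
# AndroidManifest.xml and flags the two TigerBot traits described above.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
# Assumed threshold: priorities above this are unusual for a normal SMS app.
PRIORITY_THRESHOLD = 999


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _names(flt, tag):
    """Set of android:name values of the given child tag of an intent-filter."""
    return {_attr(child, "name") for child in flt.findall(tag)}


def triage_manifest(manifest_xml):
    """Return a dict with launcher presence, SMS receivers and textual findings."""
    result = {"has_launcher": False, "sms_receivers": [], "findings": []}
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return result

    # Trait 1: a MAIN/LAUNCHER activity is what puts an icon on the home screen.
    for activity in app.findall("activity"):
        for flt in activity.findall("intent-filter"):
            if MAIN_ACTION in _names(flt, "action") and \
               LAUNCHER_CATEGORY in _names(flt, "category"):
                result["has_launcher"] = True

    # Trait 2: a receiver for SMS_RECEIVED, and the priority its filter asks for.
    for receiver in app.findall("receiver"):
        for flt in receiver.findall("intent-filter"):
            if SMS_RECEIVED in _names(flt, "action"):
                raw = _attr(flt, "priority")
                try:
                    priority = int(raw) if raw is not None else 0
                except ValueError:  # resource reference or junk: treat as default
                    priority = 0
                result["sms_receivers"].append((_attr(receiver, "name"), priority))

    for name, priority in result["sms_receivers"]:
        if priority > PRIORITY_THRESHOLD:
            result["findings"].append(
                "receiver %s listens for SMS_RECEIVED at priority %d" % (name, priority))
    if result["sms_receivers"] and not result["has_launcher"]:
        result["findings"].append(
            "SMS receiver present but no launcher activity (app hides its icon)")
    return result


# Constructed sample manifests with hypothetical package and class names.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flash">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="flash">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(xml)
        print(label, "->", report["findings"] or ["no findings"])
```

Run it against the manifests produced by a decoder such as apktool; a legitimate messaging app may also register for SMS_RECEIVED, so the combination of a very high priority with a missing launcher activity is the signal worth escalating, not either trait alone.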

Upon receiving a new SMS message, TigerBot checks whether the message is a specific bot command. If so, it prevents the message from being seen by the user and then executes the command accordingly. Based on our current analysis, it supports the following commands:

Our analysis shows that some of the above commands may not be perfectly supported. For example, to support the command to remotely reboot the device, it simply broadcasts the intent "android.intent.action.REBOOT". Also, the command to kill other processes may only work on early Android versions. The following screenshot shows the code snippet in TigerBot that reboots the device.

Mitigation:

We found this malware in unofficial Chinese Android markets. To the best of our knowledge, the threat is not present in the official Android Market. For mitigation, please follow common-sense guidelines for smartphone security. For example,

Last modified: April 6, 2012