Fortinet Blog | News and Threat Research

Tracking Android/Foncy

by Axelle Apvrille  |  June 06, 2012  |  Category: Security Research

Denis Maslennikov reported a new SMS trojan, Android/Mania, which emanates from France. This malware has no outstanding functionality: it silently sends SMS messages to a short number, something we see only too often in mobile malware, except that it clearly originates from France. As our European lab is based in France, we investigated it with particular interest. Thanks, Denis, for sharing.

What we learned in a few points:

* All samples we got our hands on send 7 SMS messages to the same French short number, 84242. This is an “SMS+” short number, legitimately rented to various service providers. The malware sends SMS messages with the body MANIA, TEL or QUIZ.

* If the infected phone receives a response from 84242 (e.g. a service notification), the malware forwards the incoming SMS to one of 4 French mobile phone numbers. Those 4 numbers correspond to prepaid subscriptions, and there is strong indication they were bought by the same person.

* Mania is a variant of Foncy: the 4 prepaid mobile phone numbers were used by the authors of Android/Foncy. Thus, we detect Mania as Android/Foncy.C!tr.dial.

* Intentionally or not, the malware discards all other incoming SMS messages on the phone. So, if your phone is unable to receive SMS and your subscription charges go up, you might be infected with Mania. Check it!

* The malicious samples include screenshots of a few other apps. Our best guess is that the malware author probably also trojaned those tools, so be extra cautious if you plan on installing an unofficial version of Walk and Text, Mortal Combat 3, The Sims 3 or Parricus. If you believe you have an infected sample, please report it to submitvirus (at) fortinet.com.

* The Mania samples we analyzed were very similar to one another, and might have been generated by an in-house script. For example, AndroGuard shows that the code of two Android/Mania samples differs only by the message body they send to the short number:

./androdiff.py -i 039.apk D15.apk
Elements:
         IDENTICAL:     6
         SIMILAR:       1
         NEW:           0
         DELETED:       0
         SKIPPED:       0
[ ('Lcom/rvo/plpro/AndroidSecurityActivity;', 'onCreate', '(Landroid/os/Bundle;)V') ]
<-> [ ('Lorg/baole/app/blacklistpro/BlackListProActivity;', 'onCreate', '(Landroid/os/Bundle;)V') ]
onCreate-BB@0x0 onCreate-BB@0x0
Added Elements(1)
        0xa 2 const-string v3 , [ string@ 42 'TEL' ]
Deleted Elements(1)
        0xa 2 const-string v3 , [ string@ 40 'QUIZ' ]
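When triaging many sample pairs, it helps to parse this output automatically and flag pairs that differ by nothing but string literals (here, the SMS body). The parser below is an added example, not code from the post or from the AndroGuard project; its regexes assume the androdiff output layout shown above, and the embedded input is a constructed copy of that output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the androdiff output quoted in the post above.
ANDRODIFF_OUTPUT = """Elements:
         IDENTICAL:     6
         SIMILAR:       1
         NEW:           0
         DELETED:       0
         SKIPPED:       0
[ ('Lcom/rvo/plpro/AndroidSecurityActivity;', 'onCreate', '(Landroid/os/Bundle;)V') ]
<-> [ ('Lorg/baole/app/blacklistpro/BlackListProActivity;', 'onCreate', '(Landroid/os/Bundle;)V') ]
onCreate-BB@0x0 onCreate-BB@0x0
Added Elements(1)
        0xa 2 const-string v3 , [ string@ 42 'TEL' ]
Deleted Elements(1)
        0xa 2 const-string v3 , [ string@ 40 'QUIZ' ]
"""

# Assumption: these patterns follow the androdiff output layout shown in the post.
COUNT_RE = re.compile(r"^\s*(IDENTICAL|SIMILAR|NEW|DELETED|SKIPPED):\s+(\d+)\s*$")
SECTION_RE = re.compile(r"^(Added|Deleted) Elements\((\d+)\)")
STRING_RE = re.compile(r"const-string\s+v\d+\s*,\s*\[\s*string@\s*\d+\s+'([^']*)'\s*\]")

@dataclass
class DiffSummary:
    counts: dict = field(default_factory=dict)   # method-level totals (IDENTICAL, SIMILAR, ...)
    totals: dict = field(default_factory=dict)   # number of added / deleted instructions
    strings: dict = field(default_factory=lambda: {"Added": [], "Deleted": []})

def parse_androdiff(text: str) -> DiffSummary:
    """Extract method counts and the string literals that differ between two APKs."""
    summary = DiffSummary()
    section = None  # "Added" or "Deleted" while inside that instruction list
    for line in text.splitlines():
        if m := COUNT_RE.match(line):
            summary.counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            summary.totals[section] = int(m.group(2))
        elif section and (m := STRING_RE.search(line)):
            summary.strings[section].append(m.group(1))
    return summary

def differs_only_by_strings(summary: DiffSummary) -> bool:
    """True when no methods were added or removed and every changed instruction is a const-string."""
    no_method_churn = summary.counts.get("NEW", 0) == 0 and summary.counts.get("DELETED", 0) == 0
    all_strings = all(summary.totals.get(k, 0) == len(summary.strings[k]) for k in ("Added", "Deleted"))
    return no_method_churn and all_strings and summary.totals.get("Added", 0) > 0
```

Pairs for which differs_only_by_strings() returns True are good candidates for a single detection signature on the shared code, with the SMS body treated as a variable field.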

– the Crypto Girl


FortiGate mobile phone network security webinar hashdays Research privacy mobile phones microsoft stuxnet reversing Malware exploit symbos/yxes mobile malware derek manky Mobile Security zitmo trojan Cryptography Anti-Spam Anonymous Threat Landscape bredolab botnet virut Windows Zeus google Antivirus BYOD Mac OS X Security iphone sms mobile symbian Firewall adobe facebook hacking challenge android reverse engineering symbianos SpyEye Fortinet conference UTM apple challenge