Multi-platform malware poses a threat to mobile users, especially those using a Windows operating system PC

Beginning in 2012, NQ Mobile’s Security Research Center began looking out for a possible evolution of cross-platform malware, that is, malware that infects a mobile and a desktop platform at the same time.

Malware authors needed to find novel ways of infecting mobile devices more rapidly. One way to do that was to infect an already established ecosystem such as personal computers. Windows operating systems are the most widely used in the world, so this would be a likely place for a malware author to start. With this in mind, a malware author could hijack a legitimate Google Android app that would then exploit wireless and USB synchronization between the Android device and the PC. These threats have recently been discovered, and the NQ Mobile Security Research Center expects to see more of them in the near future.

Infection path 1 – AutoRun at USB synchronization between mobile device and PC

The NQ Mobile Security Center was able to identify and confirm a threat that appeared last month on Google Play¹, which uses USB synchronization. The malware hijacked a legitimate Android cache-cleaning app. When the mobile device was synchronized with the PC, the malicious app delivered a “USB AutoRun Attack”. Many will recognize AutoPlay as the feature that starts when a CD/DVD is inserted or when a device is connected via USB on Windows platforms.

What is AutoRun? It is a plain-text configuration file (Autorun.inf) that enables designated files to run automatically when an AutoRun-enabled drive (e.g. a USB flash drive) is inserted into the PC. This also makes it very easy for malware writers to obfuscate their malicious code.

What is the threat? Malware writers will target the Autorun.inf file on Windows-based systems with a worm or Trojan that then attempts to load a rootkit. The malware, which may also be a worm or Trojan, will try to copy itself to all drives, including removable drives such as flash drives, MP3/MP4 players and mapped network drives. Some worms/Trojans will also attempt to disable Windows-based antivirus software.

The difference in this most recent discovery is that it delivers a svhosts.exe file to a Windows machine once a user connects their Android device via USB. More than one instance of svhosts can be running services/applications by default on a Windows PC, and it is this multiple-instance behaviour of svhosts on Windows that creates the problem.

Malware authors can inject a backdoor into an svhosts file, which allows cyber criminals to access a Windows machine and download a malicious file that steals sensitive data or captures keystrokes (a keylogger) as the user accesses an online bank account or other financial site. This information is normally encrypted and sent to a command & control (C&C) server in locations such as Ukraine, Russia or Brazil.

Did you know? svhosts doesn’t use .exe to load files; it uses .dll instead, which is why this malware may evolve into a self-propagating variant.

Infection path 2 – Android is used to deliver the Windows malware payload

In addition to the root of the SD card, it’s also possible that malware authors could store these files in the “miscellaneous files” folder or any other non-system Android folder in the device’s memory. Once the Android device connects to Windows, svhosts would be automatically executed.

Did you know? Android Jelly Bean now has the ability to apply a permission to read contents of an SD card. This isn’t being enforced by Google right now.

Protecting Windows AutoRun from cross-platform attack

Given the malware threat posed by the Autorun.inf file, NQ Mobile suggests two options ALL users should consider:

Option 1:

Windows XP/Vista

This type of attack will not work if the user is running Windows XP/Vista with the February 2011 “AutoRun disabled by default” patch. It isn’t known right now just how many users are running XP/Vista without this patch – probably a high percentage, given that this patch was not an automatic install! See http://support.microsoft.com/kb/971029 for how to download and install this patch.

Windows 7 & 8

Microsoft fixed this issue in Windows 7 and 8 by disabling the AutoRun feature by default. It is also worth noting that Win32/AutoRun remains the most prevalent malware family on Windows platforms. Expect malware authors to find work-arounds here and with wireless synchronizing.

Option 2:

Disable the AutoRun functionality in Windows. Here is one simple way to disable AutoRun using a Windows Registry hack:

  • Open Notepad and copy/paste the following text:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

  • Change the “Save File as Type” to “All Files” before saving.
  • Save the file as ‘disableautorun.reg’ on your desktop.
  • Double-click the file to run it. This adds the data above to the Windows Registry, which tells Windows to look for Autorun.inf settings in a registry location that does not exist, so the file is ignored.
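The following Python script is an added example, not code from the NQ Mobile post or from any product it mentions. It parses an Autorun.inf in the INI-style format described above and lists the directives that would cause Windows to run a program from the drive, which is the check a USB-scanning station or an incident responder applies to removable media (a phone’s SD card included) before trusting it. The sample file content is constructed; the directive names it looks for (open, shellexecute, shell\verb\command, action, label) are standard Autorun.inf keys.

```python
"""Triage an Autorun.inf file from removable media.

Added example, not code from the NQ Mobile post. It parses the INI-style
Autorun.inf format described above and lists every directive that would make
Windows AutoRun execute a program, so a drive can be flagged before it is
trusted. The sample file content is constructed.
"""
import re
from typing import Dict, List

# Directives in the [autorun] section that run a program when AutoRun fires.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... runs a program when the user picks <verb> from the menu.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Targets with these extensions are executed rather than opened as documents.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll"}


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser. Keys are folded to lower case because Windows treats
    them case-insensitively; configparser is avoided because its interpolation
    and comment handling choke on the '%' and ';' that real files contain."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _program_of(value: str) -> str:
    """Extract the program path from a directive value, honouring quotes."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage_autorun(text: str) -> List[str]:
    """Return findings as 'SEVERITY: detail' strings; empty means nothing runs."""
    findings: List[str] = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    for key, value in autorun.items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            program = _program_of(value)
            ext = ("." + program.rsplit(".", 1)[-1].lower()) if "." in program else ""
            severity = "HIGH" if ext in EXECUTABLE_EXTS else "MEDIUM"
            findings.append(f"{severity}: '{key}' would run {program!r}")
    if "action" in autorun or "label" in autorun:
        # Cosmetic keys let the AutoPlay prompt impersonate a trusted device or action.
        findings.append("LOW: custom 'action'/'label' text can make the AutoPlay prompt look legitimate")
    return findings


# Constructed sample in the shape of the USB AutoRun attack described above.
SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample, not a real capture
open=svhosts.exe
icon=cleaner.ico
action=Open folder to view files
shell\\open\\command=svhosts.exe -s
label=Phone Storage
"""

if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN_INF):
        print(finding)
```

Run as a script it prints the findings for the constructed sample. Disabling AutoRun as described above remains the primary control; a triage script only catches drives that are actually scanned.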

Did you know? Mobile security apps provide ongoing protection that begins before apps and software are downloaded. NQ Mobile Security™ detects and quarantines this malware before the malicious files are installed on an SD card.

¹ Google Bouncer scans apps in the cloud before they are released to the Play Store. Android 4.2 also has a function called ‘Verify Apps’, which blocks, or warns users before, the installation of potentially malicious apps from the Play Store and 3rd-party markets. This option is enabled by default on Android 4.2 devices.

Note: A recent investigation by a respected researcher suggested that ‘Verify Apps’ detected only 15% of known malware. Given this research, it’s even more important to also use a mobile security solution to protect an Android device.

______________________________________________________________________________

As the world’s largest mobile security provider, NQ Mobile believes families should possess the most comprehensive knowledgebase on all aspects of mobile security and privacy when using Android, BlackBerry, Symbian, Windows Phone and Apple iOS devices. NQ Mobile aims to inform and educate families on the current and future threats and suggest simple methods on how to stay safe and not end up in financial debt when using a mobile device.

Security Alert: VDLoader–Android Malware Disguised as SMS Messages

NQ Mobile’s Security Research Center has just discovered VDLoader, another new Android malware. This one not only loads uninvited, infected apps onto your phone, it also upgrades itself automatically.

Researchers have found VDLoader to be the first Android malware with the ability to auto-update. The fact that it can bring infected apps and URLs to your phone makes it a considerable threat.

How it works
This malware injects itself into normal apps and hides there until it is triggered. There’s no corresponding icon in the phone’s app table, so you won’t know it’s there. When signaled, it starts its dirty work, connecting to the Internet to receive commands from its remote server, which instructs it to download infected apps without your knowledge. VDLoader arrives disguised in SMS notifications, or text messages. It not only causes unnecessary data consumption, which could lead to financial loss, but also introduces a serious security threat to your smartphone.

1. Ciphering
VDLoader encrypts several important strings in its code using the AES algorithm, making it more difficult to analyze. The malware parses the decrypted string to extract the server’s address.

2. Interacting with server
It first collects information about the applications installed on the phone and sends the list of their package names via an HTTP request.

The server will reply with a command that contains the information about which application to download, including the package name, and the URL of the package.

By parsing that command, it gets the URLs to connect to, then downloads the specified apps, storing them under /sdcard/download. Camouflaged as SMS notifications, the apps are installed when the user clicks the detailed items in the fake SMS message. The downloaded applications, zj_flashlight.apk and zj_NinjaChicken_other.apk, are variants of VDLoader and demonstrate similar behaviors.

Protect Yourself from VDLoader
NQ Mobile Security users are already fully protected from VDLoader and all other malware threats. If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from VDLoader (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.

 

Security Alert: New Malware — DyPusher — Invades Privacy and Causes Financial Loss

NQ Mobile’s Security Research Center recently uncovered new Android malware, which we have named DyPusher. DyPusher differs from other app pushers we’ve seen in the past: not only does it communicate with a remote server, it also dynamically downloads and loads JAR files, and downloads apps without the user’s consent.

DyPusher is capable of uploading your device information and comparing it against an installation list. In addition, DyPusher downloads apps from the internet without the user’s consent, causing expensive data consumption.

How Does It Work?

Without an icon in the application table, DyPusher hides itself by using a package name that begins with “com.android.”, so it is easily mistaken for just another normal Android system component. DyPusher begins its dirty work at system boot. First, it collects your device’s information and uploads it to a remote server. When it receives this information, the server responds with an encrypted string, which is actually a download URL.

(Image: Uploading device information)

Once it retrieves the encrypted string, DyPusher decrypts it using a decryption algorithm in its SO (native library) file. Decrypted, the string turns into a URL, and DyPusher connects to that URL to download a JAR file, which it then loads dynamically in the background. Keeping the string encrypted and the algorithm hidden in the SO file lets it evade traditional detection mechanisms and makes it very difficult to analyze.

(Image: The encrypted string and algorithm)

The downloaded JAR file is then loaded. It contains a list of package names, which it compares with the package names already installed. If a package name isn’t found in the installed package list, it downloads the app from the server silently.

(Image: The downloaded JAR file is then loaded)

We also found an XML file in the original APK file, which keeps a table of several apps’ package names and hash values. We believe that, based on this XML, DyPusher can download a variety of JAR files containing different lists of package names.

(Image: DyPusher can download a variety of JAR files containing different strings of package names)
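The “com.android.” naming trick described above is cheap to counter from the analyst’s side, because a genuine platform component is installed from the read-only /system partition whereas a dropper’s payload lands in /data/app. The script below is an added example, not NQ Mobile’s tooling: it parses the output of “adb shell pm list packages -f” and flags packages whose names claim system lineage but whose APKs live in user storage. The listing it runs on is constructed, and the lookalike package name in it is invented, not a real DyPusher indicator. The same heuristic applies to the other samples on this page that hide among system components (DSMSbot, LoveSpy).

```python
"""Triage an Android package listing for system-lookalike packages.

Added example, not tooling from the NQ Mobile post. DyPusher hides under a
package name starting with "com.android." so that it blends in with system
components. Genuine platform packages are installed from the read-only
/system partition, whereas a user-installed app (or a dropper's payload) is
written under /data/app. This script parses the output of
"adb shell pm list packages -f" and flags packages whose names claim system
lineage but whose APKs live in user storage. The listing is constructed, and
the lookalike package name in it is invented, not a real DyPusher indicator.
"""
import re
from typing import List, NamedTuple

# Name prefixes used by real platform components and borrowed by malware.
SYSTEM_STYLE_PREFIXES = ("com.android.", "com.google.android.")
# Partitions that hold the platform's own packages on a stock device.
SYSTEM_PATH_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/", "/system_ext/")

# One line of `pm list packages -f`: package:<apk path>=<package name>
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[A-Za-z0-9_.]+)$")


class Package(NamedTuple):
    name: str
    path: str


def parse_pm_list(output: str) -> List[Package]:
    """Parse `pm list packages -f` output; lines that do not match are skipped."""
    packages: List[Package] = []
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages.append(Package(match.group("name"), match.group("path")))
    return packages


def is_system_lookalike(pkg: Package) -> bool:
    """True when the name claims system lineage but the APK is in user storage."""
    claims_system = pkg.name.startswith(SYSTEM_STYLE_PREFIXES)
    on_system_partition = pkg.path.startswith(SYSTEM_PATH_PREFIXES)
    return claims_system and not on_system_partition


def find_lookalikes(output: str) -> List[str]:
    """Return the names of packages that deserve a closer look."""
    return [p.name for p in parse_pm_list(output) if is_system_lookalike(p)]


# Constructed listing in the format `pm list packages -f` prints.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings.apk=com.android.settings
package:/system/app/Phone.apk=com.android.phone
package:/data/app/com.example.flashlight-1.apk=com.example.flashlight
package:/data/app/com.android.providers.sync-2.apk=com.android.providers.sync
package:/system/app/Gmail.apk=com.google.android.gm
"""

if __name__ == "__main__":
    for name in find_lookalikes(SAMPLE_PM_OUTPUT):
        print(f"system-style name installed in user storage: {name}")
```

One known false positive: when a preloaded app such as Gmail is updated from the Play Store, the new APK is written under /data/app while the package keeps its system status, so confirm hits against “pm list packages -s”, which lists only the packages the package manager still considers system packages.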

 

Protect Yourself from DyPusher

NQ Mobile Security users are already fully protected from DyPusher and other malware threats.  If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from DyPusher (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.

 

Security Alert: New Malware — FireLeaker — Takes Your Contacts Without Permission

NQ Mobile’s Security Research Center recently uncovered new Android malware, which we’ve called FireLeaker. This is one we’re watching closely, as it puts users’ privacy in serious jeopardy. Disguised as a widget and silently hidden on your smartphone, FireLeaker can collect information from your contacts and upload it to a remote server.

The address book on your smartphone is where some of your most private data is stored. When you’re using your smartphone, there are many ways that scammers (or even overzealous marketers) can get to this information without your knowledge. Fortunately, your privacy can be protected if you take a few simple precautions to make sure the bad guys can’t get to your private contacts. Let’s start by understanding how this malware works.

How it works

FireLeaker starts with a system boot, launching its malicious service:

(Image: System boot)

Once the malicious service starts, FireLeaker collects information about your contacts by accessing the system database file, retrieving details such as mail addresses, telephone numbers and other personal information.

(Image: Accessing your system database file)

As well as the contact information, FireLeaker collects device information, such as your IMEI and service provider name.

(Image: FireLeaker collects device information)

When an SMS is received, it also resolves the message information.

After it accesses all your data, FireLeaker starts uploading everything it has collected. It implements a timer to connect to the server every four minutes. Each server URL is encrypted, and FireLeaker picks one of them at random when it uploads. The decrypted and encrypted URLs are listed below.

(Image: Resolving the message information)
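FireLeaker’s fixed four-minute timer, combined with its habit of picking one of several encrypted URLs at random, produces a recognisable pattern at the network boundary. The Python below is an added example, not code from the NQ Mobile post: it reads a connection log and flags destinations whose contact times are all integer multiples of one base period, then merges destinations of the same device that share that period so the rotating upload hosts are reported as one beacon. The log lines are constructed, and the three-field layout (epoch seconds, source device, destination host) is an assumption about the log source.

```python
"""Detect fixed-interval beaconing in an outbound connection log.

Added example, not part of the NQ Mobile post. FireLeaker uploads on a
four-minute timer and picks one of several upload URLs at random each time,
so from the network side a device contacts a small set of hosts whose
inter-connection gaps are all integer multiples of one base period. The log
lines below are constructed and the three-field layout (epoch seconds,
source device, destination host) is an assumption about the log source.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

BeaconHit = Tuple[str, str, float, int]  # (source, destination, period_s, hits)


def parse_log(lines: List[str]) -> Dict[str, Dict[str, List[float]]]:
    """Group connection timestamps by source device and then by destination."""
    by_src: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # header, blank or malformed line
        ts, src, dst = parts
        by_src[src][dst].append(float(ts))
    return by_src


def fits_period(times: List[float], tolerance: float = 0.1, min_period: float = 60.0) -> float:
    """Return the base period when every gap between connections is, within
    tolerance, an integer multiple of the smallest gap; otherwise 0.0.
    Multiples (not just equal gaps) are accepted because a beacon that rotates
    among k hosts reaches any one host only every k-th tick on average."""
    if len(times) < 3:
        return 0.0
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    base = min(gaps)
    if base < min_period:  # sub-minute 'periods' are noise, not a timer
        return 0.0
    for gap in gaps:
        k = round(gap / base)
        if k < 1 or abs(gap - k * base) > tolerance * base:
            return 0.0
    return base


def detect_beacons(lines: List[str], tolerance: float = 0.1,
                   min_hits: int = 3, min_period: float = 60.0) -> List[BeaconHit]:
    """Flag (source, destination) pairs whose contact times fit one period."""
    hits: List[BeaconHit] = []
    for src, dsts in parse_log(lines).items():
        for dst, times in dsts.items():
            if len(times) < min_hits:
                continue
            period = fits_period(times, tolerance, min_period)
            if period:
                hits.append((src, dst, period, len(times)))
    return hits


def cluster_by_period(beacons: List[BeaconHit], tolerance: float = 0.1) -> Dict[Tuple[str, float], List[str]]:
    """Merge destinations of one source whose periods are multiples of a shared
    base, so a sample that rotates among several upload hosts is reported once."""
    clusters: Dict[Tuple[str, float], List[str]] = {}
    for src, dst, period, _hits in sorted(beacons, key=lambda b: b[2]):
        for (csrc, cperiod), members in clusters.items():
            if csrc != src:
                continue
            k = round(period / cperiod)
            if k >= 1 and abs(period - k * cperiod) <= tolerance * cperiod:
                members.append(dst)
                break
        else:
            clusters[(src, period)] = [dst]
    return clusters


# Constructed log: "<epoch seconds> <source device> <destination host>".
# phone-01 beacons every 240 s, rotating among three upload hosts, and also
# fetches from a CDN at irregular times.
SAMPLE_LOG = """\
# ts src dst
1000 phone-01 upload-a.example
1100 phone-01 cdn.example
1240 phone-01 upload-a.example
1400 phone-01 cdn.example
1480 phone-01 upload-b.example
1720 phone-01 upload-b.example
1960 phone-01 upload-c.example
2050 phone-01 cdn.example
2200 phone-01 upload-a.example
2440 phone-01 upload-c.example
2680 phone-01 upload-c.example
2900 phone-01 cdn.example
2920 phone-01 upload-b.example
3160 phone-01 upload-a.example
3400 phone-01 upload-b.example
3500 phone-01 cdn.example
3640 phone-01 upload-c.example
""".splitlines()

if __name__ == "__main__":
    for (src, period), hosts in cluster_by_period(detect_beacons(SAMPLE_LOG)).items():
        print(f"{src}: {len(hosts)} hosts share a {period:.0f}s beacon period: {', '.join(hosts)}")
```

The tolerance parameter absorbs jitter from network delay and the minimum period filters out sub-minute chatter; on a real proxy or NetFlow export you would first drop destinations on an allowlist, since legitimate apps also poll on timers.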

 

Protect Yourself from FireLeaker

NQ Mobile Security users are already fully protected from FireLeaker and all other malware threats.  If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from FireLeaker (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.

 

Security Alert: New Android Spyware—LoveSpy—SMS controlled spyware

NQ Mobile’s Security Research Center recently uncovered new Android spyware, which we named after its package name: LoveSpy. It was first found in Google Play and was removed from the market soon after its discovery. The app was described as “Very simple but very powerful to see received sms and calls on a target phone! No internet connection needed but beware it will use SMS so be carefull!” It is controlled by SMS and runs silently in the background.

How it works

LoveSpy disguises itself as a system setting and won’t appear as an icon in the application table.

(Image: LoveSpy disguises itself as a system setting)

LoveSpy starts when the device boots up and registers a receiver to monitor incoming SMS. When successfully launched, LoveSpy sends the five latest call records to a specific number, “3453358959”, to test that it works properly.

When an SMS is received, LoveSpy has priority over the system to process the message body. If the message contains specific instructions, LoveSpy hides the message from the user and carries out the instruction.

Instructions and their corresponding functions are in the following table.

(Image: LoveSpy instruction table)

 

Protect Yourself from LoveSpy

NQ Mobile Security users are already fully protected from LoveSpy and all other malware threats.  If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from LoveSpy (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.
  • Download NQ Mobile Security for Android today to make sure you’re protected against mobile malware and other privacy threats.

Security Alert: New Android Malware—DDSpy—Fake Gmail Steals Your Privacy

NQ Mobile’s Security Research Center recently uncovered new Android malware—DDSpy—which disguises itself as Gmail and runs silently in the background, stealing your personal data. If you’re infected with this malicious application, you won’t see an icon for it. Instead, it will hide in your app list and wait for instructions from a remote server, which will send commands via SMS.

When DDSpy receives a command, it configures the upload email address and determines what content to steal. Our research shows that it’s capable of uploading the user’s SMS, call log and voice recordings. In addition, it reserves a GPS-uploading interface for future development. Because of this strange activity, we are concerned that it will evolve into more malicious spyware.

 

How it works

When DDSpy is installed, it waits for a remote server (controlled by the malware author) to send these messages: “BOOT_COMPLETED”, “SMS_RECEIVED” and “PHONE_STATE”. Once these messages are received, it starts stealing and uploading your personal information.

1. Email Configuration

There’s a default email address coded into DDSpy, which can also be configured by SMS command. The command includes the following: a command flag, the receiving email address, the sending email address and password, and the uploading time.

2. Call Recording

DDSpy starts recording on two occasions: when it detects outbound calls, and when it’s configured to by SMS. The SMS command defines when recording starts and stops and sets the recording time. Either occasion can start the recording service in the background. The service records the call and stores the recording file in the SDCard/DCIM/.thumbnails/ directory.

 

3. Information Preparation

Whenever a call is made or an SMS message is received, DDSpy adds a row to the database it maintains. Because DDSpy is installed on the Android device without your knowledge, you won’t see any signs that you’ve been bugged. However, every call you make and every SMS message you send will be recorded in the database, to be uploaded to the configured email address.

4. Uploading

The uploading process is also configurable. A default uploading mode is coded into the application. At a certain time each day, DDSpy sends the information it has collected to an email address in a set format. The sent email contains the SMS records, the call log and the voice recordings of calls.

5. Further Study

Some personal information is related to financial business, such as your online bank account number. If this important and confidential information is leaked, your data could be at risk of theft. During our analysis, we found some unused interfaces that used GPS technology. For this reason, we expect this malware to evolve and we will keep an eye on this trend.

 

Protect Yourself from DDSpy

NQ Mobile Security users are already fully protected from DDSpy and all other malware threats.  If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from DDSpy (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.

New Android Malware—DSMSbot—A Costly and Malicious App

NQ Mobile’s Security Research Center recently discovered DSMSbot, a new Android malware that masquerades as a system service and sends premium-rate SMS messages from infected phones.

At the beginning of 2012, our research team made some predictions about mobile malware. They predicted that we’ll see more SMS-related fraud scams that charge users high rates for SMS messages and collect users’ personal data. Our team couldn’t have been more on target with this prediction. We’re not even halfway through the year and we’ve already seen numerous SMS-related malware cases.

DSMSbot is our latest SMS-related malware discovery. It disguises itself as a system upgrade and spreads via SMS messages. Once installed, DSMSbot registers a remote Command and Control (C&C) server, which instructs the infected phones to send SMS messages to premium (and very expensive) numbers and collect information about victims.

How it works

A few months ago, we saw a wave of Russian malware that sent premium-rate SMS messages. DSMSbot is similar to these types of malware in some ways—it’s from Russia and it sends premium-rate SMS messages. However, in previous malware cases, the premium numbers and code were hardcoded in configuration files. DSMSbot retrieves the premium number and code online.

DSMSbot doesn’t show up as an icon. Instead, it hides among the system components on your phone, making it difficult to distinguish from the other system components.

Once it’s installed on your phone, DSMSbot checks in with the C&C server it’s been instructed to communicate with. It collects and shares information about your phone, including your phone’s IMEI number, model, and operating system version. It also shares your contacts list and other information about you.

When the server receives this information about your phone, it responds with specific instructions in a fixed format. These instructions include a premium-rate number and code, as well as a list of keywords contained in the receipt SMS. Like other SMS-related malware, DSMSbot intercepts any receipt SMS messages from the SMS service so that you don’t become aware of the charges incurred when the messages are sent.

By tracking the evolution of Russian SMS-related malware, it’s clear that malware authors are finding more sophisticated ways to make money from this type of malware. Because they can only send premium-rate SMS messages for a short time (until victims figure out what’s going on), they’re finding new ways to make sure victims don’t detect the malware or the outgoing premium-rate messages. DSMSbot uses a remote server, rather than a local configuration, to make the malware harder to detect.

Protect Yourself from DSMSbot

NQ Mobile Security users are already fully protected from DSMSbot and all other malware threats.  If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from DSMSbot (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.

New Android Malware—GeofeeBot II—Infects 20,000 Smartphones

NQ Mobile’s Security Research Center recently uncovered GeofeeBot II, an upgraded form of GeofeeBot. The original GeofeeBot was one of the most sophisticated fee-consuming programs infecting Android devices, and we believe that GeofeeBot II is even worse. It hides in popular games, such as “Plants vs Zombies,” and has currently infected more than 20,000 devices. Once it infects your device, it communicates with remote command and control (C&C) servers for further instructions (which will cost you money).

Unlike earlier repackaged malware, GeofeeBot II’s malicious code is embedded in a legitimate app’s packages, instead of being an independent package. It also has the ability to send SMS messages to different service provider (SP) numbers, based on the infected device’s location, while hiding these messages from the smartphone’s owner.

How it works

Once it’s activated, GeofeeBot II registers a receiver to:

  • Communicate with remote command and control (C&C) servers for further instruction.
  • Send out premium-rate SMS messages, based on the user’s GPS location, incurring fees (typically high ones) for the users.
  • Block any receipt SMS messages so users can’t see what’s going on.

The receiver can deal with incoming SMS messages before the system does. As a result, any suspicious activity usually goes unnoticed.

GeofeeBot II uses the device’s GPS capabilities to find the location of the infected device. If that fails, it tries to get the infected user’s cell phone number or identification. Once it has one of these pieces of data, GeofeeBot II queries the Google Maps API to find out where the device is located. GeofeeBot II then tries to find an SP number matching that location in its SP number database.

The malicious capabilities of GeofeeBot II are extensive. This malware can send messages to a remote server containing the smartphone’s GPS information, SP name and application name. Based on the SP name and GPS information, the server responds with a command containing the number of SMS messages to send, the premium-rate number and the premium-rate code. Once these messages are sent, infected users usually don’t find out about them until they start incurring high mobile phone bills.

Our researchers have uploaded different GPS and SP data to the server and have verified that it responds with different commands to different GPS and SP combinations. This is exactly what the first generation of GeofeeBot did. However, GeofeeBot II now obtains the commands from a remote server instead of storing them locally, making this malware smarter and more flexible.

Meanwhile, it can download a configuration table from the server indicating which SMS messages should be blocked from infected users and what content those messages contain.

Protect Yourself from GeofeeBot II

NQ Mobile Security users are already fully protected from GeofeeBot II and all other malware threats.  If you don’t have a powerful mobile security app on your phone, we recommend that you take the following precautions to prevent any damage from GeofeeBot II (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings and developer information before you download anything.
  • Never accept application requests from unknown sources. Closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it offers in its official list of features.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.
  • Download NQ Mobile Security for Android today.

 

Security Alert: New Android Malware—CalDX—Wreaks Havoc on Your Calendar

NQ Mobile’s Security Research Center recently uncovered CalDX, new Android malware that sends costly, premium-rate SMS messages from your smartphone. It also silently blocks the receipts for these SMS messages, so most victims don’t realize what’s going on until they’re hit with a high phone bill. We’ve seen quite a few cases of SMS malware lately (in fact, we just blogged about this trend), but this one is different. CalDX also has the ability to exploit your calendar to store its malicious codes, rather than storing them in a common database or configuration table.

CalDX is repackaged into other legitimate apps, mostly tool applications such as compass and flashlight apps. The simple interfaces hide the malicious behavior deeply, and the unusual storage method makes it difficult for analysts to catch.

How It Works

Once CalDX receives the “SMS_RECEIVED” or “BOOT_COMPLETED” broadcast, it kicks off malicious services in the background. One service registers a receiver to handle incoming SMS messages as a backup to the one registered in AndroidManifest.xml.

(Image 1)

Another service conducts most of the malicious activity. First, it sends a registration SMS message to an appointed number so that the malware author can take control of the device. Next, CalDX writes data to the calendar. This data consists of four parts: the premium-rate number, the premium-rate code, the date on which to send SMS messages and a flag indicating sending status. Our researchers have found that CalDX can lurk on your device for three months, disguised as a friendly app but really costing you money by sending premium SMS messages.

(Image 2)

In addition, once the malware author has retrieved the mobile number, CalDX receives command SMS messages from the malware author. When it does, CalDX automatically updates the calendar with the new premium number, code and sending date, making sure that all command and receipt messages are blocked from the user.

Protect Yourself from CalDX

NQ Mobile Security users are already fully protected from this and all other malware threats. If you don’t have a powerful mobile security app on your phone, we recommend that you take the following precautions to prevent any damage from CalDX (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings and developer information before you download anything.
  • Never accept application requests from unknown sources. Closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it offers in its official list of features.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.
  • Download NQ Mobile Security for Android today.


Security Alert: New Android Malware—OsSpy—Works as a Malicious Team

NQ Mobile’s Security Research Center recently uncovered new Android malware, which hides in the background and tells scammers your location. We named this malware—which is actually a pair of threats—OsSpy because it spies on you without your knowledge if you’re infected.

OsSpy is all about teamwork. This deceptive duo works together so that neither threat can be uninstalled easily. Once the first malicious application is installed, it makes sure that the other is immediately installed. If you’re infected and able to successfully uninstall one of the apps, the other one will constantly send you pop-up messages, telling you to install the other app. This annoying tactic will make your device harder to operate, as you’ll be constantly bombarded with pop-up messages. To make matters worse, OsSpy will send an SMS message to the malware author (at a certain number) to alert the scammer that you’ve uninstalled one of the apps.

How It Works

The two malicious apps that make up the OsSpy threat work as a team. To help you understand this concept, think of the apps as a pair: there’s a chief app and an accessory app. Both apps work hard to protect each other.

The accessory app exists primarily to protect the chief app from being uninstalled. It registers a receiver in its code that alerts it when the chief app is uninstalled. This alert triggers a constant series of pop-up messages, which say things like “Android system process will be shut down! Clicking button to fix it.” If you click this button, the accessory app will try to reinstall the chief app. If it’s unable to reinstall the chief app, it will send pop-up messages over and over until it succeeds in getting the app reinstalled.

When the app is uninstalled, it will also send an SMS message from your phone (without your consent) to the malware author’s number, warning the scammer that you uninstalled the app.

The chief app has two main goals:

  1. To upload your location information
  2. To protect the accessory app from being uninstalled

As soon as the chief app is installed on your device, it starts working on these two tasks. It starts with a receiver that detects the “BOOT_COMPLETED” broadcast, meaning that OsSpy can launch once the Android system boots. It then starts a thread to collect your device’s information, including any GPS tracking information, and upload your data to a remote server. Here’s the address it uses:

http://www.***gps.com.cn/***ine

Protect Yourself from OsSpy

NQ Mobile Security users are already fully protected from this and all other malware threats.  If you don’t have a powerful mobile security app on your phone, we recommend that you take the following precautions to prevent any damage from OsSpy:

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings and developer information before you download anything.
  • Never accept application requests from unknown sources. Closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it offers in its official list of features.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.
  • Download NQ Mobile Security for Android today.