Security Alert: New Android Malware — TigerBot — Identified in Alternative Markets

NQ Mobile Security Research Center, in collaboration with Dr. Xuxian Jiang’s team at North Carolina State University, has recently uncovered a new piece of malware: TigerBot. Unlike most existing malware, which is controlled through the web, TigerBot is controlled via SMS messages. Based on our current analysis, it has a built-in payload that can execute a variety of commands, ranging from uploading the current location and sending SMS messages to recording phone calls. To hide its existence, it shows no icon on the home screen and disguises itself under legitimate-looking app names, pretending to be an app from a legitimate vendor such as Google or Adobe.

HOW IT WORKS?

When TigerBot is installed, no icon appears on the home screen. In the installed app list, it displays the same icon as a popular app (e.g., Google’s search app) and uses a common app name (e.g., “system” or “flash”). By doing so, the malware intends to avoid being noticed by users. In the following, we show an example icon and app name reported in the app list.

TigerBot can be remotely controlled by sending SMS messages. In order to receive remote commands, it registers a receiver with a high priority to listen to the intent with action “android.provider.Telephony.SMS_RECEIVED”. As a result, it can receive and intercept incoming SMS messages before others with lower priorities.
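A defensive triage check for the two manifest traits described above (no launcher entry, plus a prioritised receiver for SMS_RECEIVED), added here as an example and not code from NQ Mobile's analysis. It assumes the manifest has already been decoded to text XML (for example with apktool); the sample manifest, the `.CmdReceiver` name and the priority threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest for illustration, not taken from a TigerBot sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.system">
  <application android:label="system">
    <receiver android:name=".CmdReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def _names(parent, tag):
    """android:name values of all <tag> elements under parent."""
    return {e.get(ANDROID + "name") for e in parent.iter(tag)}

def sms_receivers(root, min_priority=1):
    """(receiver, priority) pairs for SMS_RECEIVED filters at or above min_priority."""
    hits = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            if SMS_ACTION not in _names(flt, "action"):
                continue
            try:
                prio = int(flt.get(ANDROID + "priority", "0"))
            except ValueError:
                prio = 0  # unparseable value: treat as the default priority
            if prio >= min_priority:
                hits.append((rcv.get(ANDROID + "name"), prio))
    return hits

def has_launcher_icon(root):
    """True if any activity or activity-alias is exposed as MAIN/LAUNCHER."""
    filters = (root.findall(".//activity/intent-filter")
               + root.findall(".//activity-alias/intent-filter"))
    return any("android.intent.action.MAIN" in _names(f, "action")
               and "android.intent.category.LAUNCHER" in _names(f, "category")
               for f in filters)

def triage(manifest_xml):
    """Flag apps that pair a prioritised SMS receiver with no launcher entry."""
    root = ET.fromstring(manifest_xml)
    receivers, hidden = sms_receivers(root), not has_launcher_icon(root)
    return {"sms_receivers": receivers, "no_launcher_icon": hidden,
            "suspicious": bool(receivers) and hidden}
```

Legitimate messaging apps also register prioritised SMS receivers, so the receiver check alone is noisy; it is the combination with a missing launcher entry that makes an app worth a closer look.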

Upon receiving a new SMS message, TigerBot checks whether the message is a specific bot command. If so, it prevents the message from being seen by the user and then executes the command accordingly. Based on our current analysis, it supports the following commands:

  • Record sounds on the phone, including phone calls, surrounding sounds, etc.
  • Change the network setting.
  • Upload the current GPS location.
  • Capture and upload the image.
  • Send SMS to a particular number.
  • Reboot the phone.
  • Kill other running processes.

Our analysis shows that some of the above commands may not be perfectly supported. For example, to support the command to remotely reboot the device, it simply broadcasts the intent “android.intent.action.REBOOT”. Also, the command to kill other processes may only work on early Android versions. The following screenshot shows the code snippet in TigerBot to reboot the device.

Mitigation:

Because TigerBot can be remotely controlled without the user’s knowledge, we believe it poses a serious threat to mobile users. To avoid becoming a victim, please follow common-sense guidelines for smartphone security:

1)  Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading.

2)  Never accept application requests from unknown sources. Closely monitor permissions requested by any application; an application should not request permission to do more than what it offers in its official list of features.

3)  Be alert for unusual behavior on the part of mobile phones and be sure to download a trusted security application that can scan the applications being downloaded onto your mobile device. NQ Mobile Security users are already fully protected from the TigerBot threat. NQ Mobile Security for Android is available for download at http://www.nq.com/mobilesecurity and on Android Market.

 
