Our security experts at the NQ Mobile Security Research Center recently discovered a new Android malware: UpdtBot. UpdtBot disguises itself as a system upgrade and spreads via SMS messages that contain a link to the malicious application file. Once installed, UpdtBot registers with a remote Command and Control (C&C) server, which instructs the infected device to send text messages, make phone calls, and download and install apps.
How it works
1. Propagation
UpdtBot spreads via SMS messages, which tell users their system is at risk and they need to install the latest system upgrade. The message contains a URL link, which claims to link to an important system upgrade but really links to the malicious app.
UpdtBot declares several trigger actions in its AndroidManifest.xml file, including BOOT_COMPLETED, BATTERY_CHANGED, CONNECTIVITY_CHANGE, and MEDIA_CHECKING, among others. It also registers a receiver dynamically to receive remote commands.
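As an added example (not code from the NQ Mobile analysis), the following Python function triages a decoded AndroidManifest.xml for the pattern described here: receivers bound to several of the named system events, combined with permissions matching the SMS, call and remote-control capabilities from the introduction. The permission mapping, the three-trigger threshold and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Trigger actions named in the post, matched on the last segment of the action string.
TRIGGERS = {"BOOT_COMPLETED", "BATTERY_CHANGED", "CONNECTIVITY_CHANGE", "MEDIA_CHECKING"}
# Assumption: standard Android permissions matching the capabilities the post
# describes; the post does not list the permissions UpdtBot actually requests.
CAPABILITY_PERMS = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.INTERNET": "contact a remote server",
}

def triage_manifest(xml_text, min_triggers=3):
    """Flag a decoded AndroidManifest.xml that pairs many system-event
    triggers with SMS, call and network permissions."""
    if "<!DOCTYPE" in xml_text:  # a manifest has no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in manifest")
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    capabilities = sorted(v for k, v in CAPABILITY_PERMS.items() if k in perms)
    receivers = {}
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name", "").rsplit(".", 1)[-1] for a in rcv.iter("action")}
        hits = sorted(actions & TRIGGERS)
        if hits:
            receivers[rcv.get(ANDROID + "name")] = hits
    distinct = set().union(*receivers.values())
    suspicious = len(distinct) >= min_triggers and len(capabilities) == len(CAPABILITY_PERMS)
    return {"receivers": receivers, "capabilities": capabilities, "suspicious": suspicious}

# Constructed sample manifest (not taken from a real UpdtBot sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysupdate">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.MEDIA_CHECKING"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

Receivers registered dynamically at runtime, which the post says UpdtBot also uses, do not appear in the manifest and need code-level inspection.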
3. Communication with C&C Server
Once UpdtBot runs, it communicates with a remote C&C server.
Figure 1 Communicate with C&C Server
Once registered on the remote C&C server, it receives instructions to carry out malicious activities. It connects to 3 different URLs to send SMS messages, dial phone numbers, and download and install software.
Here are the 3 URLs and corresponding data:
Table 1 software info
Table 2 call info
Table 3 SMS info
4. Nefarious Activities
As we illustrated above, UpdtBot can send SMS messages, make phone calls, and install software.
The following code outlines UpdtBot’s abilities:
Mitigation:
Because UpdtBot disguises itself as a system update file and can be remotely controlled by its author(s), we believe it poses a serious threat to mobile users. Our research shows that more than 160,000 Android users have been affected by UpdtBot. While we don’t have any statistics on how it’s being used by the cybercriminals who created it, we believe they’ll attempt to make money off it. Once it’s installed, the malware authors can instruct it to send messages or make calls to costly, premium-rate numbers. They can also download apps, which can quickly result in a high mobile device bill.
To protect yourself from UpdtBot (and other forms of malware), we recommend that you follow a few common-sense guidelines:
1) Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading.
2) Before you install an app, carefully review the “permissions” it requests and make sure you’re comfortable with the data it will be accessing.
3) Watch out for unusual or suspicious behavior on your mobile devices, such as unauthorized charges to your phone bill, text messages from unknown sources, and decreased battery life.
4) Download up-to-date mobile security software on your mobile device, such as NQ Mobile Security, which scans your apps for malware and helps you locate a lost or stolen device. All NQ Mobile Security users are automatically protected from this malware and all other mobile threats.
We’ll keep you updated as we learn more about this threat. Check our blog, as well as our Facebook and Twitter pages, to stay up-to-date on the latest threats.







