Security Alert: New Android Malware — UpdtBot — Spread by SMS

Our security experts at the NQ Mobile Security Research Center recently discovered a new Android malware—UpdtBot. UpdtBot disguises itself as a system upgrade and spreads via SMS messages, which contain a link to the malicious application file. Once installed, UpdtBot registers with a remote Command and Control (C&C) server, which instructs the infected device to send text messages, make phone calls, and download and install apps.

How it works

1.       Propagation

UpdtBot spreads via SMS messages, which tell users their system is at risk and they need to install the latest system upgrade. The message contains a URL link, which claims to link to an important system upgrade but really links to the malicious app.

2.       Multiple Trigger Action

UpdtBot declares several trigger actions in its AndroidManifest.xml file, including BOOT_COMPLETED, BATTERY_CHANGED, CONNECTIVITY_CHANGE, and MEDIA_CHECKING, among others. It also registers a receiver dynamically to receive remote commands.

3.       Communication with C&C Server

Once UpdtBot runs, it communicates with a remote C&C server.

Figure 1 Communicate with C&C Server

Once registered on the remote C&C server, it receives instructions to carry out malicious activities. It connects to 3 different URLs to send SMS messages, dial phone numbers, and download and install software.

Here are the 3 URLs and corresponding data:

Table 1 software info

Table 2 call info

Table 3 SMS info

4.       Nefarious Activities

As we illustrated above, UpdtBot can send SMS messages, make phone calls, and install software.

The following code excerpts show UpdtBot’s abilities:

Figure 2 sending SMS

Figure 3 dialing

Figure 4 installing software
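
The manifest-declared triggers from section 2 and the SMS, call and install abilities above lend themselves to a static triage check. The following is an added example, not code from NQ Mobile or from the malware: it scans a decoded AndroidManifest.xml for a receiver wired to several of the named system broadcasts in an app that also requests SMS, call or install permissions. The permission list, the threshold of three triggers, and the sample manifest (package and class names) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions named in the write-up (full Android constant names).
TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.BATTERY_CHANGED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.MEDIA_CHECKING",
}
# Assumption: permissions matching the described abilities (SMS, calls, installs).
RISKY_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.INSTALL_PACKAGES",
}

# Constructed sample manifest (hypothetical package and class names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.BATTERY_CHANGED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml, min_triggers=3):
    """Return (suspicious, {receiver: triggers}, risky permissions requested)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    hits = {}
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        found = sorted(actions & TRIGGERS)
        if found:
            hits[rcv.get(ANDROID + "name")] = found
    risky = sorted(perms & RISKY_PERMS)
    suspicious = bool(risky) and any(len(v) >= min_triggers for v in hits.values())
    return suspicious, hits, risky

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Receivers registered dynamically at runtime, which the write-up says UpdtBot also uses, never appear in the manifest, so a clean result here does not rule them out.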

Mitigation:

Because UpdtBot disguises itself as a system update file and can be remotely controlled by its author(s), we believe it poses a serious threat to mobile users. Our research shows that more than 160,000 Android users have been affected by UpdtBot. While we don’t have any statistics on how it’s being used by the cybercriminals who created it, we believe they’ll attempt to make money off it. Once it’s installed, the malware authors can instruct it to send messages or make calls to costly, premium-rate numbers. They can also download apps, which can quickly result in a high mobile device bill.

To protect yourself from UpdtBot (and other forms of malware), we recommend that you follow a few common-sense guidelines:

1)      Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading.

2)      Before you install an app, carefully review the “permissions” and make sure you’re comfortable with the data they’ll be accessing.

3)      Watch out for unusual or suspicious behavior on your mobile devices, such as unauthorized charges to your phone bill, text messages from unknown sources, and decreased battery life.

4)      Download up-to-date mobile security software on your mobile device, such as NQ Mobile Security, which scans your apps for malware and helps you locate a lost or stolen device. All NQ Mobile Security users are automatically protected from this malware and all other mobile threats.

We’ll keep you updated as we learn more about this threat. Check our blog, as well as our Facebook and Twitter pages, to stay up-to-date on the latest threats.
