Thanks to Rowland Yu of SophosLabs for his behind-the-scenes work on this article.
It’s normal for Android apps to download plugins. The main application might just be a “view folder” while plugins provide much of the functionality. It’s not so normal when one of those plugins tries to steal your SMS messages.
- Related article: SophosLabs report examines Top 10 Android malware
SophosLabs has discovered two apps on Google Play with plugins that do just that. Both are from a developer named New.App. The apps have been on Google Play since May and have attracted between 100,000 and 500,000 downloads so far. Labs has detected the threat as Andr/SpyAgnt-X.
One app is billed as an app store shortcut feature, while the other is for “Skin Care Magazine”.
When the apps start, they launch a new process in the class of adb.core.Mgr to download an addition plugin called abs.plugin.as.jar from the remote website hxxp://45.79.83.140/plugin/10/abs.plugin.as.jar.
The malicious .jar payload will check if the device SDK version is between 4.2 to 4.4. If so, it then requests an SMS permission, reads all messages in the SMS inbox and sends messages to remote websites.
There are thousands of different plugins in the wild. Some of them are embedded in apps while others are downloaded dynamically at runtime. This means that distinguishing if these plugin are malicious or not will be challenging work.
SophosLabs believes we’ll be seeing more of these malicious plugins.
Defensive measures
As we mentioned above, SophosLabs has identified and protected Sophos users against the malicious plugins.
Our advice: if you see these apps in Google Play, don’t download them. We’ll continue working with Google to get them removed.
The continued onslaught of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.
By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.