New Android malware infects 100,000 Chinese smartphones

A new piece of malware has been discovered on more than 100,000 Android smartphones in China. It generates revenue by silently downloading paid apps and multimedia content from Mobile Market, an Android app store hosted by China Mobile, one of the largest wireless providers in the world.

TrustGo, which first discovered the malware, is calling this particular threat "Trojan!MMarketPay.A@Android" and has already found it on nine app stores: nDuoa, GFan, AppChina, LIQU, ANFONE, Soft.3g.cn, TalkPhone, 159.com, and AZ4SD. The security firm also disclosed the following eight package names for the malware:

• com.mediawoz.goweather
• com.mediawoz.gotq
• com.mediawoz.gotq1
• cn.itkt.travelskygo
• cn.itkt.travelsky
• com.funinhand.weibo
• sina.mobile.tianqitong
• com.estrongs.android.pop

MMarketPay.A works by placing malicious orders at Mobile Market. Normally, a Mobile Market customer receives a verification code via SMS after purchasing an app or multimedia content, which he or she has to input back into the market to start the download. China Mobile then adds this order to the customer's phone bill.

MMarketPay.A automates this process and downloads as much as it can so that victims rack up huge phone bills. It finds paid content, simulates a click action in the background, intercepts the received SMS messages, and collects the verification code sent by Mobile Market. If a CAPTCHA image is invoked, the malware posts the image to a remote server for analysis.

In short, MMarketPay.A is a complex little bugger. If you're using an Android device on China Mobile, you may want to check your phone bill and make sure there's nothing suspicious on it.

Android lets you download and install apps from anywhere (provided you have the following option enabled: Settings => Applications => Unknown sources). If you want to minimize the chance of downloading malicious apps, please only use the official Google Play store.

See also:

• Malware charges users for free Android apps on Google Play
• Android malware families nearly quadruple from 2011 to 2012
• A first: Hacked sites with Android drive-by download malware
• Warning: Fake Biophilla app on Android is malware
• Warning: Fake Instagram app on Android is malware
• Malicious version of Angry Birds Space spotted in the wild