In China, some mobile phone geeks like to refresh their Android machines with images from the Internet. For some mobile phone dealers, this makes good business. They can earn extra money from refreshing phone ROMs for those users who want to erase a lot of useless applications in the original ROMs.
However, making an Android ROM image is not very difficult, which makes refreshing Android devices dangerous. Once malware has been added to an image, it is hard to get rid of it.
Android/Huigezi.A runs at boot up, and when SMS messages come in and calls go out. It runs as a service in the background, and poses as a system service. Once started, it sets up a timer to restart itself every 30 minutes.
- Send SMS messages
- Post sensitive information–IMEI, IMSI, device model name, phone number, carrier name–to remote server
- Download some install packages and install them silently
- Retrieve SMS messages and store them to a hash map
- Set up SMS messages to be blocked
- Download a dex file, and load the class in it
- Create a shell for the remote server
Android/Huigezi.A is very different than other mobile Trojans. It is more flexible for hackers to launch attacks and harder for victims to become aware of its presence. Most important: It could hide in an Android image. Users probably need to refresh their ROM images, or get root privileges and uninstall the malware with command tools, not easy task for most people.