Pierluigi Paganini August 09, 2014

One million Android devices in China were infected with an Xshqi SMS worm on August 2, the day the country celebrated Valentine’s Day.

Experts at Kaspersky Lab revealed that a  malware, dubbed Trojan.AndroidOS.Xshqi.a, infected neatly 500,000 Android devices in just six hours last week in China, but Chinese media provided a more pessimistic estimate declaring that the number of infected mobile is over 1 million smartphones.

The attackers operated in conjunction of the day the country celebrated Valentine’s Day as explained by Kaspersky team.

“The fact that this Trojan combination appeared on the Chinese Valentine’s Day is premeditated, taking advantage of user credulity on this special day. And it uses social engineering techniques to spread as much as possible and infect more devices. This Trojan is a good example of why it’s always worth thinking twice about trusting a link received on your mobile phone. No matter who sends it, it could still be a malicious program.,” reported researcher Vigi Zhang in a blog post.

The malware has been classified as a mobile SMS worm, but it includes also two malicious modules, the XXshenqi.apk and its asset Trogoogle.apk, the first one is used to spread the malicious code meanwhile the other component is a backdoor.

Once a mobile device is infected by Trojan.AndroidOS.Xshqi.a, the malware sends malicious SMSs to all the contacts in the victim’s address book. The link is used by malware authors to get victims to install the Trojan as well, Trojan.AndroidOS.Xshqi.a that verify the presence of the Trogoogle.apk, if it isn’t installed it displays a dialog window to prompt the user to install Trogoogle.apk. detected by Kaspersky as Backdoor.AndroidOS.Trogle.a.

The backdoor is used by cybercriminals to perform numerous operations, for example in order to steal victim’s personal information it asks user to register the app. The backdoor also enables the attackers to control victim’s device and send different commands to perform several operations, for example to create and send text messages.

Chinese law enforcement has already identified the author of the malicious campaign, he is a 19-year-old college student that admitted creating the malicious code, but he claimed that he only did it for fun. The young man was detained in the city of Shenzhen while visiting his parents.

“I deeply regret what I have done to the phone users who were affected by the virus,” Li said, cited by the Shenzhen Daily.*

Pierluigi Paganini

(Security Affairs –  Android, Xshqi)