Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Android NotCom malware resurfaces (with improvements)

Almost a year ago we reported the emergence of Android “NotCom” malware. Much of the malware was distributed in email links sent from compromised email accounts. What was notable then was the use of the same link to direct users to different destinations based on the visiting device. PC or iOS users were sent to a diet scam site while Android users were singled out with a malware download.

The method and the malware package “security.update.apk” have recently resurfaced. Once again non-Android users are sent to a diet scam page (touting garcinia cambogia).

Malware Analysis

This year’s version is very similar to the NotCom.A that spread a year ago but is more sophisticated, featuring encryption and a P2P function. Some vendors refer to the malware as Nioserv.

The malware creates a service that runs in the background called “com.security.patch”. Going through the code, it appears to set up a proxy and then act as a P2P client. All the data it sends out is encrypted. Our AV lab measured how much data the malware was sending and receiving, and the volume is considerable. With no other Internet-connected service running on the phone except the malware’s “com.security.patch”, it had transmitted almost 1 MB of data after 15 minutes – that’s 96 MB in 24 hours!

Then we opened a webpage that used 0.83 MB, and the malware immediately doubled that amount of data. Data usage could therefore get very expensive for mobile Internet users. And of course all browsing is being routed through some proxy server.
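As an added illustration (not from the Cyren write-up), here is a small Python check over per-app byte counters, such as an analyst might export from `dumpsys netstats`, modelled on the two observations above: a background service moving about 1 MB in 15 minutes projects to 96 MB a day, and a service whose byte delta keeps pace with the browser’s during a page load behaves like a relay. The package names, threshold and every counter value below are constructed for the example.

```python
# Added example: flag background apps whose traffic is out of proportion,
# using constructed per-app byte counters (not real dumpsys output).
from dataclasses import dataclass

MB = 1_000_000
WINDOW_MIN = 15        # observation window used in the lab measurement
DAILY_LIMIT_MB = 50    # constructed threshold: flag apps on track to exceed this per day


@dataclass
class AppCounters:
    package: str
    foreground: bool   # was the user actively using the app during the window?
    tx_bytes: int
    rx_bytes: int

    @property
    def total(self) -> int:
        return self.tx_bytes + self.rx_bytes


def daily_projection_mb(c: AppCounters, window_min: int = WINDOW_MIN) -> float:
    """Extrapolate one window's traffic to 24 hours, in MB (1 MB / 15 min -> 96 MB)."""
    return c.total * (24 * 60 / window_min) / MB


def flag_background_talkers(samples, limit_mb: float = DAILY_LIMIT_MB):
    """Background apps whose projected daily traffic exceeds limit_mb."""
    return [(c.package, daily_projection_mb(c))
            for c in samples
            if not c.foreground and daily_projection_mb(c) > limit_mb]


def relay_suspects(before, after, browser_pkg: str, min_ratio: float = 1.0):
    """Compare two snapshots around a page load: a background app whose byte
    delta keeps pace with (or exceeds) the browser's delta may be relaying it."""
    base = {c.package: c.total for c in before}
    delta = {c.package: c.total - base.get(c.package, 0) for c in after}
    in_front = {c.package: c.foreground for c in after}
    browser_delta = delta.get(browser_pkg, 0)
    if browser_delta <= 0:
        return []
    return [(pkg, d / browser_delta) for pkg, d in delta.items()
            if pkg != browser_pkg and not in_front[pkg] and d / browser_delta >= min_ratio]


# Constructed counters for an idle 15-minute window (nothing in the foreground).
IDLE = [AppCounters("com.android.chrome", False, 12_000, 30_000),
        AppCounters("com.security.patch", False, 610_000, 390_000)]   # ~1 MB
# Constructed snapshots taken before and after a single page load in the browser.
BEFORE = [AppCounters("com.android.chrome", True, 0, 0),
          AppCounters("com.security.patch", False, 0, 0)]
AFTER = [AppCounters("com.android.chrome", True, 30_000, 800_000),      # 0.83 MB
         AppCounters("com.security.patch", False, 900_000, 760_000)]   # twice that
```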

The main address the malware connects to is “172.16.1.5”, which is a private IP address. This appears to be the P2P service of the malware. By sniffing the packets from “172.16.1.5” we saw lots of different addresses.

Because of the encryption we can only speculate as to the purpose of the malware. It seems likely that it could steal device and user data and, as with last year’s version, may be part of an Android botnet.
