This week, my research team, in collaboration with NQ Mobile, uncovered a new malware, Fjcon, which affects Android devices running a custom ROM. To the best of our knowledge, it is the second malware of this kind. Like its predecessor, jSMSHider, Fjcon is signed with a publicly available key that is distributed in the Android Open Source Project (AOSP). Possibly for convenience, developers or third-party groups may simply use the AOSP key to sign custom ROMs, i.e., custom-built versions of Android. Consequently, when installed on a phone with such a ROM, this malware can obtain permissions that are normally not granted to ordinary apps, such as INSTALL_PACKAGES and DELETE_PACKAGES, which allow it to install and uninstall additional packages in the background without user intervention.
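One check that follows from this: an app only obtains signature-level permissions such as INSTALL_PACKAGES when its signing certificate matches the ROM's platform certificate, so comparing an APK's signer against the device's framework-res.apk (which is signed with the platform key) reveals whether it is trusted at platform level. The script below is an added example, not code from the original post or from NQ Mobile's analysis; it assumes a v1 (JAR) signature, i.e. a PKCS#7 block in META-INF/*.RSA, and the `sample_apk` input is constructed here and carries no real signature.

```python
import hashlib
import io
import zipfile

def der_tlv(buf, pos):
    """Decode the DER header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, used by every real certificate
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def der_children(buf, start, end):  # yields (tag, tlv_start, value_start, value_end)
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve
def signer_certificate(pkcs7):
    """DER of the first certificate in a PKCS#7 SignedData block (META-INF/*.RSA of a v1-signed APK)."""
    _, ci_start, ci_end = der_tlv(pkcs7, 0)                              # ContentInfo SEQUENCE
    _, _, exp_start, _ = list(der_children(pkcs7, ci_start, ci_end))[1]  # content [0] EXPLICIT
    _, sd_start, sd_end = der_tlv(pkcs7, exp_start)                      # SignedData SEQUENCE
    for tag, _, vs, ve in der_children(pkcs7, sd_start, sd_end):
        if tag == 0xA0:                                                  # certificates [0] IMPLICIT
            _, ts, _, te = next(der_children(pkcs7, vs, ve))
            return pkcs7[ts:te]
    raise ValueError("signature block carries no certificate")
def apk_signer_certificate(apk):  # apk: path or file-like object
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                return signer_certificate(z.read(name))
    raise ValueError("no v1 signature block")
def signed_with_platform_key(apk, framework_res_apk):
    """True when the app shares the ROM's platform signing certificate, the condition under which
    signature-level permissions such as INSTALL_PACKAGES are granted to it."""
    digest = lambda a: hashlib.sha256(apk_signer_certificate(a)).hexdigest()
    return digest(apk) == digest(framework_res_apk)

# Constructed sample input: a PKCS#7-shaped block with no real signature, only the certificate slot.
def der(tag, payload):  # short-form lengths only, enough for the small sample below
    return bytes([tag, len(payload)]) + payload
def sample_apk(cert_der):
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"") + der(0xA0, cert_der) + der(0x31, b""))
    content_info = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", content_info)
    return io.BytesIO(buf.getvalue())
```

On a real device, pass the path of a pulled APK and of /system/framework/framework-res.apk; a match for an app that is not part of the ROM is exactly the condition this post describes.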
The Fjcon malware exhibits "phone-home" behavior: it listens for commands from a remote command and control (C&C) server, through which it can selectively download and install a few packages. It can also be configured to send or block certain SMS messages (e.g., to or from premium-rate numbers). This functionality can be used to subscribe the victim to premium services and to prevent the user from receiving the subsequent billing-related messages. A detailed technical analysis and possible mitigation can be found here.
Last modified: November 23rd, 2011