Security Alert: New Rogue App RogueLemon Found in Alternative Chinese Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Nowadays, smartphone users in China tend to subscribe the value-added service such as buying ringtones and eBooks by simply sending SMS messages to particular service provider's number (i.e. SP number). Unfortunately, the convenience also leads to potential SMS fraud for hidden/unwanted charges, causing financial loss to users. In order to mitigate this problem, there is an official policy (enforced in China) that requires user-confirmation for the subscribed value-added service. In essence, the policy requires service providers to send the ordering information to users for them to confirm the subscription. Only after users have confirmed the subscription, service providers may start billing for the value-added services. As a result, the typical process for a user to subscribe to a particular mobile service involves three steps:

We have earlier detected a number of rogue apps (named RogueSPPush) which violate this policy. This week, my research team, in collaboration with NQ Mobile, identified an additional set of rogue apps which similarly violate this policy. One difference however is that instead of hard coding the content and destination number of confirming (SMS) messages, it retrieves the content and destination number from a remote (C&C) server. In addition, presumably with the intention to bypass the detection by existing mobile anti-virus software, the destination number(s) are received in the form of being encrypted. RogueLemon has the decryption code in place to uncover the original destination number for automatic confirmation.

How it works

RogueLemon registers a SMS receiver in the app's manifest file with a high priority (i.e., 99999). This can ensure that its receiver will be notified to handle incoming SMS messages before other receivers (with lower priorities).

When receiving the new SMS message, RogueLemon retrieves the originating address and its content from the message. Then it will check whether this message is from the service provider with the information of the subscribed value-added service, which needs to be confirmed by the the user. If so, instead of notifying users about this new incoming SMS message, it will hide this message to prevent user from knowing about it. At the same time, RogueLemon connects to a remote server with the originating address and content of the received SMS message and retrieves the response from remote server. According to our analysis, this response contains the (encrypted) phone number and the (plain text) content of SMS message. Then this plain text SMS message will be sent to the decrypted phone number to finish the subscription of the value-added service in the background without user's awareness. The following figure shows this process.


We found these RogueLemon apps in unofficial Chinese Android markets. To the best our knowledge, we do not find the threat in the official Android Market. For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,


Last modified: October 19, 2011