In July 2013, WildFire detected a new kind of Android Package File (APK) malware named Dplug. This malware poses as a system tool app for memory cleaning. By reviewing its behaviors in our WildFire APK sandbox, we observed the following features of this malware:

- Dplug uses SMS to exfiltrate the device's unique identifiers, subscribe the device to premium services, and hide this behavior from the user by blocking the premium service notifications.
- The package name of this detected malware sample is _mc.mactivity, and its package signer is IadPush.
- After installation, Dplug sends the device's IMEI and IMSI numbers to a designated phone number through SMS.
- It then intercepts all incoming SMS messages and saves them in a hidden folder on the device's storage card.
- Further, it blocks incoming SMS messages from two specific premium service numbers belonging to China Mobile, including 100889955.
- Another notable feature is an auto-confirmation function for premium services that require subscription and SMS confirmation.
- Besides premium service subscription, Dplug can also push ads to the screen and send customized notifications which are downloaded from a remote attacker-controlled website.

In a typical attack scenario, the attacker first lures the user into installing the Dplug malware on the Android device. This is most likely accomplished through the in-app market of the TTpod Chinese music player app, found on Google Play. After installation, the malware fetches a phone number from the attacker's website and sends the device's IMEI and IMSI numbers to that phone number via SMS. With the device information, the attacker can impersonate the victim device to subscribe to premium services. For services requiring SMS confirmation, the attacker delivers the confirmation SMS schema (the pattern used to locate the confirmation code in the incoming message) to the malware. When the confirmation SMS is intercepted, the malware automatically replies with the extracted confirmation code to complete the subscription. All of the attack behaviors occur in the background; the user will notice nothing related to the service subscription until receiving the monthly bill. An overview of the reversed malware sample is shown in (Fig 1).

The host app part performs the legitimate functions it claims. In this Dplug malware sample, a mobile ad library from "" is downloaded from . This ad library also aggressively collects the phone's unique identifiers and uploads the collected information to .

Figure: Auto confirmation with extracted confirmation code

The malware logs all communications between itself and the remote attack servers in a log.txt file saved at "/mnt/sdcard/Android/.system/.dplug/ASK/log.txt"; the dot-prefixed ".system" and ".dplug" directories are hidden by default in most file browsers, so the log is not visible to a casual user.

The observed network communications include:

The Dplug malware requires many permission types, including: ..._NETWORK_STATE

Dplug listens to the broadcast of the following intents:

The APK file URL (valid at time of publication) is:
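The capability combination described above (read the device identifiers, send SMS, and see incoming SMS before the user does so that confirmation codes can be harvested and operator notifications swallowed) can be triaged statically from an APK's AndroidManifest.xml and modeled at the receiver level. The Python script below is an added example written for this page; it is not Dplug's code and not WildFire's. Because the sample's actual permission and intent lists are not reproduced on this page, the manifest and SMS text it parses are constructed for illustration: the permission names and the SMS_RECEIVED action are standard Android identifiers, while the package name, receiver name, confirmation schema and message body are assumptions.

```python
"""Triage helpers for the SMS interception pattern described in the Dplug
write-up.  Added example, not the malware's or WildFire's code.  The manifest
and SMS text below are constructed for illustration; Dplug's real permission
and intent lists are not reproduced on this page."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"  # IMEI / IMSI access

# Constructed manifest (assumed package and receiver names) in the shape a
# Dplug-like "memory cleaner" would have to declare to behave as described.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Return declared permissions and every receiver listening for SMS_RECEIVED,
    together with the priority its intent-filter requests."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.findall("intent-filter"):
            actions = {_attr(a, "name") for a in filt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(_attr(filt, "priority") or 0)
                sms_receivers.append((_attr(rcv, "name"), prio))
    return {"permissions": perms, "sms_receivers": sms_receivers}


def triage(manifest):
    """List the capabilities Dplug needs: read identifiers, send SMS, and see
    incoming SMS before the user.  An empty list means the pattern is absent."""
    findings = []
    perms = manifest["permissions"]
    if READ_PHONE_STATE in perms:
        findings.append("reads IMEI/IMSI (READ_PHONE_STATE)")
    if {RECEIVE_SMS, SEND_SMS} <= perms:
        findings.append("can both receive and send SMS (premium subscription primitive)")
    for name, prio in manifest["sms_receivers"]:
        # Before Android 4.4, SMS_RECEIVED was an ordered broadcast: the highest
        # priority receiver ran first and could abortBroadcast() so the stock
        # messaging app never displayed the message.
        findings.append("receiver %s handles SMS_RECEIVED at priority %d" % (name, prio))
    return findings


def handle_incoming_sms(sender, body, blocked_senders, confirm_schema=None):
    """Model of the receiver behaviour the write-up describes, for analysts
    reproducing it in a sandbox: log every message, swallow messages from the
    operator's premium numbers, and auto-reply the confirmation code when the
    attacker-supplied schema (assumed here to be a regex with one capture
    group) matches the message body."""
    actions = ["log"]
    if sender in blocked_senders:
        actions.append("abort_broadcast")
    if confirm_schema:
        m = re.search(confirm_schema, body)
        if m:
            actions.append("reply:" + m.group(1))
    return actions


if __name__ == "__main__":
    for finding in triage(parse_manifest(SAMPLE_MANIFEST)):
        print("-", finding)
    # Constructed confirmation SMS; 100889955 is the China Mobile number the write-up names.
    print(handle_incoming_sms("100889955", "Reply 4821 to confirm subscription",
                              {"100889955"}, r"Reply (\d+) to confirm"))
```

Run it against a decoded manifest (for example, the AndroidManifest.xml produced by apktool) to get the findings list; the receiver priority is the value to look at, since a benign app has no reason to request a priority above the default for the incoming-SMS broadcast. The handle_incoming_sms model shows why the two behaviours reinforce each other: the same receiver that extracts and replies the confirmation code can abort the broadcast for the operator's notification, so the victim sees neither the confirmation request nor the subscription notice.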