Armor.Worm.Samsapo

Category: Worm

  • This is a threat.
  • Can cost money.
  • May be a privacy threat.
  • Potentially unwanted behavior.

Summary

Samsapo is considered one of the first pieces of worm-style malware discovered for the Android platform. This threat is capable of sending SMS messages with a malicious link to all device contacts, downloading and installing other potentially malicious applications, stealing personal information, and committing premium service fraud.

This threat attempts to disguise itself as a system utility, which is a very common feature of Android malware. When the application is installed, it does not place an icon in the main application menu and does not have a GUI (graphical user interface). Samsapo only appears in the settings/applications/ list of the infected device.

Samsapo’s ability to spread is innovative for Android malware, though this is not the first time we have seen Android malware attempting to spread. The Samsapo Worm will send an SMS message to all device contacts with text in Russian that translates to “Is this your photo?” The SMS message also contains a link that will download the malicious Samsapo APK (application file) to the new victim’s device.

While this threat’s ability to spread is one of its more advanced features, it is not the most dangerous. Samsapo can download and install additional malware to the infected device. Additional malware can have an endless list of malicious functions, from spyware to banking Trojans to rootkits.

In addition to sending malicious text messages to device contacts, this malware may also steal text messages and phone numbers from the device and upload them to a remote command and control server. Samsapo can block phone calls and potentially cause the victim to be incredibly late every day by modifying the alarm settings.

Finally, Samsapo is capable of committing premium service fraud. The malware will send SMS messages to premium SMS services that will incur additional charges to the mobile phone bill. These charges are often recurrent and will continue until the victim contacts their mobile service provider to cancel the charges.

Additional Details

Package Name:
com.android.tools.system v1.0

First Detected:
April 2014

File Type:
APK (Android application package file)

SHA256:
N/A

Permissions:
RECEIVE_BOOT_COMPLETED
RECEIVE_SMS
SEND_SMS
WRITE_SMS
READ_SMS
MODIFY_PHONE_STATE
CALL_PHONE
READ_PHONE_STATE
WRITE_CALL_LOG
READ_CALL_LOG
WRITE_EXTERNAL_STORAGE
INTERNET
INSTALL_PACKAGES
DELETE_PACKAGES
READ_CONTACTS

Repair Instructions

Users should be careful when downloading applications from third-party Android markets.

Always review application permissions to make sure no unusual permissions are being requested.
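The following is an added example, not part of the original write-up or of Armor for Android: a Python triage check that reads an AndroidManifest.xml and reports the traits described on this page (no launcher icon, contact-driven SMS, package installation, start at boot with SMS access). It assumes the manifest has already been decoded to text XML (for example with apktool); the function names, package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permission combinations drawn from the permission list on this page.
SMS = {P + n for n in ("SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS")}
SPREAD = {P + "READ_CONTACTS", P + "SEND_SMS"}
DROPPER = {P + "INTERNET", P + "INSTALL_PACKAGES"}

def names(node, tag):
    """android:name values of every <tag> element at or below node."""
    return {e.get(NS + "name") for e in node.iter(tag)}

def has_launcher_icon(root):
    """True if any activity declares a MAIN + LAUNCHER intent filter."""
    filters = [f for tag in ("activity", "activity-alias")
               for act in root.iter(tag) for f in act.iter("intent-filter")]
    return any("android.intent.action.MAIN" in names(f, "action") and
               "android.intent.category.LAUNCHER" in names(f, "category")
               for f in filters)

def triage_manifest(xml_text):
    """Return (package, findings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = names(root, "uses-permission")
    checks = [("no launcher icon", not has_launcher_icon(root)),
              ("reads contacts and sends SMS", SPREAD <= perms),
              ("downloads and installs packages", DROPPER <= perms),
              ("starts at boot with SMS access",
               P + "RECEIVE_BOOT_COMPLETED" in perms and bool(perms & SMS))]
    return root.get("package"), [label for label, hit in checks if hit]

def sample(package, perms, launcher):
    """Build a constructed manifest for the demo (not a real sample)."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    act = ('<activity android:name=".Main"><intent-filter>'
           '<action android:name="android.intent.action.MAIN"/>'
           '<category android:name="android.intent.category.LAUNCHER"/>'
           '</intent-filter></activity>') if launcher else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application>%s</application></manifest>' % (package, uses, act))

SUSPECT = sample("com.example.systemtool", ["RECEIVE_BOOT_COMPLETED", "SEND_SMS",
                 "READ_CONTACTS", "INTERNET", "INSTALL_PACKAGES"], launcher=False)
BENIGN = sample("com.example.notes", ["INTERNET"], launcher=True)

if __name__ == "__main__":
    for doc in (SUSPECT, BENIGN):
        print(triage_manifest(doc))
```

Individual findings also occur in legitimate applications; the check is meant to prioritise packages for closer review when several findings appear together.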

Android users should only download applications from a trusted source.

We advise Android users to download and use antivirus software to keep their Android device and personal information safe.

Armor for Android Uninstall:

  • Scan your device using Armor for Android
  • Click the Fix Now button
  • Select the threat from the scan results
  • Click the Uninstall button

Manual Uninstall:

  • Open the Android Menu
  • Go to Settings
  • Select Applications
  • Select Manage Applications
  • Select the infected application and click the Uninstall button

Android Malware Write-up By: James Green