Chinese police have arrested a 19-year-old software engineering student on suspicion of releasing an information-stealing Android virus into the wild which is thought to have infected at least 100,000 users.
The “XX??” or “Heart App” malware is unusual in that it behaves like a traditional virus, spreading by sending itself to the victim’s first 99 address book contacts, according to Sophos’ APAC head of technology, Paul Ducklin.
It apparently arrives via an SMS complete with malicious download link, clicking on which will launch the malware, assuming the user has enabled the “allow installation of apps from unknown sources” option.
Many Chinese users do this given that Google Play is not available in the Middle Kingdom so most use third party app stores to get their content.
The virus APK then calls home by sending an SMS to the malware author, while in the foreground presenting the user with a bogus registration/log-in screen requesting username, password and resident ID number.
All of this data is sent via SMS to the malware author and then the user is asked via a pop-up to install a secondary component – a “Resource Pack”, which is actually malware turning the device into a bot, according to Ducklin.
This enables the attacker to read the phone’s SMS messages, send its own SMSes from the phone and even insert fake ones into the inbox.
Luckily for the 100,000+ users already infected, the author of the malware was arrested just 17 hours after the virus first landed.
Identified as a 19-year-old student surnamed “Li”, he’s said to have written the program while on holiday in Shenzhen only to prove his prowess as a coder – so more of a script kiddie than a cybercriminal.
Still, over 20 million messages sent by the virus are said to have been blocked already by Chinese mobile operators, proving just how potent the attack was.