Trojanized Android app intercepts messages to hide costly subscriptions

Another trojanized Android app that monitors received text messages for keywords has been uncovered by Trend Micro, and this time, the feature is not used for spying but to allow the app to subscribe the user to a premium service number.

Once again, this malware is targeting Chinese users, and it can still be found on some Chinese third-party app stores.

As with the previous one, the app installs a receiver that executes every time the infected device receives a text message.

“It screens the text messages infected devices receive for Chinese keywords that translate to ‘reply random content’ and to ‘supermarket,’” explain the researchers. “Once found, the malware replies with ‘Y’ to the messages.”

Once the user is subscribed to the premium services on offer, the malware waits for the confirmation messages from the providers.

Any message containing keywords such as “love comes”, “love is here” and “supermarket”, or coming from phone numbers beginning with “10658” (a premium-rate number) or “10086” (the number of China’s mobile service), is intercepted and deleted, making sure that the user is kept in the dark about the subscriptions.
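
A defender-side triage check for the behaviour described above, added here as an example and not taken from Trend Micro's analysis or from the malware: it audits a decoded AndroidManifest.xml for a receiver registered for incoming texts together with the permissions needed to read and answer them. The sample manifest, its package and receiver names, and the finding labels are constructed for illustration; the priority check assumes an Android version that delivers incoming SMS as an ordered broadcast.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"

# Constructed sample manifest (hypothetical package and receiver names).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _priority(intent_filter):
    """Declared filter priority; unresolved resource references count as 0."""
    try:
        return int(intent_filter.get(NS + "priority", "0"))
    except ValueError:
        return 0


def audit_manifest(manifest_xml):
    """Return SMS receivers and triage findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                # Higher-priority receivers get an ordered broadcast earlier.
                receivers.append((rcv.get(NS + "name"), _priority(flt)))
    findings = []
    if receivers and RECEIVE_SMS in perms:
        findings.append("reads-incoming-sms")
        if SEND_SMS in perms:
            findings.append("can-reply-by-sms")
        if any(prio > 0 for _, prio in receivers):
            findings.append("elevated-priority-receiver")
    return {"receivers": receivers, "findings": findings}
```

A hit is a reason for manual review rather than a verdict, since legitimate messaging apps declare the same receiver and permissions.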

