Foncy is Dead, Long Live Mania

By Denis Maslennikov

In the middle of January 2012 Foncy was updated: it started to spread together with an IRC bot and a root exploit. But the end of the Foncy story was very close because in February two suspected authors of this malware were arrested in Paris: you can read the story here in French and here in English. Since then we haven’t found any new modifications of this piece of malware.

So, Foncy is dead. And what is Mania? Mania is an SMS Trojan which currently only targets users of Android from France and its code is very similar to the code of the Foncy malware. The first sample of Mania (Trojan-SMS.AndroidOS.Mania) was found approximately at the same time when the Foncy IRC bot was discovered (during the first half of January). After that new variants of Mania appeared in February, March, April and May.

We haven’t found any traces of Mania on Android Market (Google Play). It seems that it is spread via file-sharing websites disguised as popular legitimate applications such as PhoneLocator Pro, BlackList Pro, Enhanced SMS and Caller ID, CoPilot Live Europe, Settings Profiles Full, Advanced Call Blocker and Kaspersky Mobile Security.


If a user launches one of these applications it will immediately try to send seven SMS messages to the French premium rate number 84242. The text of the message differs from variant to variant, but all in all there are three of them: MANIATEL and QUIZ.

The Mania malware will also emulate ‘license checking’ (in French or English), pretending to be a legitimate application:


Using the postDelayed method of Android’s Handler class, the malware shows a ‘license check failure’ after 90 seconds:

All malicious actions above are contained in the {application name}Activity.class file. But there is also a Machine.class file which contains functionality that is exactly the same as that of the SMSReceiver.class file in the Foncy Trojan: sending an SMS message to a French cell phone number with the text taken from a reply from the premium rate number 84242. We were able to find four different cell phone numbers (+336********).
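The two behaviours described above (seven premium SMS right after launch, and a reply from 84242 relayed to a +336 number) can be turned into a simple behavioural detection. The script below is an added example, not code from the original post or from the malware; the event records, the reply text and the +336XXXXXXXX placeholder are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PREMIUM_NUMBER = "84242"              # French premium-rate short code from the post
BURST_COUNT = 7                       # Mania sends seven SMS right after launch
RELAY_PREFIX = "+336"                 # French mobile prefix the reply is forwarded to

@dataclass
class SmsEvent:
    ts: datetime
    direction: str   # "out" = sent by the device, "in" = received
    number: str
    body: str

def detect_mania_like(events, burst_window=timedelta(seconds=60)):
    """Return findings for two Mania behaviours: a burst of outbound premium SMS,
    and an inbound premium reply re-sent verbatim to a +336 mobile number."""
    findings = []
    # Heuristic 1: BURST_COUNT outbound SMS to the premium number inside burst_window.
    burst = sorted(e.ts for e in events
                   if e.direction == "out" and e.number == PREMIUM_NUMBER)
    for i in range(len(burst) - BURST_COUNT + 1):
        if burst[i + BURST_COUNT - 1] - burst[i] <= burst_window:
            findings.append(f"burst: {BURST_COUNT} SMS to {PREMIUM_NUMBER} "
                            f"within {int(burst_window.total_seconds())}s")
            break
    # Heuristic 2: body of a reply from the premium number forwarded to a +336 number.
    for reply in (e for e in events if e.direction == "in" and e.number == PREMIUM_NUMBER):
        for out in events:
            if (out.direction == "out" and out.number.startswith(RELAY_PREFIX)
                    and out.ts >= reply.ts and out.body == reply.body):
                findings.append(f"relay: reply from {PREMIUM_NUMBER} forwarded to {out.number}")
    return findings

# Constructed sample: launch at T0, seven premium SMS, a reply, then the relay.
T0 = datetime(2012, 5, 1, 12, 0, 0)
MANIA_EVENTS = [SmsEvent(T0 + timedelta(seconds=i), "out", PREMIUM_NUMBER,
                         "MANIATEL" if i % 2 == 0 else "QUIZ") for i in range(BURST_COUNT)]
MANIA_EVENTS += [
    SmsEvent(T0 + timedelta(seconds=30), "in", PREMIUM_NUMBER, "CODE 1234"),   # constructed reply
    SmsEvent(T0 + timedelta(seconds=31), "out", "+336XXXXXXXX", "CODE 1234"),  # placeholder number
]
# Constructed benign sample: one ordinary text message to a contact.
BENIGN_EVENTS = [SmsEvent(T0, "out", "+336XXXXXXXX", "See you at 8")]

if __name__ == "__main__":
    for finding in detect_mania_like(MANIA_EVENTS):
        print(finding)
```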

The Mania Trojan is definitely related to Foncy. It is possible that it was created by the same authors. But they must have sold (or given) the code to other cybercriminal(s) because according to our data, Trojan-SMS.AndroidOS.Mania is still active.

Here’s the list of known malicious MD5s:
