Zscaler Blog


Security Research

From third-party Android store to SMS Trojan

May 01, 2019 - 7 min read

Instead of downloading and installing apps from the official Android app store, users often turn to third-party stores. The reasons vary, from wanting a particular app that isn’t available on the official store to seeking cracked apps, that is, versions of official Android apps that have been modified to disable certain features, such as copyright protections. Recently, the ThreatLabZ research team came across one of these third-party app stores that seemed to be hosting Android games. The store, called “Smart Content Store,” portrays itself as an Android app store and uses names such as sexy.smartcontentstore[.]com and games.smartcontentstore[.]com.

Fig 1: Third-party app store homepage


At first glance, the site appears to be an app store hosting Android games, but we were unable to download any apps. Clicking the Install option on any of the games, as seen in the screenshot above, leads back to the same page.

Upon further examination, we found many direct links to APKs being downloaded from these domains. The image below shows the direct downloads of these APKs.


Fig 2: Zscaler dashboard


These apps have different package names and certificates, but every app exhibits the same functionality. We have provided an analysis of one of the apps below. (A complete list of apps can be found in the IOC section at the end of the blog.)


App summary

APK Name: smartworld_-_WIN_-_500929091890143_-_.apk
Package name: vaya.bailecito.epore.saturda
Size: 2100203 bytes
MD5: 091E91A9ED7202CD44DC5E1C4B3DCC90

Technical details

As soon as the app is installed, it appears as a blank space. As shown in the screenshot below, the app icon and app name are missing. Upon clicking the space (the invisible icon), the app displays its first activity with two options: Smart World and Sexy World.


Fig 3: Invisible app icon and the first activity


During the initial phase, the app sends several requests to hxxp://play4funclub[.]com/public/notification/is-active, but during our analysis we received only a 301 Moved Permanently response. These requests can be seen in the screenshot below.


Fig 4: Initial requests 


Upon clicking either of the two options shown above, Smart World or Sexy World, the app asks for Administrator privileges, stating “To view all the porn videos you need to update. Click to activate.” This message can be seen in the screenshot below (left image).


Fig 5: Admin privileges


As soon as the victim activates admin rights, a request is sent to another domain. Nothing happened as a result of this request, so we believe it simply tells the attacker whether or not the victim has activated admin rights.


Fig 6: Request upon enabling admin rights


After a certain amount of time passes, the app starts sending requests to hxxp://app.in-spicy[.]com/scripts/app_sms_request_get_number.php with details about the victim's device and location. It sends the following information in its POST request:

  • Android version
  • Installation date
  • Version
  • Date (Date of request) 
  • Country code
  • Carrier 
  • Device ID

The screenshot below shows the request and response taking place between the compromised device and attacker:


Fig 7: Request and response related to the SMS message


The app acts according to the response received from the attacker’s domain. If the response contains "status":"OK", the app extracts the details it needs from the response; in our case, these were a phone number and a message body. It then sends an SMS message with that body to that number. This functionality is visible in the screenshot below: the attacker’s response is held in paramJSONObject, and based on its contents the app calls sendTextMessage, the routine that sends the actual SMS messages.


Fig 8: Sending SMS functionality
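The tasking exchange described above, written as detection logic an analyst could run over proxy-log entries. This is an added example, not code from the Zscaler post or from the sample: it matches POSTs to the app_sms_request_get_number.php endpoint and pulls the number and body out of any "status":"OK" reply, so the numbers a device was told to text can be listed. The JSON key names number and message, the JSON-per-line log format and the sample entries are assumptions constructed for the example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Tasking endpoint named in the write-up (defanged there as hxxp://app.in-spicy[.]com/...).
C2_HOST, C2_PATH = "app.in-spicy.com", "/scripts/app_sms_request_get_number.php"

def parse_sms_task(body):
    """(number, message) from a reply carrying "status":"OK", else None. The keys
    'number' and 'message' are assumed; the post only says the reply holds both."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("status") != "OK":
        return None
    number, message = data.get("number"), data.get("message")
    return (str(number), str(message)) if number and message else None

def is_tasking_request(entry):
    """True when a proxy-log entry (dict) is a POST to the SMS tasking endpoint."""
    parts = urlsplit(entry.get("url", ""))
    return entry.get("method") == "POST" and (parts.hostname, parts.path) == (C2_HOST, C2_PATH)

def scan(lines):
    """Walk JSON-per-line proxy log entries; return (findings, SMS taskings per number).
    Every beacon is recorded; a (number, body) tasking is attached when the reply said OK."""
    findings, tasked = [], Counter()
    for line in lines:
        entry = json.loads(line)
        if not is_tasking_request(entry):
            continue
        finding = {"device": entry.get("device", "?"), "sms_task": parse_sms_task(entry.get("response", ""))}
        findings.append(finding)
        if finding["sms_task"]:
            tasked[finding["sms_task"][0]] += 1  # number the C2 told the device to text
    return findings, tasked

def ok(number, message):  # constructed C2 reply body in the shape assumed above
    return json.dumps({"status": "OK", "number": number, "message": message})

C2_URL = "http://" + C2_HOST + C2_PATH
# Constructed sample log (not real capture data); numbers and texts reuse rows from the table.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"device": "dev-1", "method": "POST", "url": C2_URL, "response": ok("6768482371", "france athletes employed")},
    {"device": "dev-1", "method": "POST", "url": C2_URL, "response": ok("6768482371", "luther exercise queens")},
    {"device": "dev-1", "method": "POST", "url": C2_URL, "response": ok("2347003300131", "hungary contributing task bird")},
    {"device": "dev-1", "method": "POST", "url": C2_URL, "response": json.dumps({"status": "NO"})},
    {"device": "dev-1", "method": "GET", "url": "https://www.example.com/index.html", "response": "<html>"},
]]
```

Running scan(SAMPLE_LOG) records four beacons, three of which carry a tasking, and counts two taskings for 6768482371 and one for 2347003300131.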


During this phase of analysis, we observed several attempts to send SMS messages to different phone numbers with different text as the message body. This can result in high costs to the victim.

Some examples of the SMS messages can be seen in the table below:

Phone #          Message Body
6768482371       message:france athletes employed
6857215675       message:experience iran yarn combines field
6768482371       message:luther exercise queens
2347003300131    message:hungary contributing task bird
6857215675       message:boolean wisconsin criticism verification republic
2347003300131    message:exchange audience nc medicaid
2347003300131    message:ut controlled salt customized consider
6768482371       message:legislative wayne brand hungarian
6768482371       message:consulting gui contrary eclipse
79697530171      message:boards tits difficulties
6768482371       message:royalty relay mv
6768482371       message:boards sie gabriel computer
6768482371       message:mods html chronic
6768482371       message:integer coleman monsters
6745596671       message:capabilities labels addiction
6768482371       message:checking upskirt football possibilities
6745596671       message:academics actively matrix ga
2347003300131    message:incidence quality mrs estimated default
6745590060       message:estate mexican legal flour
6768482371       message:cleared connectivity divx
2347003300131    message:cafe activists our constantly
6745596671       message:brush accepted role
6745596671       message:plain weed senators reform framing
6745596671       message:represents fig answers signup
6745596671       message:animation failure lucas browser poetry
2347003300131    message:biodiversity present solving herbal regulations
6857215675       message:shakira wanna movie freight
6768482371       message:shipping uzbekistan senators optimize basically
6857215675       message:folks tamil cooper
6857215675       message:picking maine shapes men wives


This app also has permission to view the victim’s contact list, which means the app can easily spread itself using those contacts. We also found other high-level permissions and we are analyzing the sample further to determine their functions and potential impact. We will update this report with any interesting findings.



The Zscaler Cloud Sandbox successfully flagged the sample as malicious based on indicators found in the sample, as shown in the report screenshot below.

Fig 9: Zscaler Cloud Sandbox


Zscaler advises Android users to download apps only from official app stores. Using third-party stores may lead to the installation of apps with hidden, malicious intentions, as described in this case. We also advise users to keep the Unknown Sources option off at all times on their Android devices; keeping it off prevents third-party apps from being installed directly on the device.




