Do I have Malwarebytes or a tech support scam?

Malware uses Google Talk to make malicious phone calls

We found a new piece of mobile malware, Android/Trojan.Pawost, that’s using Google Talk to make malicious calls.

As soon as the malicious app is opened, a blank Google Talk icon pops up in the notifications of the mobile device.

Pawost

Wait a couple of minutes, and all of a sudden your mobile device will make an unwarranted outgoing call to a number with an area code of 259.

Pawost_Call

The area code 259 is unassigned to any region in the United States and considered to be invalid.

It is also an unassigned area code for the country from which Pawost originates, China. According to computerhope.com, an incoming call from an unassigned area code means the phone number was likely caller ID spoofed; a trick often used by telemarketers/scammers to hide the originating phone number.

An outgoing call to an unassigned phone number is a little more unusual.

When the outgoing phone call is placed, Pawost puts the mobile device into a partial wake lock; the CPU will still be running, but the screen and keyboard back light are turned off.  This hides the presence of the outgoing call being made.

As long as the malicious app is running, it will continue to make calls until you force the app to stop or uninstall it. The Google Talk notification won’t go away until this is done as well.

Pawost_CallLog

On top of making malicious outgoing calls, Pawost also gathers personal information such as IMSI , IMEI, phone number, CCID which is used to operate USB connected Credit Card readers, phone version, other apps installed on the device, and other information.

Once the information is gathered, Pawost encrypts it using its own special algorithm before sending it off to a remote site.

Pawost_PCAP

Some other capabilities of Pawost is sending SMS messages and blocking incoming SMS messages, although these behaviors not observed during research.

The whole time, Pawost masquerades as a simple stopwatch app.

Pawost_App

While researching Pawost, I used an Android emulator which does not have the capability of making outgoing calls. To see if I could figure out who or what was on the other end, I used Google Voice to call the offending phone numbers.  

I used both the country code for the United States (+1) and the country code for China (+86); as mentioned earlier this is the originating country of the malware. What I found was that many of the phone numbers were invalid using +1, but worked with +86. This leads me to believe the malware is specific to Chinese users.  

Even though the phone numbers worked with +86,  I still only got a busy line with every number I tried.

Although it is not clear who or what is being called, the thought of your mobile device calling anyone without your permission is pretty scary. 

Uninstalling the malicious app will fix the issue, but it may be a challenge to find the offending app on your device. 

This is especially true if you have a long list of apps in your downloaded apps list.  Using a free mobile malware scanner such as Malwarebytes Anti-Malware Mobile will make this process a lot easier.

When installing any app, always be aware of the permissions being granted before accepting the install.  In this case, a stop watch app shouldn’t have a long list of permissions like calling, receiving/sending SMS messages, and other permissions way out of scope of it’s functionality.

ABOUT THE AUTHOR

Nathan Collier

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.