While sorting the recent mobile malware collections, I stumbled on a sample which was submitted today. The sample has neither any new break-through payload nor any advanced functionality. However, what makes this interesting is the fact that it has included features seen in couple of different malware families.
So, What does it do?
It is a typical SMS Trojan that sends SMS to premium message centres. In the process, it makes sure that the messages are sent only once during the first time the code is run. This feature is taken from the very old “FakePlayer” family.
Fig.1: The sample call gap
Fig.1 shows the call graph of the activity. It can be observed that a SQLite DB has been used as a marker to trigger the SMS messages. This was seen in the older fakeplayer family. Even the helper method name “scanwe()” (“canwe()”) and the marker value “was” remain the same.
Another feature of this sample is to intercept the incoming SMS messages and abort the messages originating from any of the numbers in the block list. This is done to prevent the user getting alarmed about a possible confirmation message originating from the message centres. This functionality has been seen across many earlier families and the code block looks similar to the one witnessed in the “Foncy” family.
Fig.2: SMS being sent to the premium rate numbers
To block any response from these message centres, the sample registers a Receiver with high priority.
Fig.3: Registered SMS receiver
This allows the sample to intercept every incoming message and if the incoming message is originated from any of the listed target numbers, the SMS message will be aborted from reaching the victim's inbox.
Fig.4: The SMS receiver and blocker in action
It can be observed from fig.4 that out of the six messages generated from different source numbers, only two message reach the victim's device (messages originating from 8585, 5556). The rest of the messages were blocked by the Trojan receiver as they were originating from the number which is maintained in the block list of the Trojan.
Again, this exact behaviour and the code pattern have been seen in many older families with the recent one being the Foncy family.
It is very common in Windows malware landscape to see a new variant being constructed using the code blocks taken from multiple other Malware samples. If this trend continues to grow in Mobile platform as well, it would make an interesting case study and analysis of multiple family ties in a single variant in the future.