Earlier yesterday, a few SMS Trojans were found in Android Market and subsequently removed from the market place. In this blog post, we will be demonstrating some of the interesting behaviours uncovered through dynamic analysis.
What does it do?
The objective of this Trojan is to send SMS to premium numbers. The destination number is chosen based on the country code information obtained from the victim's SIM. In order to avoid the infected victim getting alerted by any response messages, the Trojan also registers an SMS receiver that intercepts the messages coming from the specific numbers and interrupts them from reaching the victim's inbox.
The Trojan also downloads the original game (~43MB!!) Installer from a hosted website and subsequently may install it on the victim's device.
How does it do this?
The Sample disguises itself as a free version of a popular game. As usual, during installation, it must seek the permissions needed to perform the malicious actions. Note the "Services that cost you money - send SMS Message permission highlighted below. These permissions need to be authorized by the victim for the Trojan to install. So be sure to review permissions with every install and question those that don't make sense.
Fig.1: Permissions that must be granted by the victim for the Trojan to get installed.
Once the user clicks on the "Install" button, the Trojan gets installed in the device. It then fetches the country information from the victim's SIM card. This task is accomplished by the invocation of getSimCountryIso() API of the TelephonyManager class.
Based on the country's iso code, the Trojan sends a message to specific to one of the 18 countries currently handled by it. Fig.2 shows the code snippet responsible for doing this.
Fig.2: Code snippet to trigger SMS based on country code
Another interesting functionality noticed in the sample is that it starts a huge download of 43 MB size from a hosted website. Fig.3 shows the snippets of code blocks that implements this logic.
Fig.3: code snippets part of the download logic
The download is also witnessed during dynamic analysis. Fig.4 shows the packets captured using wireshark.
Fig.4: TCP packet stream observed during dynamic analysis
The dynamic analysis is carried out inside the simulated environment. Hence the server response headers are different from the actual server.
Fig.5: download in progress
Also, the code of the Trojan package shows an SMS receiver component which is designed to abort any incoming SMS messages originating from the premium message centres. Fig. 6 shows these
Fig.6: Snippets of the code that aborts the incoming SMS from message centres
SMS Receiver in action:
Fig.7 shows the dynamic analysis demonstration of the SMS receiver blocking the SMS messages originating from the specific centres.
Fig.7: SMS receiver in action
Many of the code blocks found in this sample look similar to the recent Android family "Foncy". The major difference between the Foncy family and this sample is that this sample additionally downloads the game and tries to install the game in the victim's device.
Though there have been many questions about the trend of mobile malware being overblown, incidents like these give indication that the malware authors are viewing the mobile platform as a serious business opportunity. Mobile device sales will exceed that of PCs in 2011 so this trend makes perfect sense. . The best method to counter mobile threats is to only install software from the platform specific trusted store or market place. However in this instance the Trojans were downloaded from the Android Market Place. So it's important to also review the permissions requested upon install and leverage an up to date security software suite for your device.