This is a recent malware that targets the Android platform. This Trojan like many typical social engineering Trojans, comes bundled with a game. The credit for discovering it goes to Prof.Xuxian Jiang.
Since we have published static analysis of such Trojans in our earlier blogs, this blog covers the dynamic analysis of the Trojan in a controlled environment. Please note that this blog post will only demonstrate one of the malicious activities the sample does and does not intend to demonstrate all the activities of the malware.
As part of one of the malicious activities, the malware logs all outgoing and incoming calls and for incoming calls it logs the call duration as well. To record this malicious activity, we need to have two mobile phone emulators running with the ability to call each other.
Fig.1: Two Android phone emulators running in a controlled environment
The emulators are assigned the following mobile numbers:
Victim mobile : 15555215554 [LabMobi]
Friend of victim : 15555215556 [LabMobi2]
Once the environment is ready, we will install the sample in the victim mobile emulator.
Fig.2 illustrates the game bundled with Trojan installed in the emulator device.
Now, we shall trigger the payload by making a phone call from the infected mobile. In this experiment, we will dial the number 15555215556 which is assigned to the other emulator.
Before doing that we shall look around the data files created by the application to observe the differences recorded after triggering the payload.
Fig.3 shows the contents of the data files of the application running in victim's device.
Fig.3: Files before triggering the payload.
Fig.4 is the screenshot of a call being made from the victim's mobile to his friends number.
Fig.4: Making a phone call from victim phone
After few seconds, we can terminate the call and make a call from the friend's number to victim's mobile (to trigger the incoming call alert event).
Now, we shall look at the data files of the application as illustrated in Fig.5
Fig.5:The data files after triggering the payload
You could see that a new file “Zjphonecall.txt” is created. Here is the content of the file.
Fig.6: Contents of the newly created “Zjphonecall.txt” file.
You can see that the file contains logs of the incoming and outgoing calls, the timestamps of the calls made and received as well as the duration of the incoming calls.
We have already begun to see a steady growth in the number of social engineering based Trojans for the mobile platform and we believe that only educating the users along with adequate software protection is the key to be safer from such malware threats.