A few weeks ago we witnessed Zitmo (the mobile component of Zeus) arriving on the Android landscape: http://totaldefense.com/securityblog/2011/08/29/ZBot-Targeting-Android-Users.aspx. As was widely predicted, fellow researchers at Trusteer have now discovered that Spitmo, the SpyEye counterpart, has also emerged for the Android platform. We, like the worldwide research community, take the growth of Android malware very seriously.
Although the Spitmo sample we analysed is not very complex, we took the opportunity to try out some new analysis techniques on it. This post explains what those techniques showed.
One of the core payloads of this sample is to intercept incoming SMS messages and forward their content to a remote server, much as we saw in the case of Zbot for Android. On Android this requires the app to register a broadcast receiver for incoming SMS and to hold the permissions for receiving SMS and for network access.
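Before reaching for a debugger, the footprint just described can be checked statically. The following is an added example written for this post, not code from the original analysis or from the AndBug project: it parses a decoded AndroidManifest.xml (the text form produced by aapt or apktool; the manifest inside an APK is binary XML) and reports whether the app declares RECEIVE_SMS and INTERNET and registers a receiver for android.provider.Telephony.SMS_RECEIVED. It also records the receiver's android:priority, since SMS-stealing receivers commonly use a very high priority to see the message before the stock messaging app. The package name, receiver class and both manifests below are constructed for the example.

```python
"""Static triage of an AndroidManifest.xml for the SMS-interception footprint.

Added example (not part of the original post). The manifests below are
constructed sample input; the package and receiver names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
PERM_RECEIVE_SMS = "android.permission.RECEIVE_SMS"
PERM_INTERNET = "android.permission.INTERNET"
# Receivers that want the SMS before the default messaging app use a very
# high priority; treat anything at or above this as "high".
HIGH_PRIORITY = 1000


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a dict of findings for a decoded manifest (text XML)."""
    root = ET.fromstring(xml_text)

    # <uses-permission> elements are not namespaced; their name attribute is.
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    # Collect every receiver whose intent-filter listens for incoming SMS.
    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = _android_attr(flt, "priority")
                sms_receivers.append({
                    "name": _android_attr(rcv, "name"),
                    "priority": int(prio) if prio is not None else 0,
                })

    findings = {
        "package": root.get("package"),
        "receive_sms": PERM_RECEIVE_SMS in perms,
        "internet": PERM_INTERNET in perms,
        "sms_receivers": sms_receivers,
    }
    # The combination is what matters: listening for SMS *and* being able to
    # send the content somewhere.
    findings["suspicious"] = (findings["receive_sms"]
                              and findings["internet"]
                              and bool(sms_receivers))
    findings["high_priority"] = any(r["priority"] >= HIGH_PRIORITY
                                    for r in sms_receivers)
    return findings


# Constructed manifest resembling an SMS-stealing Trojan (names are invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Security Tool">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: network access but no SMS receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News Reader">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Treat the result as a triage signal, not a verdict: a legitimate messaging app declares the same permission and receiver, and whether the intercepted message is actually forwarded (or the broadcast aborted so the user never sees it) only shows up in the code or in the dynamic analysis that follows.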
Let us analyse this behaviour with a few nice tools. To trigger the payload we use our regular setup: two mobile emulators running in a virtual machine with simulated internet connectivity.
The emulator LabMobiOne is infected with the malware sample. Sending an SMS from the other emulator (LabMobiTwo) makes the malware on LabMobiOne intercept the message and send it to the remote server.
[Fig.1: Sending an SMS to infected device triggers the connection]
So, time to use some nice open source analysis techniques! We will use the elegant yet powerful AndBug to quiz this piece of malware. First we list the classes (modules) loaded in the target process and hook java.net.URL, as shown in Fig. 2.
[Fig.2: Browsing the loaded “modules” and hooking the URL class]
Now we trigger the payload again by sending one more message to the infected device. This time we control the flow of execution, because the hook we established on java.net.URL is hit, as shown in Fig. 3.
[Fig.3: Breakpoint hit while initializing the URL object]
Now we can navigate the state of the malware very conveniently. In object-oriented terms, the state of an object is the set of values of its instance fields; with the target suspended at the breakpoint, those values (here, the URL being built for the remote server) can be read off directly.
Fig. 4 shows the state of the malware sample frozen at that point in time.
[Fig.4: Navigating the states frozen at a moment]
Fig. 5 also shows profiler information: the sequence of API calls the malware makes to accomplish the payload, from receiving the SMS to opening the connection.
[Fig.5: Profiled data about API call sequence]
As mentioned earlier, this sample is straightforward, and proper user education is the most viable defence against such socially engineered Trojans, which rely on the victim installing them. As always, we suggest that users exercise basic security principles and run a mobile security suite when operating a smartphone in the wild.