New Technical Report – Analysis of BckR2D2

Our research group has published a new technical report analysing and comparing several versions of BckR2D2. The report is available in German only, as technical report CS-2011-08 (opus).

Abstract:
In October 2011, the publication of details about the malware now mostly referred to as BckR2D2 caused a public stir. Members of the Chaos Computer Club e.V. published a first report on how the trojan works, and further analyses followed. In this paper the authors give an overview of the individual reports published so far, of the various components of the malware and of how they work. To this end, the paper presents the main results of a detailed analysis of all components of the trojan and in particular addresses the differences between the two variants known so far, BckR2D2-I and II. The authors also pay particular attention to verifying the statements made previously in the reports mentioned.

Detailed Analysis of Android.Arspam

Intro: What is Android.Arspam?

Android.Arspam is a recently discovered Android malware family that uses a trojanised version of an Islamic compass application to distribute links to political propaganda. It represents a first instance of politically motivated hacking (hacktivism) on mobile platforms.

Analysis of the Application and Its Structure

The app requests the following permissions, listed as they are declared in the manifest. Note that several entries are declared more than once, and that many of them (INSTALL_PACKAGES, BRICK, REBOOT, MASTER_CLEAR and the like) have protection level signature or signatureOrSystem, which Android never grants to a third-party app; the list therefore looks like the whole permission catalogue pasted in rather than a description of what the malware can actually do:

  • android.permission.INTERNET
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.READ_CONTACTS
  • android.permission.CHANGE_WIFI_MULTICAST_STATE
  • android.permission.CLEAR_APP_USER_DATA
  • android.permission.BIND_INPUT_METHOD
  • android.permission.WRITE_CONTACTS
  • android.permission.CLEAR_APP_CACHE
  • android.permission.AUTHENTICATE_ACCOUNTS
  • android.permission.READ_PHONE_STATE
  • android.permission.SET_PREFERRED_APPLICATIONS
  • android.permission.INTERNAL_SYSTEM_WINDOW
  • android.permission.MANAGE_ACCOUNTS
  • android.permission.PERSISTENT_ACTIVITY
  • android.permission.FLASHLIGHT
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_MOCK_LOCATION
  • android.permission.SEND_SMS
  • android.permission.HARDWARE_TEST
  • android.permission.ACCESS_CHECKIN_PROPERTIES
  • android.permission.DISABLE_KEYGUARD
  • android.permission.READ_SYNC_STATS
  • android.permission.READ_INPUT_STATE
  • android.permission.EXPAND_STATUS_BAR
  • android.permission.BLUETOOTH
  • android.permission.BIND_APPWIDGET
  • android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
  • android.permission.BROADCAST_SMS
  • android.permission.DIAGNOSTIC
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.DEVICE_POWER
  • android.permission.CHANGE_CONFIGURATION
  • android.permission.DELETE_PACKAGES
  • android.permission.BROADCAST_WAP_PUSH
  • android.permission.REBOOT
  • android.permission.WRITE_SMS
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.STATUS_BAR
  • android.permission.MOUNT_UNMOUNT_FILESYSTEMS
  • android.permission.GLOBAL_SEARCH
  • android.permission.READ_SMS
  • android.permission.CONTROL_LOCATION_UPDATES
  • android.permission.MANAGE_APP_TOKENS
  • android.permission.DELETE_CACHE_FILES
  • android.permission.BATTERY_STATS
  • android.permission.READ_SYNC_SETTINGS
  • android.permission.SET_TIME_ZONE
  • com.android.browser.permission.READ_HISTORY_BOOKMARKS
  • android.permission.MOUNT_FORMAT_FILESYSTEMS
  • android.permission.SIGNAL_PERSISTENT_PROCESSES
  • android.permission.MASTER_CLEAR
  • android.permission.READ_LOGS
  • android.permission.BRICK
  • android.permission.SET_ACTIVITY_WATCHER
  • android.permission.RECEIVE_SMS
  • android.permission.GET_ACCOUNTS
  • android.permission.CALL_PHONE
  • android.permission.READ_CONTACTS
  • android.permission.RESTART_PACKAGES
  • android.permission.READ_CALENDAR
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.CAMERA
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.SUBSCRIBED_FEEDS_READ
  • android.permission.WAKE_LOCK
  • android.permission.RECORD_AUDIO
  • android.permission.INSTALL_PACKAGES
  • android.permission.INJECT_EVENTS
  • android.permission.RECEIVE_WAP_PUSH
  • android.permission.USE_CREDENTIALS
  • android.permission.ACCOUNT_MANAGER
  • android.permission.SET_ALWAYS_FINISH
  • android.permission.RECEIVE_MMS
  • android.permission.WRITE_SECURE_SETTINGS
  • android.permission.MODIFY_AUDIO_SETTINGS
  • android.permission.WRITE_CALENDAR
  • android.permission.WRITE_SYNC_SETTINGS
  • android.permission.INSTALL_LOCATION_PROVIDER
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.WRITE_SETTINGS
  • android.permission.INTERNET
  • android.permission.ACCESS_SURFACE_FLINGER
  • android.permission.CHANGE_NETWORK_STATE
  • android.permission.CALL_PRIVILEGED
  • android.permission.CHANGE_COMPONENT_ENABLED_STATE
  • android.permission.DUMP
  • android.permission.SET_WALLPAPER
  • android.permission.GET_TASKS
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.WRITE_OWNER_DATA
  • android.permission.WRITE_GSERVICES
  • android.permission.SET_WALLPAPER_HINTS
  • android.permission.BROADCAST_STICKY
  • android.permission.READ_FRAME_BUFFER
  • android.permission.GET_PACKAGE_SIZE
  • android.permission.FORCE_BACK
  • android.permission.UPDATE_DEVICE_STATS
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.BROADCAST_PACKAGE_REMOVED
  • android.permission.SET_ANIMATION_SCALE
  • android.permission.SET_ORIENTATION
  • android.permission.SET_DEBUG_APP
  • android.permission.FACTORY_TEST
  • android.permission.REORDER_TASKS
  • android.permission.SET_PROCESS_LIMIT
  • android.permission.READ_OWNER_DATA
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.VIBRATE
  • android.permission.SUBSCRIBED_FEEDS_WRITE
  • android.permission.RECEIVE_BOOT_COMPLETED
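A manifest this size is easier to judge with a small triage script than by eye. The following is an added example (not code from the original post or from the Android.Arspam sample): it parses a constructed AndroidManifest.xml fragment modelled on the list above, reports permissions declared more than once, and separates the permissions a third-party app can actually obtain from those reserved for the platform. The package name is made up, and the two classification sets are hand-picked subsets of the Android 2.x protection levels, not the complete platform tables.

```python
"""Triage the <uses-permission> declarations of an Android manifest.

Added example, not code from the post or the malware. The two sets below
are subsets of the Android 2.x protection-level tables (assumption: the
reader checks them against the platform manifest of the target release).
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Subset of permissions with protection level "dangerous" on Android 2.x/3.x
# (user-approved at install time; INTERNET became "normal" in 6.0).
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.WRITE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.INTERNET",
}

# Subset of permissions with protection level signature / signatureOrSystem:
# the installer silently refuses them for an APK not signed with the platform key.
PLATFORM_ONLY = {
    "android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES",
    "android.permission.BRICK", "android.permission.REBOOT",
    "android.permission.MASTER_CLEAR", "android.permission.DEVICE_POWER",
    "android.permission.WRITE_SECURE_SETTINGS", "android.permission.INJECT_EVENTS",
    "android.permission.READ_FRAME_BUFFER", "android.permission.CALL_PRIVILEGED",
    "android.permission.FACTORY_TEST", "android.permission.MANAGE_APP_TOKENS",
    "android.permission.ACCESS_SURFACE_FLINGER", "android.permission.WRITE_GSERVICES",
    "android.permission.DIAGNOSTIC", "android.permission.HARDWARE_TEST",
}

def requested_permissions(manifest_xml: str) -> list[str]:
    """Every android:name of a <uses-permission> element, in manifest order,
    duplicates included (the manifest is taken verbatim, as the installer sees it)."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR, "") for el in root.iter("uses-permission")]

def triage(manifest_xml: str) -> dict:
    """Summarise declared vs. unique permissions and classify the unique ones."""
    perms = requested_permissions(manifest_xml)
    counts = Counter(perms)
    unique = sorted(counts)
    return {
        "declared": len(perms),
        "unique": len(unique),
        "duplicates": sorted(p for p, n in counts.items() if n > 1),
        "dangerous": sorted(p for p in unique if p in DANGEROUS),
        "platform_only": sorted(p for p in unique if p in PLATFORM_ONLY),
        "other_namespace": sorted(p for p in unique
                                  if not p.startswith("android.permission.")),
    }

# Constructed manifest fragment: a handful of the entries listed above,
# with the duplicates preserved. The package name is hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.compass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.BRICK"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against a real APK, feed it the manifest decoded by apktool or aapt; the interesting output is the intersection of the dangerous set with the classes the analysis below identifies (SEND_SMS, READ_CONTACTS, RECEIVE_BOOT_COMPLETED, INTERNET), since that is the subset the malware actually uses.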

Once the app has been installed, the icon of the original app appears in the launcher. The UI and functionality of the original app have been duplicated as well, so the user sees nothing unusual.

The malicious part of this application consists of the following two classes, which are analysed in detail below:

  • arRabi
  • alArabiyyah

Analysis of arRabi

This class is a BroadcastReceiver that waits for the BOOT_COMPLETED broadcast (hence the RECEIVE_BOOT_COMPLETED permission above) and then starts the malicious alArabiyyah service, so the service is restarted after every reboot:

// onReceive(Context paramContext, Intent paramIntent) of the arRabi receiver
if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction())) {
   // persistence: the service is (re)started after every boot
   paramContext.startService(new Intent(paramContext, alArabiyyah.class));
}

Analysis of alArabiyyah

This class implements the alArabiyyah service, which sends an SMS to every contact in the address book; each message carries a link to one of the following 18 forum threads:

  • http://www.dhofaralaezz.com/vb/showthread.php?t=4453
  • http://www.i7sastok.com/vb/showthread.php?t=6930
  • http://www.dmahgareb.com/vb/showthread.php?p=6606
  • http://mafia.clubme.net/t2139-topic
  • http://www.4pal.net/vb/showthread.php?t=40752
  • http://www.howwari.com/vb/showthread.php?t=28495
  • http://forum.te3p.com/464619.html
  • http://www.htoof.com/vb/t187394.html
  • http://vb.roooo3.com/showthread.php?t=174074
  • http://www.alsa7ab.com/vb/showthread.php?t=4746
  • http://www.riyadhmoon.com/vb/showthread.php?p=4548287
  • http://forum.althuibi.com/showthread.php?p=137646
  • http://www.2wx2.com/vb/showthread.php?p=43548
  • http://www.mdmak.com/vb/showpost.php?p=500795&postcount=1
  • http://www.too-8.com/vb/showthread.php?s=&threadid=7058
  • http://www.3z1z.com/vb/showthread.php?t=2910
  • http://www.w32w.com/vb/showpost.php?p=506831&postcount=1
  • http://forum.65man.com/65man33611.html

Additionally, if the inserted SIM is from Bahrain, the service is meant to download the report of the Bahrain Independent Commission of Inquiry (BICI) as a PDF to external storage (see the following code snippet). Note that the decompiled country check compares strings with == rather than equals(), i.e. by object reference, so the branch is unlikely to be taken in practice.

// == compares object references, not string contents: the String returned by
// getSimCountryIso() is not the literal "BH", so this check is effectively broken.
if (((TelephonyManager)getSystemService("phone")).getSimCountryIso() == "BH") {
   URL localURL = new URL("http://www.alwasatnews.com/data/2011/3382/BICIreportAR.pdf");
   HttpURLConnection localHttpURLConnection = (HttpURLConnection)localURL.openConnection();
   localHttpURLConnection.setRequestMethod("GET");
   localHttpURLConnection.setDoOutput(true);
   localHttpURLConnection.connect();
   // target file: <external storage>/BICIreportAR.pdf (needs WRITE_EXTERNAL_STORAGE)
   File localFile1 = Environment.getExternalStorageDirectory();
   File localFile2 = new File(localFile1, "BICIreportAR.pdf");
   FileOutputStream localFileOutputStream = new FileOutputStream(localFile2);
   localFile2.toString();                       // result unused (decompiler artefact)
   InputStream localInputStream = localHttpURLConnection.getInputStream();
   localHttpURLConnection.getContentLength();   // result unused (decompiler artefact)
   byte[] arrayOfByte = new byte[1024];
   // remainder of the download routine (stream copy into the file) omitted in this excerpt
}
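The behaviour described in the two class analyses above (boot-time receiver that starts a service, which enumerates the address book and sends SMS with links, with a SIM-country check on the side) can be turned into a static indicator scan over decompiled source. The following is an added example, not code from the original post or from the sample: it runs a few regular-expression indicators over decompiled Java text, extracts the URL literals as indicators of compromise, flags string comparisons done with == (the bug noted above), and combines the indicators into the propagation pattern. The two sources it scans are constructed stand-ins modelled on the arRabi and alArabiyyah snippets and on a harmless compass app, with reserved example.com hosts in place of the real links; the indicator names are this example's own.

```python
"""Static indicators for an SMS-spreading Android app in decompiled Java.

Added example, not code from the post or the malware. The regexes are
heuristics tuned to JD-GUI/Procyon style output (assumption: the source
being scanned is decompiled Java, not smali).
"""
import re

INDICATORS = {
    # persistence: a receiver reacting to BOOT_COMPLETED that launches a service
    "boot_receiver": re.compile(r"BOOT_COMPLETED.*?startService\(", re.S),
    # mass messaging through the platform SMS API
    "sms_send": re.compile(r"\bSmsManager\b|\bsendTextMessage\("),
    # enumeration of the address book
    "contacts_read": re.compile(r"ContactsContract|content://contacts"),
    # geo-targeting on the SIM's country code
    "sim_country_check": re.compile(r"getSimCountryIso\(\)"),
    # something downloaded is written to external storage
    "sdcard_write": re.compile(r"getExternalStorageDirectory\(\).*?FileOutputStream\(", re.S),
}

# A method result compared to a string literal with ==: the decompiler's rendering
# of if_acmpne on references, i.e. a reference comparison, not equals().
REF_STRING_COMPARE = re.compile(r'\)\s*==\s*"[^"]*"')

URL_RE = re.compile(r"""https?://[^\s"']+""")

def find_indicators(src: str) -> dict[str, bool]:
    """Which of the indicators above occur anywhere in the source text."""
    return {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}

def extract_urls(src: str) -> list[str]:
    """Unique URL literals in order of first appearance (IoC list)."""
    seen: dict[str, None] = {}
    for m in URL_RE.finditer(src):
        seen.setdefault(m.group(0), None)
    return list(seen)

def reference_string_compares(src: str) -> list[str]:
    """Every '...) == "literal"' occurrence, each a likely logic bug in the sample."""
    return [m.group(0) for m in REF_STRING_COMPARE.finditer(src)]

def looks_like_sms_worm(src: str) -> bool:
    """The propagation triad: survives reboot, reads contacts, sends SMS."""
    hits = find_indicators(src)
    return hits["boot_receiver"] and hits["contacts_read"] and hits["sms_send"]

# Constructed decompiled source modelled on arRabi / alArabiyyah (example.com links).
SUSPECT_SRC = '''
public class arRabi extends BroadcastReceiver {
  public void onReceive(Context paramContext, Intent paramIntent) {
    if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction()))
      paramContext.startService(new Intent(paramContext, alArabiyyah.class));
  }
}
public class alArabiyyah extends Service {
  static final String[] LINKS = {
    "http://forum1.example.com/vb/showthread.php?t=1",
    "http://forum2.example.com/vb/showthread.php?t=2" };
  public void onStart(Intent i, int id) {
    Cursor c = getContentResolver().query(ContactsContract.CommonDataKinds.Phone.CONTENT_URI, null, null, null, null);
    while (c.moveToNext())
      SmsManager.getDefault().sendTextMessage(c.getString(1), null, LINKS[0], null, null);
    if (((TelephonyManager)getSystemService("phone")).getSimCountryIso() == "BH") {
      URL u = new URL("http://news.example.com/report.pdf");
      File f = new File(Environment.getExternalStorageDirectory(), "report.pdf");
      FileOutputStream out = new FileOutputStream(f);
    }
  }
}
'''

# Constructed benign counterpart: a compass app that only uses sensors and the network.
BENIGN_SRC = '''
public class Compass extends Activity implements SensorEventListener {
  public void onSensorChanged(SensorEvent e) { heading = e.values[0]; }
  void fetchQibla() { URL u = new URL("https://api.example.com/qibla"); }
}
'''

if __name__ == "__main__":
    print(find_indicators(SUSPECT_SRC))
    print(extract_urls(SUSPECT_SRC))
    print(reference_string_compares(SUSPECT_SRC))
    print(looks_like_sms_worm(SUSPECT_SRC), looks_like_sms_worm(BENIGN_SRC))
```

The triad in looks_like_sms_worm is deliberately narrow: a legitimate messaging app will also hit sms_send and contacts_read, and a sync client will hit boot_receiver, but the three together, in a compass app, is the combination that justifies pulling the sample apart by hand.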

Sample Information:

sha256:
1d22924bbe5dce7696e18d880482b63ce19ca0746f8671aaec865cce143f6e6f

md5:
e7584031896cb9485d487c355ba5e545

Mobile-Sandbox Report