Intro: What is Android.Arspam?
Android.Arspam is a new Android malware threat that emerged some days ago and uses a trojanised version of a Islamic compass application to distribute political propaganda links. This malware represent the first stage of politically-motivated hacking (hacktivism) on mobile platforms.
Analysis of the Application and Its Structure
The app requests the following permissions:
- android.permission.INTERNET
- android.permission.ACCESS_FINE_LOCATION
- android.permission.ACCESS_NETWORK_STATE
- android.permission.INTERNET
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.READ_CONTACTS
- android.permission.CHANGE_WIFI_MULTICAST_STATE
- android.permission.CLEAR_APP_USER_DATA
- android.permission.BIND_INPUT_METHOD
- android.permission.WRITE_CONTACTS
- android.permission.CLEAR_APP_CACHE
- android.permission.AUTHENTICATE_ACCOUNTS
- android.permission.READ_PHONE_STATE
- android.permission.SET_PREFERRED_APPLICATIONS
- android.permission.INTERNAL_SYSTEM_WINDOW
- android.permission.MANAGE_ACCOUNTS
- android.permission.PERSISTENT_ACTIVITY
- android.permission.FLASHLIGHT
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_MOCK_LOCATION
- android.permission.SEND_SMS
- android.permission.HARDWARE_TEST
- android.permission.ACCESS_CHECKIN_PROPERTIES
- android.permission.DISABLE_KEYGUARD
- android.permission.READ_SYNC_STATS
- android.permission.READ_INPUT_STATE
- android.permission.EXPAND_STATUS_BAR
- android.permission.BLUETOOTH
- android.permission.BIND_APPWIDGET
- android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
- android.permission.BROADCAST_SMS
- android.permission.DIAGNOSTIC
- android.permission.BLUETOOTH_ADMIN
- android.permission.DEVICE_POWER
- android.permission.CHANGE_CONFIGURATION
- android.permission.DELETE_PACKAGES
- android.permission.BROADCAST_WAP_PUSH
- android.permission.REBOOT
- android.permission.WRITE_SMS
- android.permission.ACCESS_WIFI_STATE
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.STATUS_BAR
- android.permission.MOUNT_UNMOUNT_FILESYSTEMS
- android.permission.GLOBAL_SEARCH
- android.permission.READ_SMS
- android.permission.CONTROL_LOCATION_UPDATES
- android.permission.MANAGE_APP_TOKENS
- android.permission.DELETE_CACHE_FILES
- android.permission.BATTERY_STATS
- android.permission.READ_SYNC_SETTINGS
- android.permission.SET_TIME_ZONE
- com.android.browser.permission.READ_HISTORY_BOOKMARKS
- android.permission.MOUNT_FORMAT_FILESYSTEMS
- android.permission.SIGNAL_PERSISTENT_PROCESSES
- android.permission.MASTER_CLEAR
- android.permission.READ_LOGS
- android.permission.BRICK
- android.permission.SET_ACTIVITY_WATCHER
- android.permission.RECEIVE_SMS
- android.permission.GET_ACCOUNTS
- android.permission.CALL_PHONE
- android.permission.READ_CONTACTS
- android.permission.RESTART_PACKAGES
- android.permission.READ_CALENDAR
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.CAMERA
- android.permission.ACCESS_FINE_LOCATION
- android.permission.SUBSCRIBED_FEEDS_READ
- android.permission.WAKE_LOCK
- android.permission.RECORD_AUDIO
- android.permission.INSTALL_PACKAGES
- android.permission.INJECT_EVENTS
- android.permission.RECEIVE_WAP_PUSH
- android.permission.USE_CREDENTIALS
- android.permission.ACCOUNT_MANAGER
- android.permission.SET_ALWAYS_FINISH
- android.permission.RECEIVE_MMS
- android.permission.WRITE_SECURE_SETTINGS
- android.permission.MODIFY_AUDIO_SETTINGS
- android.permission.WRITE_CALENDAR
- android.permission.WRITE_SYNC_SETTINGS
- android.permission.INSTALL_LOCATION_PROVIDER
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.MODIFY_PHONE_STATE
- android.permission.WRITE_SETTINGS
- android.permission.INTERNET
- android.permission.ACCESS_SURFACE_FLINGER
- android.permission.CHANGE_NETWORK_STATE
- android.permission.CALL_PRIVILEGED
- android.permission.CHANGE_COMPONENT_ENABLED_STATE
- android.permission.DUMP
- android.permission.SET_WALLPAPER
- android.permission.GET_TASKS
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.PROCESS_OUTGOING_CALLS
- android.permission.WRITE_OWNER_DATA
- android.permission.WRITE_GSERVICES
- android.permission.SET_WALLPAPER_HINTS
- android.permission.BROADCAST_STICKY
- android.permission.READ_FRAME_BUFFER
- android.permission.GET_PACKAGE_SIZE
- android.permission.FORCE_BACK
- android.permission.UPDATE_DEVICE_STATS
- android.permission.WRITE_APN_SETTINGS
- android.permission.BROADCAST_PACKAGE_REMOVED
- android.permission.SET_ANIMATION_SCALE
- android.permission.SET_ORIENTATION
- android.permission.SET_DEBUG_APP
- android.permission.FACTORY_TEST
- android.permission.REORDER_TASKS
- android.permission.SET_PROCESS_LIMIT
- android.permission.READ_OWNER_DATA
- android.permission.CHANGE_WIFI_STATE
- android.permission.VIBRATE
- android.permission.SUBSCRIBED_FEEDS_WRITE
- android.permission.RECEIVE_BOOT_COMPLETED
When the app has been installed successfully, the icon of the original app shows up in the dashboard. The UI and functionality have also been duplicated from the original app.
The malicious part of this application consists of the following two main classes which will be analyzed in detail afterwards:
- arRabi
- alArabiyyah
Analysis of arRabi
This class checks if the boot-process of the smartphone has completed and starts the malicious alArabiyyah service afterwards:
if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction()){ paramContext.startService(new Intent(paramContext, alArabiyyah.class)); }
Analysis of alArabiyyah
This application starts a service called alArabiyyah, which sends an SMS to every contact in the address book with a link to one of the following 18 forum sites in the message:
- http://www.dhofaralaezz.com/vb/showthread.php?t=4453
- http://www.i7sastok.com/vb/showthread.php?t=6930
- http://www.dmahgareb.com/vb/showthread.php?p=6606
- http://mafia.clubme.net/t2139-topic
- http://www.4pal.net/vb/showthread.php?t=40752
- http://www.howwari.com/vb/showthread.php?t=28495
- http://forum.te3p.com/464619.html
- http://www.htoof.com/vb/t187394.html
- http://vb.roooo3.com/showthread.php?t=174074
- http://www.alsa7ab.com/vb/showthread.php?t=4746
- http://www.riyadhmoon.com/vb/showthread.php?p=4548287
- http://forum.althuibi.com/showthread.php?p=137646
- http://www.2wx2.com/vb/showthread.php?p=43548
- http://www.mdmak.com/vb/showpost.php?p=500795&postcount=1
- http://www.too-8.com/vb/showthread.php?s=&threadid=7058
- http://www.3z1z.com/vb/showthread.php?t=2910
- http://www.w32w.com/vb/showpost.php?p=506831&postcount=1
- http://forum.65man.com/65man33611.html
Additionally, if the inserted SIM is from Bahrain, the application attempts to download a PDF file of the Bahrain Independent Commission of Inquiry (see the following code-snipet).
if (((TelephonyManager)getSystemService("phone")).getSimCountryIso() == "BH"){ URL localURL = new URL("http://www.alwasatnews.com/data/2011/3382/BICIreportAR.pdf"); HttpURLConnection localHttpURLConnection = (HttpURLConnection)localURL.openConnection(); localHttpURLConnection.setRequestMethod("GET"); localHttpURLConnection.setDoOutput(true); localHttpURLConnection.connect(); File localFile1 = Environment.getExternalStorageDirectory(); File localFile2 = new File(localFile1, "BICIreportAR.pdf"); localFileOutputStream = new FileOutputStream(localFile2); localFile2.toString(); localInputStream = localHttpURLConnection.getInputStream(); localHttpURLConnection.getContentLength(); arrayOfByte = new byte[1024]; }
Sample Information:
sha256:
1d22924bbe5dce7696e18d880482b63ce19ca0746f8671aaec865cce143f6e6f
md5:
e7584031896cb9485d487c355ba5e545
2 Replies to “Detailed Analysis of Android.Arspam”