Android/Wroba.I!tr

Analysis

Android/Wroba.I!tr is a piece of malware targeting Android mobile phones.
The malicious package comes disguised as a (poor) copy of the Google Play store application. However, it performs no legitimate function.
Instead in the background, it launches several services that look for specific Korean banking applications on the phone, leak banking credentials & Credit Card details and displays a notification to download and install fake updates for these applications.
The services also leak information such as the device's phone number and contact information via HTTP or email.
The malware also intercepts incoming SMS messages and can process certain SMS commands to update C&C address, email recipient information, and even send out a specific message via SMS to all contacts saved on the phone.

Technical Details


The main application is called "googl app stoy" and comes in the package "com.sdwiurse". However,

Fig1 : Application Icon
When launched, the application performs no function and the user sees the screen shown in Fig2.

Fig2 : Application main screen
In the background, the application decrypts a file present in the package assets called either "ds" or "ps". The file is decrypted using DES and the key is present hardcoded in the package.
The encrypted file is saved on the phone as /data/data/[pkg_name]/x.zip and the decrypted file as /data/data/[pkg_name]/x.
This decrypted file is loaded using the DexFile.loadDex() function of the Android API. This file contains the crux of the malicious code.
Once loaded, the files x.zip and x are deleted.
The Main Activity requests Device Administrator privileges when launched. Every time the application is launched, a check is performed and, if the privileges are not already activated, they are requested again.
Additionally, it launches the following services in the background:
uploadPhone : This service looks for the presence of some specific banking applications on the infected phone. It then sends out a POST request to
[CnC_URL] + "/phon/youxi.php"
with the parameters
"phone" = [Ph_Num], "softname" = [Bank_List]
where CnC_URL = hxxp://[REMOVED].vicp.co
and Ph_Num = phone number of the infected phone, Bank_List = a list of the symbols ["NH", "SH", "WO", "KB", "HA", "EP", "SP", "BS"] for whichever of the corresponding banking applications with package names ["nh.smart", "com.shinhan.sbanking", "com.webcash.wooribank", "com.kbstar.kbbank", "com.hanabank.ebk.channel.android.hananbank", "com.epost.psf.sdsi", "com.smg.spbs", "com.areo.bs"] (listed in the same order) are present on the phone. If none of them are found, the value is set to "N/A".
Next, a POST request is sent to [CnC_URL] + "/phon/youxi_up.php" with the parameters
"file" = [Contents of file Ph_Num + "_npki.zip" on the SDCard], "phone" = [Ph_Num], "npki" = [Ph_Num] + "_npki.zip"

The same file, [Ph_Num] + "_npki.zip", is also sent via email to dkggtbb603@gmail.com with the Subject set to Ph_Num.
Next, all the contents of the directory temp/ on the external SDCard are compressed into a file all.zip and a POST request is sent to [CnC_URL] + "/phon/youxi_up.php" with the parameters
"file" = [Contents of temp/all.zip on external SDCard], "phone" = [Ph_Num], "npki"= "all"

Finally, the contacts on the phone are read and saved to file /temp/phone001.txt on the external SDCard and a POST request is sent to [CnC_URL] + "/phon/youxi_up.php" with the parameters
"file" = [Contents of the file /temp/phone001.txt on external SDCard], "phone" = [Ph_Num], "npki" = "phone001"

SoftService : This service starts 1 sec after launching and is repeated every second after that. It calls a function called bankHijack() that checks if any of the specified banking applications are present in the list of installed applications on the infected phone.
If found, the banking credentials are leaked. The user may also be directed to a fake phishing page, from which any Credit Card details entered are also leaked. Next, the user is shown a notification asking to download a fake update for the banking applications, leading to the download of more, possibly malicious, applications.
UninstallerService : It starts 0.5 secs after launching and is repeated every 0.5 secs after that. It calls a function called getSoftName() that also checks for the specified banking applications on the infected phone. If found, the banking application is deleted from the phone, except for "AhnLab V3 Mobile Plus 2.0", which is an anti-virus application.
uploadContentService : The service starts 2 secs after launching and is repeated every 2 secs after that. It sends the file temp/all.zip on the external SDCard in a POST request in the same format as specified above.
autoRunService : It starts after 40 mins and repeats every 30 mins. It updates the package's shared preferences file with an entry "item" holding the name of each of the specified banking applications found on the phone. Then the user is shown a notification to download a fake banking application update, as mentioned above.
In addition to these services, the following receivers are defined:
SystemReceiver : Launched whenever the phone is switched on (BOOT_COMPLETED) or a user is present (USER_PRESENT), it starts the services SoftService, UninstallService, autoRunService and uploadContentService.
openActivityReceiver : This receiver is launched whenever an SMS is received on the phone (SMS_RECEIVED). A POST request is sent to [CnC_URL] + "/phon/sms.php" with the parameters
"phone"= [SMS_Sender], "localphone" = [Ph_Num], "content" = [Received_SMS_Body]
Depending upon the contents of the SMS Body, the following functions are performed:
  • "ak49-" + [URL] : URL is saved to the file temp/ak49.txt on the external SDCard and updated as the new value of CnC_URL. Henceforth, all POST requests are sent to this address.
  • "ak40-" + [MSG] : MSG is saved to the file temp/ak40.txt on the external SDCard, the received SMS is hidden and MSG is forwarded in an email with Subject Ph_Num.
  • "wokm-" + [MSG] : The MSG is sent in an SMS to all saved contacts on the phone.
  • "ak60-" + [NAME] : NAME is saved to a file temp/sms_name.txt on the external SDCard and is then used as the destination for all emails sent by the malware.
  • "ak61-" + [PWD] : PWD is saved to the file temp/sms_pws.txt on the external SDCard and is the password used to authenticate email sending.
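The C&C traffic and the SMS command grammar described above are both easy to match once written down. The following is an added triage helper (not code from the original analysis or from the malware) that classifies SMS bodies against the five command prefixes and flags POSTs to the three script paths in a proxy log; the log line format "<timestamp> <method> <url> <status>" and all sample values are assumptions constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# SMS command prefixes from the analysis -> effect on the infected phone
SMS_COMMANDS = {
    "ak49-": "update_cnc_url",          # argument is the new C&C URL
    "ak40-": "hide_sms_forward_email",  # SMS hidden, argument emailed
    "wokm-": "sms_all_contacts",        # argument sent to every contact
    "ak60-": "set_email_recipient",
    "ak61-": "set_email_password",
}

# Server-side scripts the services POST to, appended to whatever CnC_URL is
CNC_PATHS = frozenset({"/phon/youxi.php", "/phon/youxi_up.php", "/phon/sms.php"})


def classify_sms(body: str) -> Optional[tuple]:
    """Return (effect, argument) when the SMS body is a C&C command, else None."""
    for prefix, effect in SMS_COMMANDS.items():
        # Only the leading prefix counts, as in the receiver; a command string
        # appearing later in the body is ordinary text to the malware.
        if body.startswith(prefix):
            return effect, body[len(prefix):]
    return None


def flag_cnc_request(log_line: str) -> Optional[str]:
    """Return the C&C script path for a proxy-log line of the assumed form
    "<timestamp> <method> <url> <status>", or None when the line is not a
    POST to one of those paths. The host is deliberately ignored, since an
    "ak49-" SMS can point the services at a new address at any time."""
    parts = log_line.split()
    if len(parts) != 4 or parts[1] != "POST":
        return None
    path = urlsplit(parts[2]).path
    return path if path in CNC_PATHS else None


if __name__ == "__main__":
    # Constructed samples; the host name is a placeholder, not an indicator.
    sms_samples = ["ak49-http://cnc.example.invalid", "wokm-Update now", "lunch?"]
    log_samples = [
        "2013-10-11T09:00:01Z POST http://cnc.example.invalid/phon/youxi.php 200",
        "2013-10-11T09:00:02Z GET http://cnc.example.invalid/index.html 200",
    ]
    for body in sms_samples:
        print(body, "->", classify_sms(body))
    for line in log_samples:
        print(line, "->", flag_cnc_request(line))
```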

In addition, it detects emulators and does not launch if the device phone number starts with "15555" or the IMEI begins with "00000000".
It also contains functions to send SMS history on the phone but they are never called.
Permissions required by the application:
  • INTERNET
  • WRITE_EXTERNAL_STORAGE
  • MOUNT_FORMAT_FILESYSTEMS
  • READ_PHONE_STATE
  • READ_CONTACTS
  • RECEIVE_BOOT_COMPLETED
  • RECEIVE_SMS
  • ACCESS_WIFI_STATE
  • READ_SMS
  • SEND_SMS
  • CALL_PHONE
  • SYSTEM_ALERT_WINDOW
  • MOUNT_UNMOUNT_FILESYSTEMS
  • GET_TASKS

Aimed at Korean users
Certificate information:
  • Owner: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
  • Issuer: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
  • Serial number: b3998086d056cffa
  • Valid from: Wed Apr 16 00:40:50 CEST 2008 until: Sun Sep 02 00:40:50 CEST 2035

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Detection
FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date Version Detail
2022-09-13 90.05954
2022-05-04 90.01992
2022-04-27 90.01782
2022-04-20 90.01572
2021-04-28 85.00791
2021-04-21 85.00614
2021-04-21 85.00613
2021-04-21 85.00611
2021-04-21 85.00610
2021-04-18 85.00556