Analysis: Android SMS Malware (PhotoViewer)

Hi Folks,

As promised in my earlier post, below is the technical writeup on the SMS malware that has been spreading around Singapore recently.

Introduction

Victims receive an SMS as shown in the screenshot below.

[Screenshot: the SMS message received by victims]

It looks authentic because the SMS is personalized (the receiver’s name is mentioned in the body) and the sender is someone from the receiver’s contact list. As it talks about “your photo”, it piques the receiver’s curiosity to click on the link, mainly out of fear that a compromising photo of him/her has been leaked or posted online.

I clicked on the link myself, and it started downloading an APK file (the installer package for the Android system).

Why should you not install the app?

First, let’s take a look at the URL in the message body. It is a shortened URL; when expanded, it resolves to the address shown below:

[Screenshot: the expanded link]

Authentic Android apps are usually downloaded from the official Google Play store. This link in the SMS, however, points to a “6868android” website, which indicates that the app has not been approved by Google. Thus you are installing the app on your device at your own risk.

After downloading the APK, I extracted it and reverse-engineered it to look into what it is doing (that process itself warrants another article, so I will jump straight to the analysis).

Technical Teardown

Let’s take a look at the manifest file (AndroidManifest.xml), which lists the permissions the application requests:

[Screenshots: permissions listed in the manifest, parts 1 and 2]

A total of 63 permissions are requested by the app!! There is no way a photo viewer app needs that many permissions. It is clear that this app is malware that wants to steal as much personal data as possible from the device.
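As an added example, not the author’s code and not taken from the PhotoViewer APK: the permission check above can be automated as a triage script over a decoded AndroidManifest.xml (decoded with e.g. apktool, assumed here). The sample manifest is constructed, and the suspicious-permission list and threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a photo viewer has no business requesting: together they let an
# app read the address book, send SMS and survive reboots (assumed list).
SUSPICIOUS_FOR_PHOTO_VIEWER = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample (not the real PhotoViewer manifest), shaped like a
# decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.mms20">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Photo Viewer">
    <activity android:name="com.android.mms20.MainActivity"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr, "") for el in root.iter("uses-permission")]


def triage(manifest_xml: str, expected_max: int = 10) -> dict:
    """Summarise the permission footprint and flag out-of-role permissions."""
    perms = declared_permissions(manifest_xml)
    return {
        "count": len(perms),
        "excessive": len(perms) > expected_max,
        "flagged": sorted(set(perms) & SUSPICIOUS_FOR_PHOTO_VIEWER),
        # Contacts + SMS together is the profile of an SMS-spreading app.
        "sms_spreader_profile": {"android.permission.READ_CONTACTS",
                                 "android.permission.SEND_SMS"} <= set(perms),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```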

What does the app do?

Upon installation the app is displayed as “Photo Viewer” in the apps list. When started, it shows multiple advertisements and even a popup asking the user to accept even more advertisements.

[Screenshot: the PhotoViewer interface]

Even when the app is killed, it restarts itself and starts showing more advertisements. Subsequently, the app disappears from the apps list, so the only way to completely disable or kill off the app is to uninstall it through the Android system’s settings. And guess what, it does nothing else!! It is therefore a PhotoViewer that cannot view photos.

[Screenshots: the PhotoViewer icon in the apps list, then missing from it]

All of this is happening in the foreground. Now let’s take a look at what the app does in the background by analyzing its network traffic (how this is done will be discussed in another article). The app posts data out (most probably personal data) and at the same time receives data (advertisement content). The URLs the data is posted to and received from are listed below.

Data posted to:

h—p://alog.umeng.com

h—p://eiget.7176.com:6011

h—p://api.tapfortap.com:80

Data received from:


As our concern here is the loss of personal data, let’s focus on the URLs the data is posted to.

There are 3 URLs. The first one, “h—p://alog.umeng.com”, is of concern as it is the only URL to which encrypted data is posted (see screenshot below). The remaining URLs receive generic or configuration data.

[Screenshot: the encrypted data posted to alog.umeng.com]

A whois check reveals that this website is most probably based in China.

[Screenshot: whois lookup result]

VirusTotal also has an entry listing this domain as a malicious URL. See:

h–ps://www.virustotal.com/en/domain/www.umeng.com/information/

Thus we can confirm that the app posts encrypted personal data to a malicious URL.

Now let’s look at how it propagates itself to others. For this I have to take a look at the source code.

Source Code Analysis

Let’s dive into the source code:

From the manifest file the main activity can be identified as “com.android.mms20.MainActivity”, so I started my analysis from that file. After poking around many files, I reached Sender.class, which is of interest.

Upon starting, the app checks for network connectivity in the background and uses this Sender.class to get the contact list (including names and numbers), then sends the text message we saw above to all of those contacts at the victim’s expense!!

The screenshots below show the source code in Sender.class, with the functions for getting the contacts’ info and sending SMS to them.

[Screenshots: Sender.class code collecting contacts data, and sending SMS]
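As an added example (not the author’s code and not from the PhotoViewer APK), here is a static check that flags the propagation pattern described above: a decompiled class that both queries the contacts provider and calls the SMS-sending API. The Java fragments it scans are constructed stand-ins for decompiled output, and the file paths and capability names are assumptions.

```python
import re

# Each capability is an API fingerprint a reviewer would look for in
# decompiled Java output. The capability names are assumptions.
CAPABILITY_PATTERNS = {
    "contacts_read": re.compile(r"\bContactsContract\.\w+"),
    "sms_send": re.compile(r"\bsend(?:Multipart)?TextMessage\s*\("),
    "connectivity_check": re.compile(r"\bgetActiveNetworkInfo\s*\("),
}

# Constructed fragments standing in for decompiled classes (not the real app).
SAMPLE_SOURCES = {
    "com/android/mms20/Sender.java": """
        Cursor cur = resolver.query(
            ContactsContract.CommonDataKinds.Phone.CONTENT_URI,
            null, null, null, null);
        SmsManager.getDefault().sendTextMessage(number, null, body, null, null);
    """,
    "com/android/mms20/MainActivity.java": """
        NetworkInfo info = cm.getActiveNetworkInfo();
        Toast.makeText(this, "Loading...", Toast.LENGTH_SHORT).show();
    """,
}


def scan_sources(sources: dict[str, str]) -> dict[str, set[str]]:
    """Map each source file to the set of capability fingerprints it contains."""
    return {
        path: {name for name, pat in CAPABILITY_PATTERNS.items() if pat.search(code)}
        for path, code in sources.items()
    }


def find_sms_spreaders(sources: dict[str, str]) -> list[str]:
    """Files that read contacts AND send SMS: the pattern seen in Sender.class."""
    hits = scan_sources(sources)
    return sorted(p for p, caps in hits.items()
                  if {"contacts_read", "sms_send"} <= caps)


if __name__ == "__main__":
    for path, caps in scan_sources(SAMPLE_SOURCES).items():
        print(path, sorted(caps))
    print("SMS spreaders:", find_sms_spreaders(SAMPLE_SOURCES))
```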

Conclusion

In my analysis I was able to confirm that the app is indeed malicious: it asks for more permissions than required, does not function as a photo viewer but instead displays multiple advertisements, tries to hide itself by removing itself from the apps list, posts encrypted personal data to a malicious URL, and propagates itself by harvesting the victim’s contact list and sending SMSes to those contacts to entice them to download the app. To be safe, kindly refrain from downloading third-party APKs from dubious sites.

*Take note that the telcos have flagged the 6868android site as a potential phishing website, so further downloads of the APK have been blocked.

[Screenshot: Singtel warning that the site is a suspected phishing site]

That’s the end of the technical writeup. Hope you guys like it. Do leave any comments on the article below.

Have a nice day!!

Cheers,

Wilson Lim (@wilsonlim177)
