Study on Android Auto-SMS

This blog is written by Beannie Cai.

 

Not long ago, Symantec Security Response posted a blog titled Animal Rights protesters use mobile means for their message, which related to the Trojan horse Android.Dogowar that targets the Android mobile OS. This Trojan may be developed by animal protection organizations, in order to “punish” the mobile users who are fond of playing dog-fighting games.

Once the phone is compromised, it will lead to some unpleasant results. For example, every time the phone is restarted, Android.Dogowar will send a registration SMS to a certain animal protection organization (US users only), and send SMS to all the people in the user’s contact list, saying “I take pleasure in hurting small animals, just thought you should know that”. 

It results in adversely affecting the compromised user’s reputation as well as monetary loss as it sends out massive amounts of SMS messages without the user being aware of it.

It made me think of earlier PC threats that were invented for the purpose of showing off or playing a hoax on the recipient. Threat composers need to master good technology in order to manipulate DOS memory blocks, or encrypt or decrypt binaries in boot loader. After the Windows operating system become popular, we saw all kinds of easy-to-use development tools appear, which required less technical knowledge to develop programs. As a result, the amount of malicious programs and threats (worms, Trojans, viruses) increased quickly. In 2007, Google launched the open source mobile platform Android. While people appreciated its openness and advancement, security issues started to draw people’s attention.

One of the most common behaviors of mobile threats is to make money by sending SMS messages. Normally, the sending process is done silently, so that users won’t be conscious about it. However, some threats may ask for user permission before sending out the SMS, just like the legitimate applications. This “obfuscation trick” helps the threats pretend to be a “good” application.

This blog will illustrate a few typical Android mobile threats and legitimate mobile applications to compare their behavior when it comes to sending SMS messages.
 

Android.FakePlayer

Android.FakePlayer appeared in August 2010 and in retrospect this may be the first Android threat. This threat targeted Russian mobile users. The reason why it’s named FakePlayer is because it adopted the icon of Windows Media Player.

      

When the threat is executed, a Russian alert quickly flashed and quit. In the meantime, the threat started silently sending SMS messages of fixed content to pre-set commercial numbers that costs users money. However, Android.FakePlayer only sends SMS messages when it executes for the first time. It won’t send any SMS messages again even users restart their phones.

Base on our analysis, we found that Android.FakePlayer took advantage of the Android’s SQLite database function to store the “sent” status. If it’s executing for the first time, the threat will use SQL to build a table, insert data, and record execution status. The following is a screenshot of the database file:

         

The database content is as follows:

           

When Android.FakePlayer is executed again, it will first query the database to see if the status is “sent”. If so, the threat will quit immediately.

Apart from using a database, some mobile threats use Android’s SharedPreferences functionality to store status, such as Android.Smstibook.
 

Android.Smstibook

In May 2011, Google removed a few Android games and small applications from its official sites, including iCalendar, iMatch, ShakeBanger, and ShakeBreak. These applications are actually threats called Android.Smstibook, which is designed to send SMS messages.

In contrast to a typical Android threat, which is simply a repackaged normal application that has malicious code inserted into them, aka Trojanization, Android.Smstibook was developed specifically to masquerade as a legitimate app (a Trojan horse in the classic sense) and published through the Google Market.
 

                  

 

                    

Once executed, Android.Smstibook will send SMS messages to commercial numbers, and record the status through SharedPreferences to avoid sending messages a second time. The image below shows the related SharedPreferences file in XML format:

                      

Furthermore, Android.Smstibook makes use of Android’s Receiver mechanism to filter mobile service provider’s SMS messages. This is to prevent users from receiving an SMS message informing them that they have been charged a fee for using a commercial SMS messages.

Of course, normal mobile applications also use SQLite and SharedPreferences to record status, such as Jimm_setup.

Jimm_setup

Jimm is an ICQ chat client for mobile devices. It’s very popular in Russia. Jimm_setup is the installation file.

                          

However, a report claimed that Jimm_setup was suspicious for cheating users, because it cost users 200 rubles (about US$13) to install it. After testing the program, we found that during the installation process, Jimm_setup actually clearly stated that it will send two paid SMS messages, each costing 400 rubles (about US$6.50) each. 

    

The installation interface of Jimm_setup

The text translates as “After you click ‘install’ to begin the installation procedure, during which two SMS will be sent to a toll number.”.

Jimm_setup uses SharedPreferences to record if the paid SMS message has been sent to ensure that such SMS messages won’t be sent twice.

However, it’s hard for Jimm’s old users to accept the fact that they need to pay for the previously free application.

Recently, we searched for Android applications that auto-send SMS messages in order to find malware, and interestingly not all of them are malware. Here are some examples of the way applications are harnessing SMS messages and auto-sending SMS messages for 'legitimate' purposes.

Oops! I’m in my bikini. Look

This is freeware on Google Market to edit and share photos in social network sites.

When first executed, users need to register their personal information. Otherwise, they can’t enter the main menu. 

While entering the main menu, the application will send SMS messages that are advertisements to the phone itself. If users press the Back button or re-execute the program, same SMS messages will be sent again. This will cause repetitious SMS messages, which will inconvenience users.

However, besides troubles, there is also convenience. For example, when you travel in Zagreb by tram but forget to buy ticket, ZET Panic might be something you need.

ZET Panic

ZET is the abbreviation of Zagreb Tram System. ZET Panic is a customized ticketing application. Once executed, it will send “Zg” to 8585, and then the tourist will receive an SMS reply, which is actually an e-ticket. But in order to enjoy the service, the tourist must be in Croatia.

                  

 

During our test, we found ZET Panic would alert users that it’s going to send out SMSmessages. If users don’t reply within 4.1 seconds, the SMSmessagesaresent automatically. This step might be improved by adding a “send” button so that users could control whether to send the SMS or not.

    

The text translates as “This Application makes use of Mprijevoz Ticket service: 10kn + SMS. The ticket is valid 90 minutes in all directions.” and “Cancel”.

The text translates as “Request sent” and “OK”.

 

Android.Nickispy —a backdoor mobile threat that appeared recently—will send the IMEI of the compromised device to a specific mobile number every time the phone is restarted.

In general, the openness of Android platform brings us both advantages and disadvantages. While we enjoy the convenience, we need to be aware of the mobile security issues. Apart from installing trustworthy mobile security software on the phone and downloading applications from official channels, users also need to be extra vigilant to avoid unnecessary problems or even monetary loss. Once you find any applications suspicious, please uninstall it immediately. Meanwhile, Symantec and Android service providers monitor the Android threats closely and take action fast when threats are detected.