Are You Ready For Some Football?

Contributor: Masaki Suenaga

We certainly are! It is American football season and the Super Bowl is right around the corner. Apparently, so are the malware authors. It would not be the first time they took advantage of this sporting event. Back in 2007, the Dolphins (hosts for Super Bowl XLI) had their website compromised by links to malicious JavaScript. Several visitors looking up Super Bowl information on this site were hit with an exploit pack designed to attack their Web browsers and install hidden malware. Taking a page out of their playbook, Android malware authors this season bring us a fake version of the popular gaming franchise, Madden NFL 12. Being over 5 MB in size, it certainly looks like a game worth trying! Once installed, it will even display the following icon:

After the user launches the app, there is, unfortunately, no actual football or gameplay. However, this Trojan will contact premium rate numbers and even attempt to connect to an IRC server. After decompiling the APK, the following startup code can be found:

As can be seen from the code listing above, after extraction the malware changes the permissions of the picture file 'header01.png' to read, write, and execute. Upon closer inspection, this picture file is in reality an ELF binary that can be run on an Android device. Once disassembled, this binary reveals functionality able to root the phone. Incidentally, this exploit works on an older version of Android: Android 2.3 (Gingerbread).

Once the user runs the app, it has full control of the device and proceeds to run 'footer01.png'. As before, looks can be deceiving: this image file is not an image file, but another ELF binary. This binary, however, does not attempt to root the phone. It instead acts as an IRC bot and attempts to join the #andros channel to report back to its master(s). The following screenshot shows some of the strings embedded inside the PNG/ELF file:

As can be seen from the screenshot, the 'footer01.png' file attempts to install another file called 'border01.png'. Unlike the two previous files, this PNG file is actually another APK file and can be executed with the command shown above (the second-to-last line of the screenshot, which contains "AndroidMeActivity").

The 'com.android.me' package contains two distinct actions: one to send text, and one to receive text. The 'AndroidMeActivity' class is used to send text to premium rate numbers. It does this by using the 'getSimCountryIso()' method to find the country the device is located in. Depending on what it finds, it will set the following information:

COUNTRY [NUMBER, MESSAGE]
Belgium ["3075", "CODE"]
Switzerland ["543", "GEHEN SP 300"]
Luxemburg ["64747", "ACCESS SP"]
Canada ["60999", "SP"]
Germany ["63000", "SP 462"]
Spain ["35024", "GOLD"]
Great Britain ["60999", "SP2"]
Morocco ["2052", "CODE"]
Sierra Leone ["7604", "PASS"]
Romania ["1339", "PASS"]
Norway ["2227", "PASS"]
Sweden ["72225", "PASS"]
United States ["23333", "PASS"]

It will then send a text to the premium rate number shown above corresponding to the country where the device is located. The 'SMSReceiver' class is then used to handle incoming text messages:

It checks incoming text messages to see whether they came from one of the premium rate numbers previously set in 'AndroidMeActivity'. If so, it uses the 'abortBroadcast()' method to block the incoming text message so it is not seen by the user. Instead, the Trojan forwards the message to hxxp://46.*.*.*/?=[PREMIUM RATE NUMBER]///[PREMIUM RATE NUMBER MESSAGE BODY] through a GET request.

The malicious code certainly did not take up over 5 MB of space. So where did the rest go? Checking the other assets in the original APK file, it turns out that there are 5 copies of the following picture file, each under a different name and each slightly above 1 MB in size:
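Two of the tricks described above, image-named assets that are really ELF or APK files and a handful of identical "images" used as padding, can both be caught by looking at the bytes rather than the file names. The following is an added example written for this post, not Symantec's or the malware's code: it opens an APK (a ZIP archive), compares each asset's extension with its magic bytes, and groups byte-identical assets. The sample APK it builds is constructed in memory to mirror the layout described here; the file names are taken from the post, the contents are placeholders.

```python
import hashlib
import io
import zipfile

# File signatures for the three formats that appear in the write-up.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"          # an APK is a ZIP archive
IMAGE_EXTS = ("png", "jpg", "jpeg", "gif")

def classify(data):
    """Return the real container type of a blob from its leading bytes."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(ZIP_MAGIC):
        return "zip/apk"
    return "unknown"

def audit_apk(apk_bytes):
    """Return (mismatches, duplicates): assets whose image extension hides an
    ELF/APK payload, and groups of assets that are byte-for-byte identical."""
    mismatches, digests = [], {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/"):
                continue
            data = apk.read(name)
            kind = classify(data)
            ext = name.rsplit(".", 1)[-1].lower()
            if ext in IMAGE_EXTS and kind in ("elf", "zip/apk"):
                mismatches.append((name, kind))
            digests.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    duplicates = [names for names in digests.values() if len(names) > 1]
    return mismatches, duplicates

def build_sample_apk():
    """Constructed sample APK (not the real one) with the layout the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/header01.png", ELF_MAGIC + b"\x01" * 64)  # ELF posing as PNG
        z.writestr("assets/footer01.png", ELF_MAGIC + b"\x02" * 64)  # second ELF
        z.writestr("assets/border01.png", ZIP_MAGIC + b"\x00" * 64)  # APK posing as PNG
        filler = PNG_MAGIC + b"\x00" * 1024                          # benign padding image
        for i in range(5):                                           # five identical copies
            z.writestr(f"assets/bg0{i}.png", filler)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_apk(build_sample_apk()))
```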

This Trojan is not the app you want if you plan to play Madden NFL 12 before the Super Bowl. To avoid becoming a victim of such malicious Android applications, you should only download and install from regulated Android marketplaces. By default, Android devices do not allow installation of applications from unknown sources (i.e. non-Market), and Symantec protects you by detecting this Trojan as Android.FoncySMS.