Tibetan Activists Targeted with More Android Malware

Following the recent discovery of Android/Chuli.A, yet another Android malware has now been found using the same method as Chuli.A: via forged email messages with the Android malware (APK file) as an attachment. However, instead of creating a standalone malicious application that shows a fake invitation about an upcoming congress, this time the attackers compromised Version 3.5.5 of the popular instant-messaging application KakaoTalk by injecting additional code to steal sensitive information from the infected device.

One of the visible modifications made to the original KakaoTalk application is the addition of several suspicious permissions required to execute the injected malicious code. However, some of these permissions overlap with those already present in KakaoTalk 3.5.5, which itself requires various permissions, as you might expect from an instant-messaging application. KakaoTalk requires permissions for communication via several protocols (SMS, WiFi, Bluetooth, Internet), access to sensitive information (accounts, contacts, audio, location), and access to specific hardware (camera, microphone) to obtain new data, not present on the device, to be shared with other users.

The following permissions are added to the Trojanized version of the app:

  • android.permission.READ_SMS
  • android.permission.WRITE_SETTINGS
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.MOUNT_UNMOUNT_FILESYSTEMS
  • android.permission.PROCESS_OUTGOING_CALLS
  • android.permission.DEVICE_POWER
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.BLUETOOTH_ADMIN
  • android.permission.USES_POLICY_FORCE_LOCK
  • android.permission.CHANGE_CONFIGURATION
  • adnroid.permission.ACCESS_CHECKIN_PROPERTTES (misspelled)
  • adnroid.permission.CHANGE_WIFI_STATE (misspelled)
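One way an analyst can triage a repackaged APK is to diff the decoded manifest's permission set against the legitimate build and flag permission names that live in no trusted namespace (which catches the misspelled "adnroid." entries above). This is an added example, not code from the article; the baseline permission names and the package name are assumptions, since the article describes the legitimate app's permissions only by category.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
APP_PACKAGE = "com.kakao.talk"  # assumed package name for the legitimate app

# Constructed stand-in for the legitimate build's permissions (exact names assumed).
BASELINE = {
    "android.permission.INTERNET", "android.permission.ACCESS_WIFI_STATE",
    "android.permission.BLUETOOTH", "android.permission.SEND_SMS",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

# The twelve permissions the article reports in the Trojanized build, misspellings included.
TROJAN_EXTRA = {
    "android.permission.READ_SMS", "android.permission.WRITE_SETTINGS",
    "android.permission.WRITE_APN_SETTINGS", "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.DEVICE_POWER",
    "android.permission.MODIFY_PHONE_STATE", "android.permission.BLUETOOTH_ADMIN",
    "android.permission.USES_POLICY_FORCE_LOCK", "android.permission.CHANGE_CONFIGURATION",
    "adnroid.permission.ACCESS_CHECKIN_PROPERTTES", "adnroid.permission.CHANGE_WIFI_STATE",
}

def manifest_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {n.get(f"{{{ANDROID_NS}}}name") for n in root.iter("uses-permission")} - {None}

def triage(manifest_xml, baseline, package):
    """Report permissions absent from the baseline and names outside any trusted namespace."""
    declared = manifest_permissions(manifest_xml)
    trusted = ("android.permission.", "com.android.", package + ".permission.")
    return {
        "added": sorted(declared - baseline),
        "unknown_namespace": sorted(p for p in declared if not p.startswith(trusted)),
    }

def build_manifest(package, perms):
    """Construct a minimal decoded manifest declaring the given permissions (sample input only)."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in sorted(perms))
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">{body}'
            "<application/></manifest>")

if __name__ == "__main__":
    report = triage(build_manifest(APP_PACKAGE, BASELINE | TROJAN_EXTRA), BASELINE, APP_PACKAGE)
    print(len(report["added"]), "added;", "suspicious namespace:", report["unknown_namespace"])
```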

As you can see in the following image, these new permissions are not very visible to the user, as they would be in a standalone version:

[Image: the app's permission list as shown to the user, with the added permissions highlighted]

Even less visible are the four services added to the Manifest file, which will run in the background:

[Image: the four services added to the Manifest file]

Only three services work. SmsService is not implemented in the code (it is only mentioned in the Manifest), suggesting that this is a version of the malware that is still under development.

The AlarmService starts when the device is rebooted or turned on; its only purpose is to set up a system alarm that schedules the execution of InfoService, which collects the following information:

  • Device information: brand, manufacturer, SDK version, IMEI (International Mobile Station Equipment Identity), IMSI (International Mobile Subscriber Identity), SIM (Subscriber Identity Module) serial number, and phone number
  • Call log: number, name from the address book, type, date, duration of the call
  • Phone contacts: name, phone number, email address, plus details like IM (instant messaging), organizations (company and title), notes, nicknames, and address (street, P.O. Box, neighborhood, city, region, and country)
  • SMS messages: address, person, body, date, and type
  • Installed applications: package name, date of the first install, and date of the last update
  • Location: Unlike traditional mobile malware that usually obtains GPS information (latitude and longitude) as data related to the location of the device, this threat goes beyond that and collects more specific and detailed information about the location of the infected device by getting the following cell identifiers, depending which mobile network the device is connected to: CDMA (base station, network, and system) and GSM (cell ID and the location area code).

This information could be used to establish the location of the infected device in a more accurate way than using only GPS coordinates, but to achieve that the malware would also need access to specific technical information about the cellular network architecture such as the physical location of a specific cellular base station that belongs to a certain network operator.

All the collected data is encoded with an XOR logical operation using the sentence “marriage and parenting are serious commitments dont be in a hurry.” After that, the information is stored in the file info.txt, which is later uploaded to an FTP server by the InterService, which runs every time there is a connectivity change. After checking that the device is connected to a network (WiFi or mobile), the service opens the configuration file proper.ini, which contains an encrypted URL. The malware parses the HTML code at that URL to obtain the address and login credentials of the FTP server and uploads the stolen data there.
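For forensic review of a recovered info.txt, the repeating-key XOR described above is its own inverse, so the same routine that the malware uses to obscure the data recovers it. This is an added example, not the malware's or the article's code; it assumes the data is XORed first and then Base64-encoded, that the trailing period is part of the key, that records are UTF-8 text, and the record layout is constructed for illustration.

```python
import base64

# Key sentence reported in the article; treating the trailing period as part of the key is an assumption.
XOR_KEY = b"marriage and parenting are serious commitments dont be in a hurry."

# Constructed sample record with placeholder values (the real record layout is not documented).
SAMPLE_RECORD = "brand=acme\nmanufacturer=acme\nsdk=10\nimei=000000000000000\nphone=+10000000000\n"

def xor_with_key(data, key=XOR_KEY):
    """Repeating-key XOR; applying it twice returns the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_record(plaintext):
    """Reproduce the assumed pipeline for test input: XOR, then Base64."""
    return base64.b64encode(xor_with_key(plaintext.encode("utf-8"))).decode("ascii")

def decode_info_txt(blob):
    """Recover plaintext from a captured info.txt: Base64-decode, then XOR with the key."""
    raw = base64.b64decode(blob.strip(), validate=True)
    return xor_with_key(raw).decode("utf-8")

def looks_like_kaospy_record(blob, threshold=0.95):
    """Triage heuristic: decoding with the known key should yield mostly printable text."""
    try:
        text = decode_info_txt(blob)
    except (ValueError, UnicodeDecodeError):  # bad Base64 or bytes that are not UTF-8
        return False
    if not text:
        return False
    printable = sum(1 for c in text if c.isprintable() or c in "\r\n\t")
    return printable / len(text) >= threshold

if __name__ == "__main__":
    blob = encode_record(SAMPLE_RECORD)
    print("decodes:", looks_like_kaospy_record(blob))
    print(decode_info_txt(blob))
```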

The malware also constantly monitors incoming SMS messages, inspecting them for any starting with a specific number, which will trigger the collection of specific mobile network data (cell ID, area code, network code, and country code) to reply via SMS with the information.

Although there is no technical evidence that this malware has the same origin as Android/Chuli.A, they share four characteristics:

  • The attacks target Tibetan activists using forged emails with Android applications (APK files) as attachments
  • The purpose of both attacks is the same: To steal sensitive and personal information like phone contacts, call records, SMS messages, and location. However, this threat obtains more detailed and specific data from the contacts and the location of the infected device.
  • The use of free Java libraries licensed under LGPL developed by Sauron Software but with different purposes: ftp4j (to manage the FTP communication) and Base64 (to encode the stolen data)
  • The design and structure of the malicious code, the names of services like AlarmService, and the presence of log messages in Chinese

When Android malware was found at the end of July 2012 on control servers used in the “LuckyCat” campaign targeting India and Japan, it was clear that the attackers were planning to add mobile malware as part of the targeted attacks, though at that time we did not know how the malware would be delivered to its victims. Now, with Android/Chuli.A and this new threat, we can see that the initial infection vector is the use of forged emails with APK file attachments together with some social engineering to trick victims into installing the malicious application. Such techniques are often required due to the lack of exploits for Android. Malware that could perform a genuine drive-by-download attack may be the next step in the evolution of targeted attacks on mobile devices.

McAfee Mobile Security detects this threat as Android/KaoSpy.A and alerts mobile users if it is present on their devices, while protecting them from any data loss. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com.