Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Android malware enters 2011 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Android malware enters 2011

One thing a lot of security researchers have been predicting for years is rise in mobile malware. However, due to mobile phones with low power, a lot of operating systems, closed environments and many other reasons we haven’t seen any significant mobile malware until this year.

And just in time for 2011 a new trojan for Android has been found by a company called Lookout. While Android trojans have been very popular, this one was pretty advanced and that is why it caught everyone’s attention.

The most important characteristic of this trojan is that it has botnet capabilities. This means that the trojan connects to a C&C server in order to retrieve commands and enables an attacker in effectively controlling the infected phone.

So how does the trojan gets installed in the first place? The attackers managed to infect some Android games which are hosted on various sites (as far as I know, not the Android market – however, as I don’t have an Android phone I’m not too familiar with the process of installing Android applications). The user simply goes to install such a game and gets infected. However, keep in mind that the installer will warn the user that the application wants to access sensitive parts of the phone as well as capabilities to send SMS messages, make phone calls etc. That being said, we know that most users will just click on yes (remember UAC on Vista?) – and I’m afraid that statistics for users blindly clicking on yes is even worse on mobile phones since there are many more users and security awareness is much, much lower.

Another question that comes to mind is how these applications got infected in the first place? This is an interesting question that I don’t have answer too, however, it is quite possible that the attackers compromised original web sites/computers of game developers and inserted their trojan. This can even be done with a full package since one can easily modify the .apk packages that are used to install applications. One thing we can expect for 2011 is that more such incidents will take place.

Back to the trojan. The attackers obfuscated the code quite a bit but, of course, it can always be analyzed. What’s interesting is that they hard coded a lot of information (C&C servers, commands that can be issued by the C&C server etc) and encrypted that information with the DES algorithm. Of course, the encryption was there just to prevent simple analysis of the code since C&C servers will not be visible as plain text any more. With a bit of analysis I found the DES key and wrote a simple program that decrypted all hard coded data. The configuration and the DES key can be changed by a C&C server in which case the trojan will store the new key by using Android’s PreferenceManager.

By doing this I uncovered the full list of C&C servers which you can see below. The trojan talks to port 8080 on every server:

www.widifu.com
www.udaore.com
www.frijd.com
www.islpast.com
www.piajesj.com
www.qoewsl.com
www.weolir.com
www.uisoa.com
www.riusdu.com
www.aiucr.com
117.135.134.185

The trojan has various capabilities (still have to analyze some of them), but one thing is clear: it steals a lot of information and sends it to the attacker. The stolen information gets POSTed to a C&C server and below you can see all parameters that get populated by the trojan:

 

&IMEI=
&IMSI=
&AdID=
&CPID=
&PTID=
&SALESID=
&msgType=
&latitude=
&longitude=
&MODEL=%s&BOARD=%s&BRAND=%s&CPU_ABI=%s&DEVICE=%s&DISPLAY=%s&FINGERPRINT=%s&HOST=%s
&ID=%s&MANUFACTURER=%s&PRODUCT=%s&TAGS=%s&TIME=%s&TYPE=%s&USER=%s&SoftwareVersion=%s
&Line1Number=%s&NetworkCountryIso=%s&NetworkOperator=%s&NetworkOperatorName=%s&NetworkType=%s
&PhoneType=%s&SimCountryIso=%s&SimOperator=%s&SimOperatorName=%s&SimSerialNumber=%s
&SimState=%s&SubscriberId=%s&VoiceMailNumber=%s&CPID=%s&PTID=%s&SALESID=%s&DID=%s
&sdkver=%s&autosdkver=%s&shell=%s

So, to wrap up the year with probably the last diary (unless Chris comes up with something else), it looks as 2011 will be as interesting as 2010 for us security people. We can definitely expect more mobile malware and while, in this case, the user gets informed that the application will perform suspicious activities we know that the human is (almost) always the weakest link. So, while working on the technical protections do not forget those security awareness sessions that can really save the day.

--
Bojan
INFIGO IS

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Amsterdam May 2020

Bojan

390 Posts
ISC Handler
Yes, applications can be installed from the Android Market or by installing an application from another source. I do not know if Google scans all applications before putting them on the Android Market. For other sources, an application developer can host a .apk file on their website for Android users to download and install. This happened when someone wanted to distribute parts of a pre-release Android OS. Also, Android phones connected to comptuers for charging can show up as USB Mass Storage Devices and an application could theoretically be transferred and later installed.

Installing of non-market applications is disabled by default, but it is easy to turn that protection off.
Kevin

5 Posts
The UAC-like prompt when installing an app is useless for protecting against a trojan. One of the items it will ask about is network access. It's pretty much the only permission a simple trojan will require but nearly every application needs it, if only for downloading advertisements.
Kevin
11 Posts
Most people would only ever think to search the market for apps - I am guessing that people would get the things from infected websites or spam mail. I don't know what happens if you get an apk attachment by email - something I could trivially test when I am back at my pc.

There is an AV app in the market. I have no idea what it looks for or whether it would detect an infected app. Something that would be easy to test using the software emulator.
Eric

43 Posts
People can bash Apple all they like, however is there is something to be said about their stringent requirements before posting to their store. People enforce security with in their organization and homes, yet not on the apps they buy...
Etay

4 Posts
I thought we had moved beyond security through obscurity by trusting "closed systems". iPad, Kindle, Nook, mobile phones, etc.
It's sad it takes a malicious bot-herder to convince people whole believe in marketing hype these devices have to be secured.
Etay
5 Posts
I've just published a way to check remotely infected phones.

http://www.alienvault.com/blog/jaime/Malware/Inside_Geinimi_Android_Trojan_Chapter_Two_How_to_check_remotely_the_presence_of_the_trojan.html
Etay
1 Posts

Sign Up for Free or Log In to start participating in the conversation!