How Mobile Operators Lost Thousands Of Dollars Because Of An SMS Malware

Josue Martins, published in InfoSec Write-ups, Apr 18, 2022

SMS Malware Analysis — Write Up By Josue Martins

This write-up is about an Android malware that affected multiple mobile operators and subscribers. It is commonly found on pirate sites where subscribers download songs, games, and other content.

I presented my findings on this SMS malware at the GSMA Fraud and Security Group meeting in Paris in 2019. This malware affected operators in Africa, Europe, and the Middle East, and the victims of this malware were often left with huge bills on their telephone numbers.

Let's break down this malicious piece of code.

MALWARE FILE INFORMATION

File name: smartworld_-_WIN_-_5001283180632240_-_.apk

Size: 1.76 MB

MD5: 7b63adc6100ee6c7b703ba637882dd17

SHA1: 054e5d6569cfdc631bb1c722cc91b2dd6ae8e32c

SHA256: 5db5b4a563106e9a1b7c502e271f40224bb40cdbe678553dd90fc0335204af7e

App name:

Package name: contradecirte.preciosas.escasez

STATIC ANALYSIS OF THE MALWARE

When analysing mobile malware for the Android OS, it is always good to look at the manifest file first, because it helps to identify the most important activities of the malware.

ANDROID MANIFEST FILE ANALYSIS

[Image: Android manifest file]

The malware requests the following permissions:

<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>

— Allows an application to view information about the status of Wi-Fi.

One can assume that this malware wants to use the internet to connect to a server and receive commands from cybercriminals.

<uses-permission android:name="android.permission.GET_ACCOUNTS"/>

— Allows an application to access the list of accounts known by the phone.

<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>

— Allows an application to view the status of all networks.

<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>

— Allows an application to start itself as soon as the system has finished booting. This can make the phone take longer to start and lets the application slow down the whole phone by always running.

All the permissions below are dangerous permissions and are used very often by malware.

<uses-permission android:name="android.permission.READ_PROFILE"/>

— Allows an application to read the user's personal profile data.

<uses-permission android:name="android.permission.INTERNET"/>

— Allows an application to create network sockets.

<uses-permission android:name="android.permission.READ_PHONE_STATE"/>

— Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of the phone, whether a call is active, the number that the call is connected to, and so on.

<uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>

— Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks.

<uses-permission android:name="android.permission.GET_TASKS"/>

— Allows an application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other applications.

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>

— Allows an application to write to the SD card.

<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>

— Allows an application to read from the SD card.

<uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>

— Allows the application to control the phone features of the device. An application with this permission can switch networks, turn the phone radio on and off, and the like, without ever notifying you.

<uses-permission android:name="android.permission.BLUETOOTH"/>

— Allows an application to view the configuration of the local Bluetooth phone and to make and accept connections with paired devices.

<uses-permission android:name="android.permission.install_packages"/>

— Installs other applications on the device, including applications from unknown sources.

<uses-permission android:name="android.permission.delete_packages"/>

— Deletes installed applications from the device.

<uses-permission android:name="android.permission.LOCAL_MAC_ADDRESS"/>

— Gets the MAC address of the device.

<uses-permission android:name="android.permission.SEND_SMS"/>

— Allows an application to send SMS messages. Malicious applications may cost you money by sending messages without your confirmation.

<uses-permission android:name="android.permission.WRITE_SMS"/>

— Allows an application to write SMS messages stored on your phone or SIM card. Malicious applications may delete your messages.

<uses-permission android:name="android.permission.READ_CONTACTS"/>

— Allows an application to read all of the contact (address) data stored on your phone. Malicious applications can use this to send your data to other people.

<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>

— Allows the attacker's server to send messages to the application using Google Cloud Messaging for Android.

<uses-permission android:name="android.permission.USE_CREDENTIALS"/>

— Allows an application to request authentication tokens.

Just reading the twenty-plus permissions requested by this malware, one can see that it has multiple functionalities.

[Image: Android manifest file]

The manifest file shows that the application will ask to be made the administrator of the smartphone, and that the activity is named "fraude"; fraude means fraud in Portuguese and Spanish. In my view, the malware writer is a Spanish individual or group.

[Image: Android manifest]

This code in the manifest file, <intent-filter android:priority="999">, is used to make the service run with high priority in the background once installed, and again when the smartphone reboots.
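The manifest findings above (premium-SMS permissions, boot persistence, package install/delete, the device-admin request and the priority-999 filter) can be checked mechanically. The following Python script is an added example, not the author's tooling and not part of the original write-up: it parses a manifest and reports those indicators, plus the absence of a launcher entry, which is how an app ends up without an icon as the dynamic analysis later describes. The sample manifest is constructed for the example; only the package name comes from the write-up, while the component names, the priority threshold and the sample's other contents are assumptions.

```python
"""Triage an AndroidManifest.xml for SMS-fraud indicators (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    # Namespaced key for an android:<name> attribute.
    return "{%s}%s" % (ANDROID_NS, name)


# Permission groups are compared case-insensitively: the write-up lists
# "android.permission.install_packages" in lower case, and a strict match
# would silently miss it.
SMS_PERMS = {"ANDROID.PERMISSION.SEND_SMS", "ANDROID.PERMISSION.WRITE_SMS",
             "ANDROID.PERMISSION.READ_SMS", "ANDROID.PERMISSION.RECEIVE_SMS"}
BOOT_PERMS = {"ANDROID.PERMISSION.RECEIVE_BOOT_COMPLETED"}
INSTALL_PERMS = {"ANDROID.PERMISSION.INSTALL_PACKAGES",
                 "ANDROID.PERMISSION.DELETE_PACKAGES"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"
PRIORITY_THRESHOLD = 100  # assumption: flag any explicit priority at or above this


def _names(elem, tag):
    # android:name values of every <tag> element below elem.
    return [e.get(attr("name"), "") for e in elem.iter(tag)]


def triage_manifest(xml_text):
    """Return a dict of indicators and a simple count-based score."""
    root = ET.fromstring(xml_text)
    perms = set(_names(root, "uses-permission"))

    def matching(group):
        return sorted(p for p in perms if p.upper() in group)

    # Device admin: a receiver protected by BIND_DEVICE_ADMIN, or any
    # component listening for DEVICE_ADMIN_ENABLED.
    device_admin = any(
        r.get(attr("permission")) == DEVICE_ADMIN_PERM for r in root.iter("receiver")
    ) or DEVICE_ADMIN_ACTION in _names(root, "action")

    # android:priority orders the receivers of a broadcast (BOOT_COMPLETED here);
    # an explicit high value is a common persistence tell.
    high_priority = []
    for f in root.iter("intent-filter"):
        try:
            prio = int(f.get(attr("priority"), "0"))
        except ValueError:
            continue
        if prio >= PRIORITY_THRESHOLD:
            high_priority.append(prio)

    # An app only gets a home-screen icon from an activity (or alias) whose
    # intent-filter carries the LAUNCHER category.
    has_launcher = any(
        LAUNCHER_CATEGORY in _names(f, "category")
        for tag in ("activity", "activity-alias")
        for act in root.iter(tag)
        for f in act.iter("intent-filter")
    )

    findings = {
        "sms_permissions": matching(SMS_PERMS),
        "boot_persistence": bool(matching(BOOT_PERMS)),
        "install_permissions": matching(INSTALL_PERMS),
        "device_admin": device_admin,
        "high_priority_filters": high_priority,
        "hidden_from_launcher": not has_launcher,
    }
    findings["score"] = sum(bool(v) for v in findings.values())
    findings["package"] = root.get("package", "")
    return findings


# Constructed sample modelled on the write-up: the package name is the one
# reported there; component names and everything else are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="contradecirte.preciosas.escasez">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.install_packages"/>
  <application android:label="smartworld">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter android:priority="999">
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-22s %s" % (key, value))
```

The script is a triage aid, not a verdict: a legitimate messaging app will also hold SEND_SMS, and a device-management app a BIND_DEVICE_ADMIN receiver. What makes this sample score across the board is the combination with no launcher entry and an explicitly prioritised boot receiver, which is the shape the rest of the write-up describes.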

JAVA FILE ANALYSIS

The Java source code shows the following instructions coded into the malware.

Extract sensitive information such as:

  • Smartphone operator
  • The country where the smartphone is located
  • The version of the Android Operating system running on the device
  • Date the malware was installed.

Additional functionalities coded into the malware:

  • Requests admin access.
  • Presents the user with entertainment content such as mobile games and adult content.
[Image: entertainment content such as mobile games and adult content]
  • Contacts the command and control centre to receive the number to send the SMS to.
[Image: request for information from the malware creator]
[Image: collecting smartphone and user information]
  • Requests the date on which to repeat sending the SMS, whether there was an error or not.
[Image: the repeat date for sending the SMS]
  • Also allows the installation of additional mobile applications.
[Image: installation of the APK file]
[Image: location of the APK file]

DYNAMIC ANALYSIS OF THE MALWARE

Dynamic analysis requires infecting a test device with the malware and watching its behaviour.

The malware was installed on test smartphones and, once installed, displayed the following behaviour:

  • Hides by not using an icon; if you are not careful you will miss the malware in the main menu.
[Image: the app shows without an icon]
  • Presents the user with entertainment content such as mobile games and adult content. To view adult content one has to give the app administrative permissions, and that is when the malware takes control of the device.
[Image: terms and conditions]
[Image: the main menu]
  • The malware requests administrative rights on the smartphone.
[Image: requesting administrator permission or access to the device]
[Image: source code behind the screenshot]
  • Collects the sensitive information highlighted in the static analysis.
[Image: information collection]
  • It communicates with a command and control centre via the domain "App.in-spicy.com" and reports that the malware has been installed successfully. It also asks the command and control centre to send the number that will receive the SMS, as the source code in the static analysis shows.
[Image: contents of the SMS]

The SMS was sent to the number "0079585388749", which is normally a premium number (a number with a high tariff).
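The two indicators the dynamic analysis produced, the command and control domain and the premium destination number, are enough for an operator to build a first detection. The following Python script is an added example, not the author's tooling and not part of the original write-up: it correlates DNS resolver records with mobile-originated SMS records, grades each subscriber by how much of the pattern (C2 lookup followed by premium SMS) it shows, and tolerates the usual DNS variations (mixed case, trailing dot, NXDOMAIN). The record formats, the subscriber identifiers and the burst threshold are assumptions; the sample records are constructed.

```python
"""Correlate DNS and MO-SMS records against the write-up's indicators (added example)."""
import re
from collections import defaultdict

C2_DOMAINS = {"app.in-spicy.com"}      # command and control domain from the write-up
PREMIUM_NUMBERS = {"0079585388749"}    # premium destination number from the write-up
SMS_BURST_THRESHOLD = 3                # assumption: this many premium SMS alone is suspect

# Constructed record formats (assumptions): one resolver line and one SMS CDR line.
DNS_RE = re.compile(r"^(?P<ts>\S+) dns sub=(?P<sub>\d+) qname=(?P<qname>\S+)")
SMS_RE = re.compile(r"^(?P<ts>\S+) sms mo=(?P<sub>\d+) dest=(?P<dest>\+?\d+)")


def normalise_domain(qname):
    # Lower-case and strip the trailing dot so "App.in-spicy.com." still matches.
    return qname.rstrip(".").lower()


def correlate(lines):
    """Return {subscriber: {"level", "c2_lookups", "premium_sms"}} for matching subscribers."""
    c2_lookups = defaultdict(int)
    premium_sms = defaultdict(int)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            # A lookup counts even when it fails (NXDOMAIN): the intent is the signal.
            if normalise_domain(m["qname"]) in C2_DOMAINS:
                c2_lookups[m["sub"]] += 1
            continue
        m = SMS_RE.match(line)
        if m and m["dest"].lstrip("+") in PREMIUM_NUMBERS:
            premium_sms[m["sub"]] += 1

    alerts = {}
    for sub in set(c2_lookups) | set(premium_sms):
        d, s = c2_lookups.get(sub, 0), premium_sms.get(sub, 0)
        if d and s:
            level = "confirmed"   # C2 contact plus premium SMS: the full pattern
        elif d or s >= SMS_BURST_THRESHOLD:
            level = "suspect"     # one half of the pattern, or an SMS burst
        else:
            level = "watch"       # a single premium SMS may still be legitimate
        alerts[sub] = {"level": level, "c2_lookups": d, "premium_sms": s}
    return alerts


# Constructed sample records; subscriber ids are placeholders, not real MSISDNs.
SAMPLE_LOGS = """\
2019-03-02T10:15:01Z dns sub=000000000001 qname=app.in-spicy.com rcode=NOERROR
2019-03-02T10:15:09Z sms mo=000000000001 dest=0079585388749 status=delivered
2019-03-02T10:15:40Z sms mo=000000000001 dest=0079585388749 status=delivered
2019-03-02T10:16:02Z dns sub=000000000002 qname=example.org rcode=NOERROR
2019-03-02T10:16:30Z sms mo=000000000002 dest=000000000009 status=delivered
2019-03-02T10:17:11Z sms mo=000000000003 dest=0079585388749 status=delivered
2019-03-02T10:18:12Z sms mo=000000000003 dest=0079585388749 status=delivered
2019-03-02T10:19:13Z sms mo=000000000003 dest=0079585388749 status=delivered
2019-03-02T10:20:00Z dns sub=000000000004 qname=App.in-spicy.com. rcode=NXDOMAIN
2019-03-02T10:21:00Z sms mo=000000000005 dest=+0079585388749 status=delivered
"""

if __name__ == "__main__":
    for sub, info in sorted(correlate(SAMPLE_LOGS.splitlines()).items()):
        print(sub, info)
```

The DNS half of the rule is also the cheapest control: once the domain is sinkholed on the operator's resolvers, any further lookup of it is a free indicator of an infected handset, and the SMS half can then be held back from the billing path rather than merely reported.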

Recap of the Malware

  • The malware hides by not using an icon and runs in the background.
  • Presents the user with entertainment content so that it is taken for an entertainment mobile application.
  • Asks the user to allow it to run as a device administrator so that the user can view additional adult content.
  • Once permitted to run as an administrator, it extracts sensitive information and sends SMS to premium numbers.
  • The malware can install additional software.

Conclusion

SMS malware is an interesting piece of software that cybercriminals are using more and more often, because most smartphone users do not install antivirus software and want free access to content on the internet.

Moreover, cybercriminals are also using mobile malware as an enabler of telecommunication fraud and security attacks, because they are aware that mobile operators do not deploy adequate security defences against mobile malware and SMS fraud.

Smartphone users should be very careful and should not install software from outside Google Play or Apple's App Store. The above command and control centre should be blocked in your networks as soon as possible to avoid the multiple types of telecom fraud that damage the reputation of mobile operators.

PS — Don’t create mobile malware because it is a crime and this content is purely for educational purposes only.
