Android Malware Trends and Reversing Tactics
Skimming the preceding manifest we can see the package name, minimum version, lack of maximum version, and permissions requested, along with which activities and services are runnable for which intents. An interesting combination is that there are the permissions RECEIVE_SMS, SEND_SMS, READ_CONTACTS, and INTERNET. This could be a harmless combination, though it is the bread and butter of most SMS Trojans. The next interesting thing we can see is which activity can be launched from the launcher tray. This can be seen since the .Main (which will inherit the package name to form its full class path, com.example.smsmessaging.Main) has an intent filter for both android.intent.action.MAIN and android.intent.category.LAUNCHER. There is then a service that we can see is declared, meaning a non-activity component that can continually run in the background, which is com.example.smsmessaging.TestService. Last, we have a receiver, com.example.smsmessaging.MyReceiver, which will receive the android.provider.Telephony.SMS_RECEIVED intent. There is a similar receiver, com.example.smsmessaging.BootUpReceiver, which handles the android.intent.action.BOOT_COMPLETED intent. Although we could likely guess what is going on in each of these, let us continue further and remember each of those entry points: the main activity (Main), service (TestService), and receivers (MyReceiver and BootUpReceiver).
After we run baksmali on the dex file, let's see if there is anything that sticks out in the loaded strings. Since we do not care about the class paths, we do not run strings on classes.dex as we might on an ELF file. If we step into the baksmali directory, avoiding the android/support/ folder, as it is a compatibility library included from the SDK, we can grep for const-string. This shows us every string that is loaded from the string table.
bebop:baksmali tstrazzere$ grep -ir "const-string" com/*
const-string v0, "content://sms/inbox"
const-string v0, "address"
const-string v0, "display_name"
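The two triage steps above (reading permissions and entry points out of the manifest, then pulling const-string literals out of the baksmali output) can be scripted for a first pass over a sample. The following is an added example, not code from the book; the manifest and smali fragment are constructed to mirror the sample described in the text, and the SMS-Trojan flag is simply the four-permission combination the text calls out.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"   # prefix of android:* attributes
SMS_TROJAN_PERMS = {"RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "INTERNET"}
# Constructed manifest modelled on the one described in the text (not the book's listing).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.smsmessaging">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <service android:name=".TestService"/>
    <receiver android:name=".MyReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <receiver android:name=".BootUpReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application></manifest>"""
# Constructed smali fragment standing in for baksmali output.
SMALI = '''    const-string v0, "content://sms/inbox"
    const-string/jumbo v1, "address"
    const-string v0, "display_name"
'''

def triage_manifest(xml_text):
    """Package, short permission names, SMS-Trojan flag and every component with its actions."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = {p.get(NS + "name").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    entry_points = []
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            name = comp.get(NS + "name")
            full = pkg + name if name.startswith(".") else name  # ".Main" inherits the package
            actions = [a.get(NS + "name") for a in comp.iter("action")]
            entry_points.append((tag, full, actions))
    return {"package": pkg, "permissions": perms,
            "sms_trojan_combo": SMS_TROJAN_PERMS <= perms, "entry_points": entry_points}

CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')

def const_strings(smali_text):
    """Every literal loaded via const-string (or const-string/jumbo), like the grep above."""
    return CONST_STRING.findall(smali_text)
```

The entry-point list is what to carry into the smali: each component's class file is where the static analysis continues.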