Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham
82
Android Malware and Analysis
com/example/smsmessaging/MyReceiver.smali: const-string v7, "android.provider.Telephony.SMS_RECEIVED"
com/example/smsmessaging/MyReceiver.smali: const-string v7, "pdus"
com/example/smsmessaging/TestService$1$1.smali: const-string v4, "Exception : "
com/example/smsmessaging/TestService$doBackGround.smali: const-string v1, "Executed"
com/example/smsmessaging/TestService.smali: const-string v0, "http://l0rdzs0ldierz.com/"
com/example/smsmessaging/TestService.smali: const-string v0, ""
com/example/smsmessaging/TestService.smali: const-string v8, ""
com/example/smsmessaging/TestService.smali: const-string v8, ""
com/example/smsmessaging/TestService.smali: const-string v8, ""
com/example/smsmessaging/TestService.smali: const-string v8, "Not an HTTP connection"
com/example/smsmessaging/TestService.smali: const-string v7, "GET"
com/example/smsmessaging/TestService.smali: const-string v8, "Error connecting"
com/example/smsmessaging/TestService.smali: const-string v5, "Blowfish/ECB/NoPadding"
com/example/smsmessaging/TestService.smali: const-string v5, "Blowfish"
com/example/smsmessaging/TestService.smali: const-string v10, "command.php?action=recv"
com/example/smsmessaging/TestService.smali: const-string v11, "conencting to "
com/example/smsmessaging/TestService.smali: const-string v1, "\n"
com/example/smsmessaging/TestService.smali: const-string v11, "added to array "
com/example/smsmessaging/TestService.smali: const-string v11, " at position="
com/example/smsmessaging/TestService.smali: const-string v11, "saved message="
com/example/smsmessaging/TestService.smali: const-string v0, "Service Created"
com/example/smsmessaging/TestService.smali: const-string v2, "myService"
83
Android Malware Trends and Reversing Tactics
com/example/smsmessaging/TestService.smali: const-string v3, "onStartCommand"
com/example/smsmessaging/TestService.smali: const-string v2, "Service Created onStartCommand"
com/example/smsmessaging/TestService.smali: const-string v2, "command.php?action=sent&number="
com/example/smsmessaging/Utilities.smali: const-string v2, "notfound"
com/example/smsmessaging/Utilities.smali: const-string v2, "/"
com/example/smsmessaging/Utilities.smali: const-string v2, "duplicate.apk"
com/example/smsmessaging/Utilities.smali: const-string v10, "android.intent.action.VIEW"
com/example/smsmessaging/Utilities.smali: const-string v11, "application/vnd.android.package-archive"
com/example/smsmessaging/Utilities.smali: const-string v1, "com.example.smsmessaging"
com/example/smsmessaging/Utilities.smali: const-string v2, "com.example.smsmessaging.Main"
Much like the manifest, this can give us hints as to what is going
on and good indications of what might be interesting for us to look
into. Immediately we see a command and control domain, some debug
statements, and what appear to be intent actions and MIME types. Next,
let's step into the main activity.
Image 6.1 SpamSoldier Main activity.
We can easily see from this IDA layout that the onCreate method
does very little. It calls the super Activity's onCreate, three Utilities
class functions, and then starts the TestService service. If we dive into
Utilities.iconRemoval we see the following common tactic:
Image 6.2 SpamSoldier Utilities class.
The preceding code, when reversed, will look something like this:

    import android.content.ComponentName;
    import android.content.pm.PackageManager;

    public void iconRemoval() {
        // Target the application's own launcher activity
        ComponentName componentToDisable = new ComponentName("com.example.smsmessaging",
                "com.example.smsmessaging.Main");
        PackageManager packageManager = Utilities_context.getPackageManager();
        // Disable the component without killing the process; the launcher drops its icon
        packageManager.setComponentEnabledSetting(componentToDisable,
                PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
    }
This is extremely common practice among Android malware, as
it removes the icon from the launcher tray. Since the receivers and
services of an Android application can only be activated once the
application has been run at least once (unless it is a system component),
the user must first launch an activity. This prompts many malware
authors to perform some type of social engineering on the user, such as
providing a game or pornography. After this activity is launched, the
code removes the icon from the launcher tray; to an average user this
would appear as if the application no longer exists. This is actually a well-documented
tactic, which was explained using a Zitmo sample around the time the
technique emerged (Android Zitmo Analysis).
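To show what the icon-hiding call looks like at the smali level and how a static check can flag it (an added example, not from the book), here is a Python detector run over a constructed smali fragment equivalent to the reconstructed iconRemoval(). The fragment, the Utilities_context field layout and the register-tracking heuristic are assumptions; the constant values 0x2 (COMPONENT_ENABLED_STATE_DISABLED) and 0x1 (DONT_KILL_APP) are the real PackageManager values.

```python
import re

# Constructed smali (assumed, not the book's listing) mirroring iconRemoval():
# build a ComponentName for the app's own Main activity, then call
# setComponentEnabledSetting(component, DISABLED=0x2, DONT_KILL_APP=0x1).
SAMPLE_SMALI = """\
.method public iconRemoval()V
    .locals 4
    new-instance v0, Landroid/content/ComponentName;
    const-string v1, "com.example.smsmessaging"
    const-string v2, "com.example.smsmessaging.Main"
    invoke-direct {v0, v1, v2}, Landroid/content/ComponentName;-><init>(Ljava/lang/String;Ljava/lang/String;)V
    sget-object v1, Lcom/example/smsmessaging/Utilities;->Utilities_context:Landroid/content/Context;
    invoke-virtual {v1}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
    move-result-object v1
    const/4 v2, 0x2
    const/4 v3, 0x1
    invoke-virtual {v1, v0, v2, v3}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
    return-void
.end method
"""

COMPONENT_ENABLED_STATE_DISABLED = 0x2
CONST_RE = re.compile(r'^const(?:/4|/16|)\s+(v\d+),\s+(0x[0-9a-fA-F]+|-?\d+)$')
STR_RE = re.compile(r'^const-string(?:/jumbo)?\s+(v\d+),\s+"(.*)"$')
SET_RE = re.compile(r'^invoke-virtual\s+\{([^}]*)\},\s+Landroid/content/pm/PackageManager;->setComponentEnabledSetting\(')

def find_icon_hiding(smali, own_package):
    """Return (method, component) for each call that disables one of the app's own components."""
    findings, regs, strings, method = [], {}, set(), None
    for raw in smali.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            method, regs, strings = line.split()[-1], {}, set()   # new method: reset state
            continue
        if (m := CONST_RE.match(line)):
            regs[m.group(1)] = int(m.group(2), 0)                  # last integer written to register
        elif (m := STR_RE.match(line)):
            strings.add(m.group(2))                                # string literals seen in this method
        elif (m := SET_RE.match(line)):
            args = [r.strip() for r in m.group(1).split(",")]
            # invoke-virtual {this, component, newState, flags}: newState is args[2]
            if len(args) >= 3 and regs.get(args[2]) == COMPONENT_ENABLED_STATE_DISABLED:
                own = sorted(s for s in strings if s.startswith(own_package + "."))
                findings.append((method, own[0] if own else None))
    return findings
```

The register map is a last-write approximation, good enough for the straight-line code this tactic typically uses; a sample that loads the state through a field or a branch would need proper dataflow.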
If we return to the Main activity and step into the InstallApk
function, we actually see what the malware author is attempting to
social engineer with. They are loading the APK asset, which was
embedded in the assets folder. After checking whether this application was
already installed, it launches an android.intent.action.VIEW intent
with the application/vnd.android.package-archive MIME type and the
location of the extracted APK asset. This will be caught by the default
package manager and prompt the user to install the APK. After this
function completes, we see that the only thing left for this entry point
is to kick off the TestService. So the main breakdown is: remove the
malware icon, prompt the user to install GTA3 (supposedly what they
were enticed to download and install this application for), and start
the TestService. Diving into TestService is our next step.
Image 6.3 SpamSoldier TestService class, timer functionality.
Interestingly enough, the malware author has left in what appears to be
debug statements. Though it does appear to be strange that they would visually
show these to the user through a Toast (momentarily appears as text)