Android malware with SMTP capabilities (September 6, 2013)

The Dell SonicWall Threats Research Team received reports of an Android malware capable of sending emails using the SMTP protocol. We have observed Android malware evolve with new tricks to infect its victims, but this is the first one to use SMTP to send sensitive device and user information to the attackers.

Infection Cycle

Before installation the app requests the following permissions:

  • bind_device_admin
  • change_network_state
  • receive_sms
  • process_outgoing_calls
  • read_sms
  • read_user_dictionary
  • write_sms
  • send_sms
  • internet
  • write_external_storage
  • wake_lock
  • record_audio
  • modify_audio_settings
  • vibrate
  • receive_boot_completed
  • write_settings
  • disable_keyguard
  • read_contacts
  • write_contacts
  • get_tasks
  • write_secure_settings
  • read_phone_state

Once installed, the app appears as ‘Google Service’ on the phone. Opening it prompts the user to allow the app to be set as a device administrator, which means the app will be able to alter the security policy of the device. Whenever any app asks to be set as a device administrator, it is highly advised to verify the intentions of the app before granting this permission.
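The permission list and the device-administrator prompt above are the kind of static indicators an analyst can triage before running a sample. The following Python script is an added example, not code from the original post or from SonicWall: it parses an AndroidManifest.xml, collects the requested permissions, checks for a receiver guarded by BIND_DEVICE_ADMIN (how an app declares that it can become a device administrator), and groups the result into the capability groups the analysis describes (SMS access, contacts, call audio, network exfiltration, persistence, device admin). The two manifests embedded in it are constructed for hypothetical packages and do not come from the real sample; the scoring thresholds are an assumption chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Capability groups built from the behaviours the analysis describes. A group
# is present when the manifest requests any permission listed for it.
CAPABILITY_GROUPS = {
    "sms_access": {"READ_SMS", "RECEIVE_SMS", "WRITE_SMS", "SEND_SMS"},
    "contacts_access": {"READ_CONTACTS", "WRITE_CONTACTS"},
    "call_audio": {"RECORD_AUDIO", "PROCESS_OUTGOING_CALLS"},
    "network_exfil": {"INTERNET"},
    "persistence": {"RECEIVE_BOOT_COMPLETED", "WAKE_LOCK"},
    "device_admin": {"BIND_DEVICE_ADMIN"},
}

# Constructed manifest for a hypothetical package carrying permissions from the
# list in the post plus a device-admin receiver (not the real sample's manifest).
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.service">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Google Service">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for an ordinary network-using app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""


def parse_permissions(manifest_xml):
    """Return the short names (e.g. READ_SMS) of every <uses-permission> entry."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR, "")
        if name:
            perms.add(name.rsplit(".", 1)[-1].upper())
    return perms


def has_device_admin_receiver(manifest_xml):
    """True if a receiver is protected by BIND_DEVICE_ADMIN, i.e. the app is
    able to ask the user to make it a device administrator."""
    root = ET.fromstring(manifest_xml)
    return any(recv.get(PERM_ATTR, "").endswith("BIND_DEVICE_ADMIN")
               for recv in root.iter("receiver"))


def triage(manifest_xml):
    """Map permissions to capability groups and give a coarse verdict.
    Thresholds are an illustrative assumption, not an established standard."""
    perms = parse_permissions(manifest_xml)
    if has_device_admin_receiver(manifest_xml):
        perms.add("BIND_DEVICE_ADMIN")
    caps = sorted(g for g, names in CAPABILITY_GROUPS.items() if perms & names)
    data_sources = {"sms_access", "contacts_access", "call_audio"} & set(caps)
    if "network_exfil" in caps and "device_admin" in caps and len(data_sources) >= 2:
        verdict = "spyware-like"   # can steal several data types, send them, and resist removal
    elif "network_exfil" in caps and data_sources:
        verdict = "review"         # reads private data and has a network path out
    else:
        verdict = "low"
    return {"permissions": sorted(perms), "capabilities": caps, "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("spy", SPY_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["verdict"], result["capabilities"])
```

On a real APK the manifest is binary-encoded; decode it first (for example with apktool or androguard) and feed the resulting XML to triage(). The device-admin check matters because a plain permission list from a store page will not show it: the receiver declaration is where that capability lives.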

After the user taps the app, nothing happens on the screen and the app is no longer visible in the app drawer, but it continues to run in the background. The app collects information on the device and attempts to send it using SMTP.
The app has the capability to steal and send the following information:

  • Contacts on the phone
  • SMSes on the device
  • Audio recordings of the calls on the device

We found interesting strings in a function named sendAll() that gathers the collected data and formats it for sending via SMTP.

The app collects this information and sends it to the attackers via SMTP. We found the following SMTP servers in the code:

  • smtp.gmail.com
  • smtp.126.com

During our analysis the sample tried to communicate with smtp.126.com but we did not see any further activity.
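Because the stolen data leaves over SMTP rather than HTTP, a handset opening a mail-submission port to a public mail server is the network-side signal to look for. The script below is an added detection example, not code from the original post or from SonicWall: it reads simple flow records (timestamp, source IP, resolved destination host, destination port, protocol), keeps only TCP flows to ports 25, 465 and 587 from the handset address range, ignores the organisation's own mail server, and labels flows to the two servers named above separately from SMTP to any other host. The handset subnet 10.20.0.0/16, the internal mail host mail.example.internal and all of the flow lines are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed: the address range handed out to handsets on the Wi-Fi network.
MOBILE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Mail submission and relay ports; a phone app has little reason to use them directly.
SMTP_PORTS = {25, 465, 587}
# SMTP servers named in the analysis above.
KNOWN_EXFIL_HOSTS = {"smtp.gmail.com", "smtp.126.com"}
# Constructed: the organisation's own submission host, which mail clients may use.
ALLOWED_MAIL_HOSTS = {"mail.example.internal"}

# Constructed flow records: timestamp, source IP, resolved destination host,
# destination port, protocol. None of these are real observations.
SAMPLE_FLOWS = """\
2013-09-06T09:58:11 10.20.5.17 api.example.com 443 tcp
2013-09-06T10:01:02 10.20.5.17 smtp.126.com 25 tcp
2013-09-06T10:01:40 10.20.5.17 smtp.126.com 25 tcp
2013-09-06T10:03:15 10.20.7.3 mail.example.internal 587 tcp
2013-09-06T10:05:00 192.168.1.10 smtp.gmail.com 587 tcp
2013-09-06T10:06:22 10.20.9.44 smtp.gmail.com 465 tcp
2013-09-06T10:07:10 10.20.11.8 smtp.mailrelay-example.net 587 tcp
"""


def parse_flow(line):
    """Split one space-separated flow record into typed fields."""
    ts, src, host, port, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "host": host.lower(),
            "port": int(port), "proto": proto.lower()}


def is_mobile_client(ip):
    return any(ip in net for net in MOBILE_NETS)


def classify(flow):
    """Return a label for a suspicious SMTP flow, or None if it is not of interest."""
    if flow["proto"] != "tcp" or flow["port"] not in SMTP_PORTS:
        return None
    if not is_mobile_client(flow["src"]) or flow["host"] in ALLOWED_MAIL_HOSTS:
        return None
    if flow["host"] in KNOWN_EXFIL_HOSTS:
        return "known-spyware-smtp-server"
    return "unexpected-smtp-from-handset"


def detect(flow_text):
    """Group suspicious flows by source handset so each device yields one alert."""
    alerts = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            alerts[str(flow["src"])].append(
                (flow["ts"], flow["host"], flow["port"], label))
    return dict(alerts)


if __name__ == "__main__":
    for src, hits in detect(SAMPLE_FLOWS).items():
        print(src)
        for ts, host, port, label in hits:
            print("  %s %s:%d %s" % (ts, host, port, label))
```

The "unexpected-smtp-from-handset" label is the more durable of the two: the server names in this sample are ordinary public mail services and will change from family to family, whereas a phone speaking SMTP to anything other than the organisation's own submission host is unusual on its own. Blocking outbound 25/465/587 from the handset range, except to that host, is the matching preventive control.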

The motive of this malware is to send sensitive user information to the attackers. We have seen such spy apps in the past, but most of them relied on SMS or HTTP as the medium for sending the stolen information; this is the first malware to use SMTP. This highlights that malware writers are constantly evolving Android malware with new tricks.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Spy.SMTP (Trojan)