The SonicWall Capture Labs Threat Research team regularly shares information about malware threats targeting Android devices. SonicWall has tracked down some active SMS trojan applications.
This Android SMS app purports to be a well-known antimalware application in order to gain easy initial access; after installation it behaves as a completely different application, silently sending SMS messages without the user's knowledge.
Infection Cycle:
The application uses an icon resembling that of DrWeb, which easily escapes users' attention.
Figure 1: DrWeb icon used by the malware author
Permissions used by the application are:
After installation, the application shows an agreement page.
Figure 2: Agreement page
The assets folder contains agree.txt, which holds the agreement text written in Russian, and three .res files whose content (a number and a text) is base64-encoded twice.
Figure 3: Asset folder
The agreement content states that it grants open access to a paid, closed archive of erotic downloads.
Figure 4: Agreement content
At the time of analysis, the URL mentioned, hxxp://topfiless[.]com, was not accessible.
Figure 5: Inactive URL
To recover the number and text, the application decodes the stored data with base64 twice; the decoded result is in JSON format.
Figure 6: Information decryption & message sending
Figure 7: Decrypted number and text used to send High-Cost SMS
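The decoding step described above, written here as an added triage helper (not code from SonicWall or from the malware): it strips the two base64 layers from a .res asset, checks whether the result is JSON carrying a number and a text, and can walk an unpacked APK's assets folder to flag such files. The JSON key names "number" and "text" and the sample asset content are assumptions.

```python
import base64
import binascii
import json
from pathlib import Path

# Constructed sample standing in for a .res asset: a JSON object with the
# two fields the analysis describes, base64-encoded twice. The key names
# "number" and "text" are assumed; the values are made up.
SAMPLE_RES = base64.b64encode(
    base64.b64encode(b'{"number": "0000", "text": "EXAMPLE"}')
).decode("ascii")


def decode_double_base64(blob: str) -> bytes:
    """Strip two layers of base64 and return the raw bytes.
    validate=True makes stray non-alphabet bytes raise binascii.Error
    instead of being silently skipped."""
    inner = base64.b64decode(blob.strip(), validate=True)
    return base64.b64decode(inner.strip(), validate=True)


def extract_sms_config(blob: str):
    """Return {"number": ..., "text": ...} if the blob decodes to JSON with
    those fields, otherwise None (not base64, not UTF-8, not JSON, or JSON
    without the expected keys)."""
    try:
        payload = json.loads(decode_double_base64(blob).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return None
    if isinstance(payload, dict) and {"number", "text"} <= payload.keys():
        return {"number": str(payload["number"]), "text": str(payload["text"])}
    return None


def scan_assets(assets_dir: str) -> dict:
    """Walk an unpacked APK's assets folder and report every .res file that
    decodes to an SMS number/text pair, keyed by file name."""
    findings = {}
    for res_file in Path(assets_dir).glob("*.res"):
        cfg = extract_sms_config(res_file.read_text(encoding="ascii", errors="ignore"))
        if cfg is not None:
            findings[res_file.name] = cfg
    return findings


if __name__ == "__main__":
    # Point scan_assets() at "<unpacked_apk>/assets" to check real samples.
    print(extract_sms_config(SAMPLE_RES))
```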
The application checks incoming messages, matches their content against the desired data, and then sends SMS messages accordingly.
Figure 8: Checks for incoming messages
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):