Last week the security world was abuzz with news of a new attack vector for mobile attacks. The malware was sent to the accounts of Tibetan human rights advocates and activists from the hacked account of one of the activists, in a message regarding the World Uyghur Congress (WUC) Conference that took place in Geneva from 11-13 March, 2013.
What made the piece of malware particularly interesting was the targeted nature of the attack, once again highlighting the political aspect of cyber warfare and making us question whether governments and legitimate organizations could be the source of such attacks.
The advent of smartphones and subsequently, mobile malware, provides attackers with the opportunity to exploit an all-in-one spying solution. The fact that most phones these days come equipped with a microphone, a camera, a GPS and internet access basically provides an attacker with all the resources that might be required to spy on someone.
The malware behaviour is explained below:
When installed, the victim sees an application called ‘Conference’ in the main menu (as seen in Fig1).
Fig1: Conference application
Launching the application results in a screen as seen in Fig2 with a message regarding the turnout at the WUC conference.
Fig2: Application’s main screen
These are the only visible signs of the application seen by the end-user. The main malicious activity of the application takes place in the background, hidden from the victim.
It gathers data such as SMS information, phone and SIM contacts, location information and call records from the victim’s phone and sends it to the attacker’s server. This sending is invoked when an SMS message with the corresponding keyword is received. It also monitors incoming SMS messages and forwards them to the attacker’s server as and when they are received.
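The capability combination described above (an SMS receiver that can react to incoming messages, harvesting of contacts, location and call records, and network access to exfiltrate them) all has to be declared in the APK's manifest, which makes it a cheap first-pass triage signal. The script below is an added example written for this post, not Fortinet's detection logic and not the Chuli.A sample's real manifest; both manifests in it are constructed for illustration, and the capability-to-permission mapping is a general one (READ_CALL_LOG only exists from Android 4.1; on older versions call logs were covered by READ_CONTACTS).

```python
"""Static triage of an Android manifest for the spyware capability pattern:
SMS interception plus contact/location/call-log harvesting with network access.

Added example for this post. The manifests below are constructed; they are
not the Chuli.A sample's actual manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # namespaced android:name attribute

# Capabilities the post attributes to the sample, mapped to the permissions an
# app must declare to have them. READ_CALL_LOG was split out of READ_CONTACTS
# in Android 4.1, so on older targets "call_log" shows up under "contacts".
CAPABILITIES = {
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "network": {"android.permission.INTERNET"},
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HARVEST_CAPS = {"read_sms", "contacts", "location", "call_log"}

# Constructed manifest modelled on the behaviour the post describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.conference">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Conference">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network-only app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage(manifest_xml: str) -> dict:
    """Return declared permissions, derived capabilities and a triage verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    caps = {cap for cap, needed in CAPABILITIES.items() if perms & needed}

    # A broadcast receiver registered for SMS_RECEIVED is what lets an app see
    # every incoming SMS (and so react to a keyword or forward the message).
    sms_receiver = any(
        a.get(NAME) == SMS_RECEIVED
        for r in root.iter("receiver")
        for a in r.iter("action")
    )

    harvest = caps & HARVEST_CAPS
    if sms_receiver and "network" in caps and len(harvest) >= 2:
        verdict = "spyware-pattern"   # intercepts SMS, harvests data, can send it out
    elif harvest and "network" in caps:
        verdict = "review"            # harvests something and can upload it
    else:
        verdict = "clean"

    return {
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "sms_receiver": sms_receiver,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The manifest check is deliberately coarse: many legitimate apps (messaging clients, dialers) legitimately declare the same permissions, so "spyware-pattern" means "inspect the code", not "malicious". It is still useful for ranking a batch of APKs pulled from a mail attachment or a staging server, after which the code itself (here, the SMS-triggered upload path) decides.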
Fortinet detects this malware as Android/Chuli.A!tr.spy (named after one of the functions, chuli(), that invokes the sending of collected data to the attacker’s server). More details can be found on its description page.
A visual demo of the malware running can be seen at http://www.youtube.com/watch?v=mDChxHnFnLw.
Some exploration on the attacker’s server led to the discovery of another package of a similar kind.
A couple of differences between the two samples are highlighted below:
- Application name and appearance: The package present on the server is called ‘test’ and contains a message in Chinese (refer to Fig3) as opposed to the English one (Fig2) for the package described above.
- Call records collection: The server’s package doesn’t contain functionality to collect call records.
- Extra variable: The server package also contains an extra variable “passwd” initialized with the value “hunan”, but it isn’t used anywhere in the code.
Fig3: Different version of the malware found on the attacker’s server
Something worth pondering over is why the attackers chose to use the library ‘it.sauronsoftware.base64’ for Base64 encoding instead of the standard Android library ‘android.util.Base64’. Any ideas?