The malicious application contacts a remote C&C server, from which it fetches an XML configuration file containing the commands the C&C wants the bot to perform.
In particular, the XML send tag makes the infected mobile phone send an SMS to a specified phone number with a specified body. Then, this phone number is added to a list of phone numbers for which the malicious application must act as a relay: when the specified phone number replies (by SMS), the answer is automatically forwarded to a URL mentioned in the XML insms tag.
More precisely, the malware sends an HTTP POST to that URL with a serialized JSON object carrying an “insms” key whose value is the body of the SMS reply.
So, the infected phone acts as an SMS relay between some phone numbers and the C&C. Mark Balanza suggests interesting motivations for doing so; read the “possible motive” section of his post.
Besides this SMS-relaying functionality, I would like to investigate other functionalities the malware exposes:
- url: when the malware starts, it sends an HTTP POST, with a JSON object containing the pair “sms”/“true”, to the specified URL.
- delete: the samples I analyzed do not seem to include the code to process this command (yet), but, from its syntax, we can reasonably assume it removes the specified phone number from the list of phone numbers the malware relays SMS for.
- listapp: the malware posts a list of all installed applications on the device.
- clean: additionally, the malware is able to uninstall a given application remotely. This is similar to Google’s remote Kill Switch, but controlled by attackers…
- update: automatically visits the specified URL if the current version of the malware is different from the one specified in the configuration file.
Are the listapp / clean features the early sign of mobile malware trying to remove AV software or competing bots (just like Bagle or MyDoom in 2004)?
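As an added example (not code from the original post or from the analysed sample), the following Python sketches a triage check a defender could run over logged HTTP POST bodies, flagging the “sms”/“true” startup beacon and the “insms” relay POSTs described above. The URLs and bodies are constructed; the package-name heuristic used to spot the listapp upload is an assumption, since the post does not say how that list is serialized.

```python
import json
import re

# Constructed sample of HTTP POST bodies, as a proxy or IDS might log them
# (hypothetical URLs and contents, not taken from any real sample).
CAPTURED_POSTS = [
    {"url": "http://c2.example/start", "body": '{"sms":"true"}'},
    {"url": "http://c2.example/in", "body": '{"insms":"Your code is 4711"}'},
    {"url": "http://c2.example/apps",
     "body": '["com.example.bank", "com.example.antivirus", "com.android.vending"]'},
    {"url": "http://cdn.example/api", "body": '{"page": 1}'},
    {"url": "http://c2.example/in", "body": "not json at all"},
]

# Assumption: an uploaded list of installed applications is a JSON list of
# Android package names, i.e. dotted identifiers such as com.example.bank.
PACKAGE_RE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_]\w*)+$")


def classify_post(body):
    """Label one POST body.

    'startup-beacon' : the "sms"/"true" pair sent when the malware starts
    'sms-relay'      : an "insms" pair carrying a forwarded SMS reply
    'app-list'       : a list of package names (assumed listapp format)
    None             : nothing matched, or the body is not JSON at all
    """
    try:
        obj = json.loads(body)
    except ValueError:          # json.JSONDecodeError is a ValueError
        return None
    if isinstance(obj, dict):
        if obj.get("sms") == "true":
            return "startup-beacon"
        if "insms" in obj:
            return "sms-relay"
        return None
    if isinstance(obj, list) and len(obj) >= 2 and all(
            isinstance(s, str) and PACKAGE_RE.match(s) for s in obj):
        return "app-list"
    return None


def triage(posts):
    """Return (label, url) for every captured POST that matches a pattern."""
    hits = []
    for post in posts:
        label = classify_post(post["body"])
        if label is not None:
            hits.append((label, post["url"]))
    return hits
```

Running triage(CAPTURED_POSTS) on the constructed sample yields one hit each for the beacon, the relayed SMS and the application list, and ignores the ordinary and malformed bodies.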
Thanks to Trend Micro for sharing this sample.
– the Crypto Girl