Android Malware Acts as an SMS Relay
I have seen Android malware deleting SMS messages, I have seen Android malware sending SMS, but this is the first time I have seen an Android malware act as an SMS relay.
My colleagues and I were recently able to handle a sample of an Android malware that uses an infected device as a proxy for sending and receiving messages. Unlike most Android-specific threats we have seen recently, this one does not piggyback on legitimate Android apps. Once installed, it displays a blank window for a split second and then close it immediately.
This malware installs a service called “FlashService”. It employs two receivers called “FlashReceiver” and “SMSReceiver” which are triggered after boot up and when an SMS is received, respectively. “FlashReceiver”, which is run after booting up, starts the “FlashService”. Receivers are functions that are executed when a specific Intent is received. For simplicity, think of Intent as an event. When an SMS is received, the OS will broadcast this event triggering the execution of all functions that are supposed to be executed every time the event occurs.
The “FlashService” service is responsible for communicating with its server. As mentioned, it executes once the device boots up, and connects to a certain URL in order to download an XML configuration file.
Below is the code of the XML configuration file being received at the time of writing:
One interesting entry in the configuration file is the “send” element. Currently, the server does not put any information in it. However, when I looked into the code of the malware, it appears to accept a mobile number in the “number” attribute and a string in the text content.
What happens here is, when the malware author encodes something like “This is an SMS message” in the configuration file, the malware will send the message “This is an SMS message” to that number. Any text contained in the said element will be used as the body of the SMS body and the number in the “number” attribute will be the recipient.
However, this only sends messages one way. In order to act as a relay, it should also be able to forward the SMS message when the recipient replies. This is where “SMSReceiver” comes in. The SMSReceiver checks if the sender of the SMS message is the same as the one in its configuration file. If it is, it will get the SMS body and then send it to its server via the URL in the “insms” element in the configuration file. After posting, the SMS message is deleted so the user of the affected device will not see it.
The way I see it, this malware may be used for three particular reasons: first, it can be used to abuse premium services. The malware author can command the backdoor to enroll the affected device on a specified premium service. The user will not have any idea that It has already been enrolled since the SMS notifications from the said service are also deleted by the malware.
Second, it can be used to spy on the targeted device. The malware author can set a specific number. Once an SMS message is received from that number, the SMS body is uploaded to its server. Lastly, it can be used as an SMS relay (like a proxy server for SMS). The malware author can send and receive SMS messages through the affected device.
How to manually check if you are infected:
Go to Settings>Applications>Running Services. Check for the existence of an application with “FlashService” as its service, and “com.flashp” as its process.
If found, users can manually remove the malware from their system by going to Settings>Applications>Manage Applications, and then uninstall the said application.
For more information on how to better prevent Android threats, you may refer to our comprehensive report “5 Simple Steps to Secure Your Android-Based Smartphones.”
Leave a reply