The Latest in IT Security

Android malware gets phish-y


Last week the security world was abuzz with news of a new attack vector for mobile attacks. The malware was sent to the accounts of Tibetan human rights advocates and activists from the hacked account of one of the activists regarding the the World Uyghur Congress (WUC) Conference that took place in Geneva from 11-13 March, 2013.

What made the piece of malware particularly interesting was the targeted nature of the attack, once again highlighting the political aspect of cyber warfare and making us question whether governments and legitimate organizations could be the source of such attacks.

The advent of smartphones and subsequently, mobile malware, provides attackers with the opportunity to exploit an all-in-one spying solution. The fact that most phones these days come equipped with a microphone, a camera, a GPS and internet access basically provides an attacker with all the resources that might be required to spy on someone.

The malware behaviour is explained below :

When installed, the victim sees an application called ‘Conference’ in the main menu (as seen in Fig1)

Android Chuli Icon Fig1 : Conference application

Launching the application results in a screen as seen in Fig2 with a message regarding the turnout at the WUC conference.

Android Chuli A Main1 Fig2 : Application’s main screen

These are the only visible signs of the application seen by the end-user. The main malicious activity of the application takes place in the background, hidden from the victim.

It gathers data such as SMS information, phone and SIM contacts, location information and call records from the victim’s phone and sends it to the attacker’s server. This sending is invoked when an SMS message with the corresponding keyword is received. It also monitors incoming SMS messages and forwards them to the attacker’s server as and when they are received.

Fortinet detects this malware as Android/Chuli.A!tr.spy (named after one of the functions chuli() that invokes sending of collected data to the attacker’s server). More details can be found on it’s description page

A visual demo of the malware running can be seen at

Some exploration on the attacker’s server led to the discovery of another package of a similar kind.

A couple of differences between the two samples are highlighted below :

  • Application name and appearance : The name of the package present on the server is called ‘test’ and contains a message in Chinese (refer Fig3) as opposed to the english one (Fig2) for the package described above.

  • Call records collection : The server’s package doesn’t contain functionality to collect call records

  • Extra variable : The server package also contains an extra variable “passwd” initialized with value “hunan” but isn’t used anywhere in the code.

Android Chuli A Main2 Fig3 : Different version of the malware found on the attacker’s server

Something worth pondering over is why the attacker’s chose to use the library ‘it.sauronsoftware.base64’ for Base64 encoding instead of using the standard Android library ‘android.util.Base64’ Any ideas?

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments