
4/18/2012

[Issue] Zombie phone on calling for Korean user?


1. Introduction


The INCA Internet response team has published a report on an Android malicious file that contains bot functionality.
No damage cases caused by this kind of Android malicious file have been reported so far; however, this malicious file can turn the handset into a zombie phone capable of data theft and remote control.
In particular, this malicious file checks for Korean APNs (Access Point Names), so it has the potential to spread its infection range to Korea.


- Check Korean APN
- Zombie phone can breach your data
- DDoS Attack, Spreading malicious spam, Record voice call

[Caution] Real case of spreading Android malicious file
http://en-erteam.nprotect.com/2012/04/caution-real-case-of-spreading-android.html

[Information] Automatic detection and analysis system of malicious Android application 
http://en-erteam.nprotect.com/2011/12/information-automatic-detection-and.html

2. Spreading cases and symptom of infection

Android malicious applications are spreading via 3rd party markets, various black markets, and even the official Google market. The open platform is a merit of Android; however, it also exposes users to various security threats. This malicious application came from an unofficial Chinese Android market.



Install phase

This malicious application requests the following permissions.



Permissions

- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.MODIFY_PHONE_STATE"
- android:name="android.permission.CALL_PHONE"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.RECORD_AUDIO"
- android:name="android.permission.CAMERA"
- android:name="android.permission.MODIFY_AUDIO_SETTINGS"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.WRITE_CONTACTS"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.ACCESS_FINE_LOCATION"
- android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"
- android:name="android.permission.ACCESS_MOCK_LOCATION"
- android:name="android.permission.UPDATE_DEVICE_STATS"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.DEVICE_POWER"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.DISABLE_KEYGUARD"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.READ_LOGS"
- android:name="android.permission.KILL_BACKGROUND_PROCESSES"
- android:name="android.permission.RESTART_PACKAGES"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.WRITE_APN_SETTINGS"
- android:name="android.permission.BLUETOOTH"

This malicious application uses the same main icon as Google's. It has no launcher icon, however;
 
it can only be found under "Settings" -> "app" -> "manage".




Analysis of malicious function

This malicious application has no launcher icon and runs only in the background.
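The two static indicators described so far, a very broad permission set and the lack of a launcher icon, can both be read straight from the manifest. The following triage script is an added example and is not code from the original post or from INCA Internet: it parses a manifest, maps the requested permissions onto the capabilities the report attributes to the sample, and flags an app that is hidden from the launcher and registers a boot receiver. The manifests it analyses are constructed here to mirror the report's permission list, and the risk groupings and the "suspicious" threshold are my own heuristics, not an official Android classification.

```python
# Added example (not code from the original post or from INCA Internet): triage an
# AndroidManifest.xml for the two static indicators the report describes, a broad
# set of sensitive permissions and the absence of a launcher icon. The manifests
# below are constructed to mirror the report's permission list; the risk groupings
# and the verdict threshold are my own heuristics.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # how ElementTree spells the android:name attribute

# Each group is a capability the report attributes to the sample.
RISK_GROUPS = {
    "sms_control":    {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS"},
    "call_recording": {"RECORD_AUDIO", "PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE"},
    "location":       {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "persistence":    {"RECEIVE_BOOT_COMPLETED", "WAKE_LOCK"},
    "network_config": {"WRITE_APN_SETTINGS", "WRITE_SETTINGS"},
    "process_kill":   {"KILL_BACKGROUND_PROCESSES", "RESTART_PACKAGES"},
}


def _manifest(perms, launcher, boot):
    """Build a constructed sample manifest with a service and, optionally,
    a BOOT_COMPLETED receiver and a MAIN/LAUNCHER activity."""
    uses = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    activity = ('<activity android:name=".Main"><intent-filter>'
                '<action android:name="android.intent.action.MAIN"/>'
                '<category android:name="android.intent.category.LAUNCHER"/>'
                '</intent-filter></activity>') if launcher else ""
    receiver = ('<receiver android:name=".Boot"><intent-filter>'
                '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
                '</intent-filter></receiver>') if boot else ""
    return ('<manifest xmlns:android="%s" package="com.example.constructed">%s'
            '<application><service android:name=".Svc"/>%s%s</application></manifest>'
            % (ANDROID_NS, uses, receiver, activity))


# Constructed input modelled on the permission list in the report.
SUSPICIOUS_MANIFEST = _manifest(
    ["READ_PHONE_STATE", "PROCESS_OUTGOING_CALLS", "RECORD_AUDIO", "READ_CONTACTS",
     "RECEIVE_BOOT_COMPLETED", "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS",
     "INTERNET", "ACCESS_FINE_LOCATION", "WRITE_APN_SETTINGS",
     "KILL_BACKGROUND_PROCESSES", "WAKE_LOCK"], launcher=False, boot=True)
# Constructed input for an ordinary networked app with a home-screen icon.
BENIGN_MANIFEST = _manifest(["INTERNET", "ACCESS_NETWORK_STATE"], launcher=True, boot=False)


def requested_permissions(manifest_xml):
    """Return the short names of the android.permission.* entries the app requests."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(NAME, "") for el in root.iter("uses-permission"))
    return {n.split("android.permission.", 1)[1]
            for n in names if n.startswith("android.permission.")}


def _filter_has(filt, action, category=None):
    actions = {a.get(NAME) for a in filt.iter("action")}
    cats = {c.get(NAME) for c in filt.iter("category")}
    return action in actions and (category is None or category in cats)


def has_launcher_activity(manifest_xml):
    """True if some activity is reachable from the home screen (MAIN + LAUNCHER)."""
    root = ET.fromstring(manifest_xml)
    return any(_filter_has(f, "android.intent.action.MAIN",
                           "android.intent.category.LAUNCHER")
               for act in root.iter("activity") for f in act.iter("intent-filter"))


def has_boot_receiver(manifest_xml):
    """True if a receiver listens for BOOT_COMPLETED (restart-on-boot persistence)."""
    root = ET.fromstring(manifest_xml)
    return any(_filter_has(f, "android.intent.action.BOOT_COMPLETED")
               for rcv in root.iter("receiver") for f in rcv.iter("intent-filter"))


def triage(manifest_xml):
    """Summarise the static indicators and give a heuristic verdict."""
    perms = requested_permissions(manifest_xml)
    groups = {g: sorted(perms & wanted)
              for g, wanted in RISK_GROUPS.items() if perms & wanted}
    hidden = not has_launcher_activity(manifest_xml)
    boot = has_boot_receiver(manifest_xml)
    # A hidden, boot-persistent app holding three or more capability groups
    # matches the profile described in the report.
    verdict = "suspicious" if hidden and boot and len(groups) >= 3 else "no match"
    return {"permissions": len(perms), "risk_groups": groups,
            "hidden_app": hidden, "boot_receiver": boot, "verdict": verdict}


if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

On a real APK the manifest is binary XML, so decode it first (for example with apktool or aapt) and pass the resulting text to `triage`; the heuristic is a triage aid for prioritising samples, not a verdict on its own, since legitimate apps such as launcher replacements or dialers also hold several of these groups.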

Malicious functions


- Perform as a bot
- Monitor SMS
- Collect information (IMEI, IMSI, GPS)
- Send SMS to the attacker (premium service)
- Record voice calls
- Capture the screen
- Check the APN (Access Point Name)
- Try to quit a certain package
- Try to reboot under certain conditions

- Perform as a bot and monitor SMS

The bot function is triggered under a certain condition (a string).


When a certain SMS is received, the code runs, checks the condition and performs the malicious function.

- Collect information

This malicious file collects the IMEI, IMSI and GPS position with the following code.


In addition, the collected information is sent to a certain site after XML parsing.

- Send SMS to the attacker

This malicious application sends SMS messages containing the collected information and the run status of the code.


With the code above, it deletes its own sent messages from the history, so the user cannot recognize that anything was sent.

- Record voice calls

After infection, this malicious application checks the voice call state with a listener and, under a certain condition, records the voice call as an .amr file.


- Capture the screen

This malicious application registers a malicious service and tries to capture the screen as a .jpg.


- Check the APN (Access Point Name)

This malicious application checks the APN and its settings with the following code.

APN (Access Point Name)

- An Access Point Name (APN) is a configurable network identifier used by a mobile device when connecting to a GSM carrier. The carrier examines this identifier to determine what type of network connection should be created, for example: what IP addresses should be assigned to the wireless device, what security methods should be used, and how, or if, it should be connected to some private customer network.


The parsed XML contains various APNs, including Korean APNs (web.sktelecom.com, ktfwing.com).

APN addresses in this app

[China]
- http://mmsc.monternet.com
- http://mmsc.myuni.com
- http://www.wo.com.cn
- http://mmsc.vnet.mobi
- http://mms.emome.net

[Taiwan]
- http://mms.catch.net.tw
- http://mms.kgtmms.net.tw/mms/wapenc

[Hongkong]
- http://mms.peoples.com.hk
- http://mobile.three.com.hk
- http://3gmms.pccwmobile.com
- http://mms.smartone-vodafone.com

[Korea]
- http://always.ktfwing.com
- http://mmsc.ktfwing.com
- web.sktelecom.com
- smart.nate.com
- http://omms.nate.com
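The list above mixes three spellings of the same kind of indicator: full "http://" URLs, a URL with a path, and bare hostnames. Before such values are compared against carrier configuration or fed into a detection rule they need to be normalized, and the two ktfwing.com entries show why matching on the carrier domain rather than the exact host is what a defender usually wants. The script below is an added example, not code from the original post or from INCA Internet: it normalizes each entry to a hostname, collapses it to the carrier-owned domain, and attributes an observed APN to the country groups as the report lists them. The entries and country headings are copied from the report; the small second-level-suffix table is my own and covers only the TLDs that occur here.

```python
# Added example (not code from the original post or from INCA Internet): normalize
# the APN/MMSC entries the report lists, which mix "http://" URLs, URLs with paths
# and bare hosts, into carrier-owned domains, and attribute an observed APN to the
# country group the report gives. Entries and headings are copied from the report;
# the second-level-suffix table is my own and covers only these TLDs.
from urllib.parse import urlsplit

APN_ENTRIES = {
    "China": ["http://mmsc.monternet.com", "http://mmsc.myuni.com", "http://www.wo.com.cn",
              "http://mmsc.vnet.mobi", "http://mms.emome.net"],
    "Taiwan": ["http://mms.catch.net.tw", "http://mms.kgtmms.net.tw/mms/wapenc"],
    "Hongkong": ["http://mms.peoples.com.hk", "http://mobile.three.com.hk",
                 "http://3gmms.pccwmobile.com", "http://mms.smartone-vodafone.com"],
    "Korea": ["http://always.ktfwing.com", "http://mmsc.ktfwing.com", "web.sktelecom.com",
              "smart.nate.com", "http://omms.nate.com"],
}

# Suffixes under which the registrable name sits one label deeper (e.g. wo.com.cn).
# A real tool would use the public suffix list; this subset only covers the list above.
SECOND_LEVEL_SUFFIXES = {"com.cn", "net.cn", "com.tw", "net.tw", "com.hk", "net.hk"}


def normalize_host(entry):
    """Extract the lowercase hostname from a URL, a URL with a path, or a bare host."""
    entry = entry.strip()
    if "://" not in entry:       # urlsplit only fills netloc when a scheme is present
        entry = "http://" + entry
    host = urlsplit(entry).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Collapse a host to its carrier-owned domain, honouring the suffix table."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def carrier_domains_by_country(entries=APN_ENTRIES):
    """Deduplicate the raw entries into sorted carrier domains per country group."""
    return {country: sorted({registrable_domain(normalize_host(e)) for e in lst})
            for country, lst in entries.items()}


def classify(observed_apn, entries=APN_ENTRIES):
    """Return the country group whose carrier domain matches the observed APN, else None."""
    domain = registrable_domain(normalize_host(observed_apn))
    for country, domains in carrier_domains_by_country(entries).items():
        if domain in domains:
            return country
    return None


if __name__ == "__main__":
    for country, domains in carrier_domains_by_country().items():
        print(country, domains)
    # Constructed observation: an MMSC host seen in a device's APN settings.
    print(classify("http://mmsc.ktfwing.com/"))
```

The same normalization is what you would apply to the APN and MMSC values read from a handset (or from a carrier's provisioning file) before deciding whether a sample's embedded list targets your subscribers.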


- Try to quit a certain package

This malicious application can kill a certain application with the following code.


However, this API only works on SDK 2.1 or lower.

- Try to reboot under certain conditions

To work completely, this malicious application needs the phone to be rebooted. The "android.permission.REBOOT" permission only works on rooted phones.


3. How to prevent

This malicious application was tested on Android phones in Korea, but it did not perform all of its malicious functions.

Test environment

- GalaxyS (Gingerbread or higher)
- GalaxyS2 (Gingerbread or higher)
- Nexus one (Gingerbread or higher)

To use your smartphone safely against the security threats posed by these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep the engine updated to the latest version, and use the real-time detection function.
2. Always download applications that have been proven by many users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Try not to open MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces like Bluetooth only when they are in use.
8. Do not save important information on your phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malicious files such as the one described above through "nProtect Mobile for Android", and runs a response system against various security threats.
