It seems the Android trojan created some noise last week, so I decided to have a quick look at it. Here is a very preliminary analysis of the sample.
This malware is not backward compatible: it does not install on the Android 2.0 platform. When I tried to install it in an emulator running 2.0, it simply refused to install.
A quick look at the manifest file shows the receivers and the intent filters.
You can see that the sample runs silently in the background.
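The post shows the manifest as a screenshot, so the receivers themselves are not reproduced here. As an added example (not the post's own material, and the manifest below is a constructed one, not the sample's), the following Python script does the same triage on a decoded AndroidManifest.xml: it lists every receiver with the actions its filters accept, the declared services and permissions, and singles out the receivers that fire without the user ever opening the app, which is what lets a sample run silently in the background. A real APK carries the manifest as binary XML, so run apktool or `aapt dump xmltree` on it first and feed this script the text form. The AUTOSTART_ACTIONS set is a deliberately short list of well-known system actions, not an exhaustive one.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# System broadcasts that deliver an Intent with no user interaction.  A
# receiver on any of these is enough to start the app in the background.
# This is a short, well-known subset, not an exhaustive list.
AUTOSTART_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.PHONE_STATE",
    "android.intent.action.USER_PRESENT",
}

# Constructed manifest for this example; it is NOT the manifest of the
# sample analysed in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Wallpaper">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UiReceiver">
      <intent-filter>
        <action android:name="com.example.constructed.REFRESH"/>
      </intent-filter>
    </receiver>
    <service android:name=".UpdateService"/>
  </application>
</manifest>
"""


def _aname(elem):
    """Read the android:name attribute of a manifest element."""
    return elem.get("{%s}name" % ANDROID_NS)


def receivers(manifest_xml):
    """Map each <receiver> name to the actions its intent filters accept."""
    root = ET.fromstring(manifest_xml)
    return {
        _aname(r): [_aname(a) for a in r.iter("action")]
        for r in root.iter("receiver")
    }


def services(manifest_xml):
    """Names of all declared <service> components."""
    root = ET.fromstring(manifest_xml)
    return [_aname(s) for s in root.iter("service")]


def permissions(manifest_xml):
    """All <uses-permission> names, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [_aname(p) for p in root.iter("uses-permission")]


def autostart_receivers(manifest_xml):
    """Receivers that can be triggered without the user opening the app."""
    return {
        name: sorted(a for a in actions if a in AUTOSTART_ACTIONS)
        for name, actions in receivers(manifest_xml).items()
        if any(a in AUTOSTART_ACTIONS for a in actions)
    }


if __name__ == "__main__":
    for name, actions in receivers(SAMPLE_MANIFEST).items():
        print("receiver %-16s %s" % (name, ", ".join(actions)))
    print("services:   ", services(SAMPLE_MANIFEST))
    print("permissions:", permissions(SAMPLE_MANIFEST))
    print("autostart:  ", autostart_receivers(SAMPLE_MANIFEST))
```

Cross-check the autostart receivers against the permission list: a BOOT_COMPLETED receiver without RECEIVE_BOOT_COMPLETED, or an SMS_RECEIVED receiver without RECEIVE_SMS, never gets the broadcast, so a mismatch there is either dead code or a hint that the manifest you decoded is not the one that shipped.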
A quick look at the app-state dump also shows all the receivers in action. Another variant used a custom implementation of Base64 encoding to obfuscate its URLs.
A simple script that reuses the malware's own decoding function recovers the obfuscated URLs:
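Neither the author's script nor the sample's actual translation table appears on the page, so the following is an added example rather than the post's own code. It shows the generic way to handle the "Base64 with a permuted alphabet" trick: map the custom symbols back onto the RFC 4648 table and let the standard library do the 6-bit unpacking, instead of reimplementing the codec. The CUSTOM_ALPHABET used here (the standard table reversed) and the encoded strings are constructed stand-ins, not values from the sample; drop in the 64 characters pulled from the decompiled decoding routine and the rest stays the same. It also restores padding that obfuscators commonly strip and filters decoded output down to things that look like URLs.

```python
import base64
import string

# RFC 4648 table, the reference ordering the custom table is a permutation of.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# ASSUMED table.  The real sample's table is not reproduced in the post, so a
# stand-in (the standard table reversed) is used here; replace it with the 64
# characters recovered from the decompiled decoding routine.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]


def _check_alphabet(alphabet):
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 table needs 64 distinct characters")


def custom_b64decode(text, alphabet=CUSTOM_ALPHABET, pad="="):
    """Decode text written with a permuted Base64 alphabet."""
    _check_alphabet(alphabet)
    # Map the custom symbols onto the standard ones, then reuse the standard
    # library for the 6-bit unpacking instead of rewriting it.
    to_std = str.maketrans(alphabet, STD_ALPHABET)
    body = text.rstrip(pad).translate(to_std)
    # Obfuscators often drop the trailing '='; restore it or b64decode balks.
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body, validate=True)


def custom_b64encode(data, alphabet=CUSTOM_ALPHABET, pad="="):
    """Inverse of custom_b64decode, handy for building test fixtures."""
    _check_alphabet(alphabet)
    to_custom = str.maketrans(STD_ALPHABET, alphabet)
    std = base64.b64encode(data).decode("ascii")
    stripped = std.rstrip("=")
    return stripped.translate(to_custom) + pad * (len(std) - len(stripped))


# Constructed strings encoded with the stand-in table above; they are not
# values lifted from the sample.  The second has its padding stripped and the
# third is not a URL at all, to exercise the filtering in recover_urls().
OBFUSCATED_STRINGS = [
    "l4uLj8XQ0JqHnpKPk5rRnJCS0P==",
    "l4uLj8XQ0JqHnpKPk5rRkZqL0P",
    "l5qTk5D=",
]


def recover_urls(blobs, alphabet=CUSTOM_ALPHABET):
    """Decode every blob and keep the ones that decode to an http(s) URL."""
    urls = []
    for blob in blobs:
        try:
            text = custom_b64decode(blob, alphabet).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # wrong table, or not Base64 at all
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


if __name__ == "__main__":
    for url in recover_urls(OBFUSCATED_STRINGS):
        print(url)
```

If the decoded bytes come out as garbage for every string, the table is wrong or the routine is not a plain permutation (some variants XOR the result or rotate it afterwards); in that case the fallback is exactly what the post describes, namely lifting the decoding method out of the decompiled class and calling it directly.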
It looks like the mobile platform is becoming a hot target for the malware community, and the trend will only go upwards in the coming months.
cheers 🙂
Tags: Android Malware, Android/ADRD, Geinimi
February 21, 2011 at 1:33 pm
Hello,
Is it possible to get access to the malware, or a link to the Chinese forum?
February 21, 2011 at 4:54 pm
Hi Anthony,
I got the link from the mobile.malware Google group.
March 10, 2011 at 8:51 am
Hi,
My name is Chandra, I'm a student from Indonesia.
Now I'm doing research on Android malware.
By the way, I'm very interested in your article. 🙂
I want to ask something about the tools that you use to monitor the Android malware.
I saw a 'Remote Command' window in your article.
What tool is that?
And how do I get it?
Thank you very much.
March 10, 2011 at 11:53 am
Hi,
You can invoke the process list command through the Dalvik Debug Monitor (ddms.bat). It ships with the default Android SDK.
Alternatively, you can use adb to open a shell and execute commands:
adb shell
ps -x