Archive for April, 2011

Android SMS Flooder app analysis

April 21, 2011

I just received a sample from a friend of mine to have a quick look at it. This sample is being detected by few AV vendors.

What does it do?

The sample is a very transparent application. It does not have any hidden agenda.It clearly mentions what it does. It floods a destination with a given message by sending ‘N’ number of message to the same number.

Installed in emulator

Installed in emulator

Invoking the application, provides a friendly interface to flood the messages.

Interface to flood SMS

Interface to flood SMS

As mentioned, it is very transparent and it gives a clear Warning message before startring the SMS flooding.

Warning message

Warning message

Cheers šŸ™‚

Advertisements

Reverse engineering AndroidOS/Walkinwat Trojan

April 5, 2011

Earlier last week, Symantec has discovered a Trojan targetting Android platform that was supposedly designed to tackle pirated app users a hard lesson. The dynamic analysis of this Trojan is not very much interesting as we have seen many Trojans that sends SMS. This article focuses on highlighting code level details of the payload of the Trojan.

A look at the Manifest file:

The manifest file looks very familiar. Two interesting point to lookout is the permission to send SMS and permission to read Contacts at line no: 22 and 23 respectively.

AndroidManifest_permissions

AndroidManifest_permissions

Fig.1: Manifest file highlighting the permission to send SMS and read contacts.

The LicenseCheck activity:

This class is responsible for reading the contacts stored in the device and sending them the SMS without user consent with a defamatory message about the owner of the device. This class is also responsible for doing HTTP Post of the data collected from the device. However the owner of the website has publicly claimed that their website has no intention of collecting these data and this is solely done to create a negative publcity about them.

The Walkinwat Trojan is using multithreading to send the SMS to the contacts.

Fig.2 shows the code snippet of LicenseCheck class. At line no:36, the URI is assigned the value of Contacts.Phones.CONTENT_URI and it is subsequently used by a ContentResolver object to get a cursor of contacts stored in the mobile device.

At line no:54 and 55 a Thread is created in each iteration (every iteration processes a contact number) and the thread object is fed with the current contact number and the thread is started.

The class named ā€œCā€ which is part of the Walkinwat extends the Thread class to provide support for Multithreading.

Code snippet that reads contacts and starts threads

Code snippet that reads contacts and starts threads

Fig.2: code snippet of the activity that is responsible for reading the contacts and starting threads

A closer look at the Thread procedure:

A quick background info, in Java a Thread can be created either by subclassing the java.lang.Thread or by implementing java.lang.Runnable interface. In this case a class named ā€œCā€ is designed as a subclass of Thread. The code that needs to be executed by the thread is defined in the callback method public void run().

Thread definition

Thread definition

Fig.3: code snippet of the callback method run(). The thread procedure

As discussed earlier, in the every iteration of processing the contacts the LicenseCheck class creates a new thread and passes the value of the current contact and starts the thread. Once the thread is started, the run() method gets triggered whenever the thread gets scheduled. In the run method at line no:44, you can see that a Text message is sent to the contact with the text that mocks the user of pirated applications.

Cheers šŸ™‚