Analysis of recent android malware discovered in the app store

February 12, 2013

Earlier last week, a new piece of malware was discovered by Kaspersky Lab researchers in the official Android market. This malware was named “AndroidOS.Ssucl.A”. This new family of mobile malware employs a new attack vector through which it can not only infect smartphones but also spread a malicious backdoor Trojan to any Windows workstation to which the infected smartphone is connected through a USB cable.
In this blog post, I will discuss how this malware accomplishes its tasks.

What does it do?

The malware uses the time-proven strategy of social engineering as the vector to sneak onto the victim's device. It presents itself as a handy utility application that is supposed to improve the performance of Android smartphones by “cleaning up” the device.

If an unsuspecting user chooses to download and install this malware, it prompts the user to authorize a series of permissions during installation. Once the “app” is successfully installed, it registers a background service that is started every time the device boots up.

The malicious service is responsible for opening a backdoor to the Command & Control server. Through this backdoor channel, the attacker can issue any of the 20 commands currently supported by this piece of malware; most of them result in significant harm to the victim. We will discuss the functionality of these commands in the next section.

How does it do it?

The malware app registers a broadcast receiver to get notified every time the device boots up. Fig.1 shows the snippet of the manifest where the receiver is registered.


Fig.1: The BroadcastReceiver

This receiver is responsible for starting the malicious background service every time the device boots up.

Fig.2: Starting the malicious service

The malicious service opens a backdoor by connecting to port 9999 on the Command & Control server and starts a worker thread that waits for attack commands from the attacker. Fig.3 illustrates the infinite loop that determines which command to execute based on the message received from the Command & Control server.

Fig.3: Code snippet interpreting the commands from the attacker

Currently, the malware supports 20 commands, as shown in Fig.4.

Fig.4: List of 20 commands supported by the malware

The definition of what each command is supposed to do is implemented in the “Tools” component. If the attacker sends the message “SMS <destination_number> <message>”, the sample sends an SMS containing <message> to the specified destination_number. Similarly, the GET_PICS command traverses the pictures on the victim's device and uploads them to a remote website.
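As an added example (not code from the original post or from the malware itself), here is a small static-triage script in Python that looks for the behavioural combination described above and in the boot-receiver section: a receiver for BOOT_COMPLETED, a background service, and the permissions the SMS and network behaviour would require. The manifest it parses is constructed for illustration; the real sample's manifest is not reproduced on the page, so the permission list is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions the behaviours described in the post would need (assumption:
# the real sample's manifest is not reproduced on the page).
INTERESTING_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "start on boot",
    "android.permission.INTERNET": "reach the C&C server",
    "android.permission.SEND_SMS": "'SMS' command",
    "android.permission.WRITE_EXTERNAL_STORAGE": "'GET_PICS' / mass-storage tampering",
}


def triage_manifest(xml_text):
    """Collect boot receivers, services and interesting permissions from a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = {"boot_receivers": [], "services": [], "permissions": {}}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in INTERESTING_PERMS:
            findings["permissions"][name] = INTERESTING_PERMS[name]
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            findings["boot_receivers"].append(receiver.get(ANDROID_NS + "name"))
    for service in root.iter("service"):
        findings["services"].append(service.get(ANDROID_NS + "name"))
    # The combination described in the post: boot-started service plus SMS and network access.
    needed = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
    findings["suspicious"] = bool(findings["boot_receivers"]) and bool(findings["services"]) \
        and needed <= set(findings["permissions"])
    return findings


# Constructed sample manifest (not the real sample's), shaped like the pattern above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cleaner">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Cleaner">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".BackdoorService"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded from an APK (for example with apktool) to get the findings dict; the `suspicious` flag is only a triage hint and should be confirmed by looking at the code the service actually runs.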

Fig.5 shows the code snippet of the implementation of the attack commands.

Fig.5: Command implementation

One of those 20 commands, called “USB Autorun_attack”, introduces a new attack vector to mobile malware: the capability to infect a Windows workstation when the phone is connected through a USB cable and used in “mass-storage” mode. Even though the attack vector is old and not very sophisticated, it got the limelight because this is the first Android malware to be equipped with it.

Fig.6 shows the snippet of the command implementation code, i.e. how the “USB Autorun_attack” command is interpreted by the malware.

Fig.6: USB autorun

Common design aspects across the variants:

Among the few variants found in this family, the UI patterns are common across all of them, as are the core functionalities.

It employs “List Menu” as its primary navigation pattern (a variant of the Springboard pattern) across the variants.

Google has consistently controlled malware activity in the official store over time. However, once in a while such incidents happen. The general advice for users is to use only the official market in order to stay safe. In this case, however, users must also be aware of such incidents and should carefully review other aspects of an application, such as the developer profile and review comments. Even though this is a tough ask for a normal user, with the increased monetization associated with online fraud, it is important for users to gain good infosec awareness along with having a solid security suite to protect their device.