Sample credit: Jihong Park
Size: 253578
MD5: 74E09C5F57D5A040C86A86CDAD7F04FA
Download: (Email me if you need the pass scheme for the newer samples)
Virustotal results
https://www.virustotal.com/en/file/0f540a52242e6d97e12ad9d85e8523f9aee788ac8566284055e91155568da714/analysis/1368445857/
Comodo UnclassifiedMalware 20130513
F-Secure Trojan:Android/SmsSpy.O 20130513
TrendMicro-HouseCall TROJ_GEN.F47V0503 20130513
Kaspersky HEUR:Trojan-Spy.AndroidOS.SmForw.i 20130513
Avast Android:SMForw-K [Trj] 20130513
Fortinet Android/SmsSend.AM 20130513
AVG Android/ClickerAgent 20130513
Emsisoft Android.Trojan.SmsSpy.Q (B) 20130513
MicroWorld-eScan Android.Trojan.SmsSpy.Q 20130513
BitDefender Android.Trojan.SmsSpy.Q 20130513
GData Android.Trojan.SmsSpy.Q 20130513
Kingsoft Android.Troj.at_SmForw.e.(kcloud) 20130506
DrWeb Android.SmsForward.2.origin 20130513
CAT-QuickHeal Android.SmForw.B 20130513
Sophos Andr/SmsSend-AM 20130513
ESET-NOD32 a variant of Android/Spy.Nopoc.A 20130513
Risk summary
The studied DEX file makes use of API reflection
Permissions that allow the application to manipulate SMS
Permissions that allow the application to perform payments
Permissions that allow the application to access Internet
Permissions that allow the application to access private information
Other permissions that could be considered as dangerous in certain scenarios
Required permissions
android.permission.SEND_SMS (send SMS messages)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.RECEIVE_SMS (receive SMS)
android.permission.INTERNET (full Internet access)
Permission-related API calls
ACCESS_NETWORK_STATE
READ_PHONE_STATE
VIBRATE
INTERNET
Main Activity
com.Copon.MainActivity
Activities
com.Copon.MainActivity
Services
com.Copon.clService
Receivers
com.Copon.SMS
Activity-related intent filters
com.Copon.MainActivity
actions: android.intent.action.MAIN
categories: android.intent.category.LAUNCHER
Receiver-related intent filters
com.Copon.SMS
actions: android.provider.Telephony.SMS_RECEIVED
Code-related observations
The application does not load any code dynamically
The application contains reflection code
The application does not contain native code
The application does not contain cryptographic code
Application certificate information
Application bundle files
C2:
http:// 125.192.90. 17/tm/login.php