
Android Mobile: Following In the Windows Footsteps

FireEye discovered an ongoing email spam campaign that drops the well-known Android malware Android FakeDefender. Looking through our Dynamic Threat Intelligence (DTI) platform, we believe the campaign started on September 6, 2013.

Vector of Propagation
FireEye Labs has identified emails used in this campaign; two of the emails we saw serving this malware are shown below. When a user on an Android device follows the link in the email, the APK is downloaded.

[Image: ad1, sample spam email]

[Image: androiddefender, sample spam email]

The HTTP request below shows the APK being downloaded.

[Image: fakedefenderdownload, HTTP request downloading the APK]

Looking through urlquery.net we found more URLs with the same pattern: an info.php page on a compromised-looking site, taking a single inv= parameter whose value is a 44-character base64 string (32 bytes once decoded). Below is the list from urlquery. Some of these hosts were still alive and serving the malicious APK, LabelReader.apk, at the time of writing.

hxxp://nevipoteka.ru/info.php?inv=lcoiyEL1bIhu8o1JaMK+WpOY+h4l5Yxtx8XmWQupybo=
hxxp://dollarsinside.com/info.php?inv=XG2Pd9DwOPLOR1o7vu1wtlL/b+ad2zzBTx20QFwRLSM=
hxxp://www.mlduggan.com/info.php?inv=Ow9OFasfwWwMqRFwjvOk3fqCUA5OPtK/zfrPUZWMyCc=
hxxp://ognem.com/info.php?inv=lWQU6LDjSX5eDcAsssVfP+2fXTjPcSfQ9idDy73WFSw=
hxxp://atumedidamexico.com/info.php?inv=ihRkTMeIi1S9jUth00u666DzA4WsKWVQXhQz0HjErkk=
hxxp://rattlerig.com/info.php?inv=dBnwL+hl8Vatj8sgJb/TmBlOGr1jhi42yzfEdfCpdY4=
hxxp://rattlerig.com/info.php?inv=dBnwL+hl8Vatj8sgJb/TmBlOGr1jhi42yzfEdfCpdY4
hxxp://adsgrp.ru/info.php?inv=7YbfjMZHjGRe3O23Tt0fkTSOtLbFe7jitsEK/wM+4w8=
hxxp://savvats.com.ua/info.php?inv=hkzvBdFBVtl3GmXcBtD3/lefT/68GLwxTt9FUdXqDQ8=
hxxp://itslyrical.com/info.php?inv=n4SZ6GlJRMRUezSiPyhIwPrm61Al7MkpH3q
hxxp://extmariateresa.com/info.php?inv=naRguhL6AWDcq8fAIr3Az9J6sc6u6/sTT5CHiPNTr0M=
hxxp://arttarasovka.com/info.php?inv=P+8jfMhCoZSzyHlqDtZcZOE/Tbf8FFgmQfUzRydmuro=
hxxp://medinswiss.com/info.php?inv=7h8ziLVxq6NWN8zyDmLt8/djABTVP5HOXqXyb10qZRQ=
hxxp://kon-tikiresor.se/info.php?inv=Q38dxddbpU38yP6Bx/5Y/FI8UJJXS+UoLN7a/60utY0=
hxxp://mdcmobiledetailing.com/info.php?inv=wj79Lv/a27Q9gjd1+p9lrhEgM2q3ONKTYm/27eTH4uU=
hxxp://scarlet-studio.ru/info.php?inv=kctRLB8CKoCt1VryOnzd7F0Mk5/hd9gWVKIDSImRZ20=
hxxp://expertnaya-ocenka.ru/info.php?inv=cHsQAbgtzB8VftHKb4gzgMMjHwAZyyp57JtRiFwdlSU=

Querying our DTI platform, we also noticed several infections on Windows PCs that matched the same URI format; in some cases even the domain names matched. Below is one such example. The domain in Figure (1) and in the headers below is the same, but the server keys the payload on the User-Agent: with the Windows UA below it serves a malicious zip file called "Wedding_Invitation_Chicago.zip", while in Figure (1) the same info.php serves the malicious APK, LabelReader.apk. The Windows malware that is dropped belongs to the Kuluoz family. A practical consequence is that a crawler or sandbox fetching these URLs with the wrong User-Agent will see a different sample, or none at all, from what the victim received.

GET /info.php?inv=rfsAMxzaZ3e/2dNPAiNqlEwlcnFK6koNSI5sm0xUgw0= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: expertnaya-ocenka.ru
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.0.6
Date: Fri, 06 Sep 2013 13:07:20 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.10
Content-Disposition: attachment; filename=Wedding_Invitation_Chicago.zip
Content-Length: 34014
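
As an added example (not FireEye's code), the following Python script classifies captured request/response pairs against this pattern and reports when one host hands different payloads to different User-Agents. The Windows transaction is the exchange shown above; the Android and benign transactions are constructed for the example, so their User-Agent strings and response headers are assumptions, and the Android inv= token is simply reused from the URL list.

```python
"""Classify captured HTTP transactions against the info.php?inv=<token> download pattern.

Added example, not FireEye's code. WINDOWS_TXN is the exchange from the post;
ANDROID_TXN and BENIGN_TXN are constructed (User-Agents and response headers assumed).
"""
import base64
import re
from urllib.parse import urlsplit

# Every complete token in the URL list is 43 base64 characters plus one '=' pad,
# i.e. exactly 32 bytes once decoded.
INV_TOKEN = re.compile(r"^[A-Za-z0-9+/]{43}=$")

WINDOWS_TXN = """GET /info.php?inv=rfsAMxzaZ3e/2dNPAiNqlEwlcnFK6koNSI5sm0xUgw0= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: expertnaya-ocenka.ru
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.0.6
Date: Fri, 06 Sep 2013 13:07:20 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.10
Content-Disposition: attachment; filename=Wedding_Invitation_Chicago.zip
Content-Length: 34014
"""

# Constructed: same host and a token from the URL list, fetched with a stock Android
# browser User-Agent (assumed) and answered with the APK the post describes.
ANDROID_TXN = """GET /info.php?inv=cHsQAbgtzB8VftHKb4gzgMMjHwAZyyp57JtRiFwdlSU= HTTP/1.1
Host: expertnaya-ocenka.ru
User-Agent: Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept: text/html,application/xhtml+xml,*/*;q=0.8
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.0.6
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=LabelReader.apk
"""

# Constructed: an ordinary page fetch that must not match.
BENIGN_TXN = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0

HTTP/1.1 200 OK
Content-Type: text/html
"""


def _headers(lines):
    """Header lines -> {lowercase-name: value}; the first colon separates name and value."""
    hdrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def parse_transaction(raw):
    """Split 'request<blank line>response' text into request line, status and headers."""
    req_raw, _, resp_raw = raw.replace("\r\n", "\n").strip().partition("\n\n")
    req_lines, resp_lines = req_raw.splitlines(), resp_raw.splitlines()
    method, target = req_lines[0].split(" ")[:2]
    status = int(resp_lines[0].split(" ")[1]) if resp_lines else None
    return method, target, _headers(req_lines[1:]), status, _headers(resp_lines[1:])


def platform_from_ua(user_agent):
    ua = user_agent.lower()
    return "android" if "android" in ua else "windows" if "windows" in ua else "other"


def classify(raw):
    """Describe one transaction and decide whether it fits the campaign pattern."""
    method, target, req, status, resp = parse_transaction(raw)
    parts = urlsplit(target)
    # Read the raw query so '+' and '/' in the token stay literal (parse_qs would
    # turn '+' into a space and break the base64 check).
    m = re.search(r"(?:^|&)inv=([^&]*)", parts.query)
    inv = m.group(1) if m else None
    token_ok = bool(inv and INV_TOKEN.match(inv) and len(base64.b64decode(inv)) == 32)
    disposition = resp.get("content-disposition", "")
    fm = re.search(r'filename="?([^";]+)"?', disposition)
    return {
        "host": req.get("host"),
        "platform": platform_from_ua(req.get("user-agent", "")),
        "path": parts.path,
        "inv_token_ok": token_ok,
        "filename": fm.group(1).strip() if fm else None,
        "matches_campaign": (method == "GET" and parts.path.endswith("/info.php")
                             and token_ok and status == 200
                             and "attachment" in disposition.lower()),
    }


def cloaking_report(raw_transactions):
    """host -> {platform: filename} for hosts that hand different files to different UAs."""
    by_host = {}
    for raw in raw_transactions:
        r = classify(raw)
        if r["matches_campaign"]:
            by_host.setdefault(r["host"], {})[r["platform"]] = r["filename"]
    return {host: served for host, served in by_host.items() if len(set(served.values())) > 1}
```

The inv= check is deliberately strict (43 base64 characters plus one pad, decoding to 32 bytes); loosen it if the campaign changes token length. Before declaring one of these URLs dead, fetch it with both a desktop and an Android User-Agent and run both captures through the classifier.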

Malware Analysis
This is not new malware, and Sophos has a good write-up of this APK (http://nakedsecurity.sophos.com/2013/05/31/android-malware-in-pictures-a-blow-by-blow-account-of-mobile-scareware/). The malware deceives users into paying to clean up non-existent infections on their device. In addition to displaying fake infection warnings, the APK can intercept incoming and outgoing phone calls as well as incoming SMS messages. The MD5 hashes of the two samples we analyzed were:

c4fa8763150cb35d7ee0bfe4bcb3f69b
7e274cac063fe2bc7c52c0a7ee00a02a

The malicious Android APK registers two broadcast receivers:

a) com.worker.androiddefender2.CallReceiver
b) com.worker.androiddefender2.MessageReceiver

As the names suggest, CallReceiver is responsible for intercepting incoming and outgoing calls, while MessageReceiver intercepts incoming SMS only.

The CallReceiver listens for the android.intent.action.NEW_OUTGOING_CALL intent. On receiving it, it reads the dialled number from the intent extras and looks it up in a local SQLite database called AndroidDefenderLite.db to check whether the outgoing number is present (the APK also ships a database as assets/AndroidDefender.sqlite; its schema is shown further down). The phone number is sanitized before it is used in the query.

It also handles incoming calls by listening for android.intent.action.PHONE_STATE and checking for EXTRA_STATE_RINGING, which signals an incoming call. It then performs the same database lookup. In addition, it can end incoming calls. It does this with the code below: reflection is used to reach TelephonyManager's hidden getITelephony() method, which is not part of the public SDK, obtain the internal com.android.internal.telephony.ITelephony interface, and call endCall() on it.

const-string  v13,"getITelephony"
const/4 v14,0
new-array v14,v14,[Ljava/lang/Class;
invoke-virtual  {v1,v13,v14},java/lang/Class/getDeclaredMethod  ; getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
move-result-object  v5
l60f40:
.line 88
const/4 v13,1
invoke-virtual  {v5,v13},java/lang/reflect/Method/setAccessible ; setAccessible(Z)V
.line 89
const/4 v13,0
new-array v13,v13,[Ljava/lang/Object;
invoke-virtual  {v5,v12,v13},java/lang/reflect/Method/invoke  ; invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object  v13
check-cast  v13,com/android/internal/telephony/ITelephony
move-object/from16  v0,v18
iput-object v13,v0,com/worker/androiddefender2/CallReceiver.telephonyService Lcom/android/internal/telephony/ITelephony;
.line 91
move-object/from16  v0,v18
iget-object v13,v0,com/worker/androiddefender2/CallReceiver.telephonyService Lcom/android/internal/telephony/ITelephony;
invoke-interface  {v13},com/android/internal/telephony/ITelephony/endCall ; endCall()

The MessageReceiver works the same way, except that it listens for the android.provider.Telephony.SMS_RECEIVED intent. It registers with a priority of 999, which places it ahead of receivers registered at the default priority in the ordered SMS_RECEIVED broadcast, so it sees incoming SMS messages before the messaging app does.
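
An added triage example (not FireEye's code and not the malware's): given the decoded AndroidManifest.xml and the disassembly of an APK, it flags the indicators described above, namely a high-priority SMS_RECEIVED receiver, receivers hooked on NEW_OUTGOING_CALL and PHONE_STATE, and the reflective getITelephony()/endCall() sequence. The manifest is constructed from the receiver names and intents in this post, so its package name and permissions are assumptions; the disassembly excerpt is taken from the CallReceiver listing above, and the patterns also accept baksmali's Lpkg/Cls;->method() syntax.

```python
"""Static triage of a decoded APK for FakeDefender's call/SMS interception indicators.

Added example, not FireEye's or the malware's code. MANIFEST is constructed from the
receiver names and intents in the post (package name and permissions are assumed);
SMALI is the CallReceiver excerpt shown above.
"""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
CALL_ACTIONS = {"android.intent.action.NEW_OUTGOING_CALL",
                "android.intent.action.PHONE_STATE"}
# An explicit priority puts a receiver ahead of default-priority (0) receivers in the
# ordered SMS_RECEIVED broadcast; FakeDefender uses 999. Flag anything at or above this.
SMS_PRIORITY_THRESHOLD = 100

# The reflection sequence from the listing: look up the hidden getITelephony(), make it
# callable, then invoke endCall() on the internal ITelephony interface. Each pattern
# accepts both the dedexer-style output above and baksmali's Lpkg/Cls;->method() form.
CODE_INDICATORS = {
    "reflective_getITelephony": re.compile(r'const-string\s+\S+?\s*,\s*"getITelephony"'),
    "setAccessible": re.compile(r"java/lang/reflect/Method[;/](?:->)?setAccessible"),
    "ITelephony_endCall": re.compile(r"ITelephony[;/](?:->)?endCall"),
}

# Constructed manifest (as apktool would decode it); receiver names and actions are
# from the post, the package name and permissions are assumptions.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.worker.androiddefender2">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application android:label="Android Defender">
    <receiver android:name="com.worker.androiddefender2.CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.worker.androiddefender2.MessageReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Excerpt of the CallReceiver disassembly shown in the post.
SMALI = '''const-string  v13,"getITelephony"
const/4 v14,0
new-array v14,v14,[Ljava/lang/Class;
invoke-virtual  {v1,v13,v14},java/lang/Class/getDeclaredMethod  ; getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
move-result-object  v5
const/4 v13,1
invoke-virtual  {v5,v13},java/lang/reflect/Method/setAccessible ; setAccessible(Z)V
const/4 v13,0
new-array v13,v13,[Ljava/lang/Object;
invoke-virtual  {v5,v12,v13},java/lang/reflect/Method/invoke  ; invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object  v13
check-cast  v13,com/android/internal/telephony/ITelephony
invoke-interface  {v13},com/android/internal/telephony/ITelephony/endCall ; endCall()
'''


def analyze_manifest(xml_text):
    """Return (permissions, findings); a finding is (category, receiver, detail)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = []
    for rcv in root.iter("receiver"):
        name = rcv.get(ANDROID + "name")
        for filt in rcv.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in filt.findall("action")}
            priority = int(filt.get(ANDROID + "priority", "0"))
            if SMS_RECEIVED in actions and priority >= SMS_PRIORITY_THRESHOLD:
                findings.append(("sms_intercept", name, priority))
            hooked = tuple(sorted(actions & CALL_ACTIONS))
            if hooked:
                findings.append(("call_monitor", name, hooked))
    return perms, findings


def scan_code(disassembly):
    """Names of the code indicators present in the disassembly, sorted."""
    return sorted(k for k, rx in CODE_INDICATORS.items() if rx.search(disassembly))


def triage(xml_text, disassembly):
    perms, findings = analyze_manifest(xml_text)
    code = scan_code(disassembly)
    suspicious = any(f[0] == "sms_intercept" for f in findings) or "ITelephony_endCall" in code
    return {"permissions": sorted(perms), "receivers": findings, "code": code,
            "verdict": "suspicious" if suspicious else "clean"}
```

Call monitoring on its own is not treated as malicious, since dialer and call-blocking apps legitimately hook the same intents; the verdict turns on the high-priority SMS receiver or the internal endCall() path, which no app built against the public SDK needs.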

The schema of the SQLite database shipped inside the APK (assets/AndroidDefender.sqlite) is below.

$ sqlite3 assets/AndroidDefender.sqlite
SQLite version 3.6.22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
android_metadata  black_list        scan_settings     viruses_index
sqlite> .schema
CREATE TABLE "android_metadata" ("locale" TEXT DEFAULT 'en_US');
CREATE TABLE black_list (id INTEGER PRIMARY KEY, number varchar(255), call BOOL, sms BOOL);
CREATE TABLE "scan_settings" ("id" INTEGER PRIMARY KEY  AUTOINCREMENT  NOT NULL , "scan_app" BOOL, "scan_sd" BOOL, "auto_scan" BOOL, "scan_mond" BOOL, "scan_tues" BOOL, "scan_wedn" BOOL, "scan_thurs" BOOL, "scan_fridei" BOOL, "scan_satur" BOOL, "scan_sand" BOOL);
CREATE TABLE "viruses_index" ("id" INTEGER PRIMARY KEY  AUTOINCREMENT  NOT NULL , "virus_id" INTEGER, "cured" BOOL);

Conclusion
Before the advent of advanced malware, we saw a lot of fake AV on the Windows platform. I speculate that Android will follow the same path: today's scareware will eventually be joined by more serious and advanced techniques on mobile.

To protect yourself from malicious Android applications, follow these simple steps:

  1. Disable the "Allow installation of apps from Unknown Sources" setting. The APK in this campaign arrives from a web link, not an app market, so this setting blocks it.
  2. Always install apps from trusted app markets.
  3. Do not follow links in unsolicited email that download an .apk file; that is exactly how this campaign delivers its payload.

Special thanks to FireEye researchers Alex Lanstein and Josh Gomez for helping out on this blog.