The situation surrounding attempted mobile malware infections is constantly changing, and I’d like to write about one recent trend. Over the last year, Trojan-SMS.AndroidOS.Stealer.a, a mobile Trojan, has become a leader in terms of the number of attempted infections on KL user devices, and now continually occupies the leading positions among active threats. For example, in Q1 2014 it accounted for almost a quarter of all detected attacks.
This SMS Trojan has actively been pushed by cybercriminals in Russia, and there have also been continual attempts to attack users in Europe and Asia. Infections with this Trojan have occurred virtually everywhere across the globe:
There is yet another factor – the configuration file – that suggests this Trojan targets users in various countries of the world. The Trojan determines which region it has been launched in, and modifies the content of the short text message and the recipient number accordingly. At the time of writing, Trojan-SMS.AndroidOS.Stealer.a was active in the following countries:
Trojan-SMS.AndroidOS.Stealer.a is nothing out of the ordinary. It spreads in the guise of a legitimate application and uses a set of functions which is standard for SMS Trojans.
- Stealer can receive and process the following commands from the C&C server:
- server – change C&C
- sms – send an SMS with data specified in the configuration file
- delete – delete incoming messages satisfying a mask, with a specified interval
- update – update the Trojan
- removeAllSmsFilters – delete SMS filters
- sendInfo – send information about the phone
- sendPackagesList – send a list of applications
- sendConfig – send the current configuration
- uninstall – uninstall a specified application
- notification – display a message in the notifications area
- inbox_sms_remote_log – enable message interception
- The Trojan is managed via HTTP. Two distinct C&C centers are used: one assigns tasks and the other receives results.
- Stealer uses modified BASE64 and GZip to encrypt data.
The Trojan includes an encrypted configuration file which is a JS script. Depending on what is in that file, the Trojan may perform the following actions immediately after it is loaded and launches:
- openUrl – open a web page (URL)
- getLat, getLng – get the device’s geographic coordinates
- setInboxSmsFilter – set SMS block mask
- disableInboxSmsFilter – disable SMS block mask
- doPayment – send SMS with a message and number specified in the configuration file
- installApp – install an application
- enableDebug – enable debugging
- disableDebug – disable debugging
- log – enable logging in logcat
- minimize – minimize the Trojan in the guise of the app it uses to spread (in background mode)
- exit – exit the application
- startHider – hide the application
- stopHider – restore the application
- enableAOS – enable hiding mode for confirmation messages
- addShortcut – add a shortcut to the Trojan to an OS desktop
- isAirplaneModeOn – check if Airplane mode is on
- isPackageExists – check if the mask application exists in the system
- sS – send an SMS to the specified prefix and number
- sDS – send an SMS after a delay
The attackers can therefore control the Trojan’s behavior by modifying its configuration file.
Surprisingly, the creators of the Trojan still use this setup whereby the configuration of Trojan-SMS.AndroidOS.Stealer.a is distributed along with the Trojan. Most Trojans like this are exclusively managed online. On the other hand, this approach helps keep Stealer operational when no Internet access is available.
We anticipate a further growth in the numbers of attempted infections involving Trojan-SMS.AndroidOS.Stealer.a . It’s quite likely that the attackers will reduce the configuration file to a bare minimum and will manage the Trojan online, at the same time maintaining its functionality.