Are You Ready For Some Football?

Contributor: Masaki Suenaga

We certainly are! It is American football season and the Super Bowl is right around the corner. Apparently, so are the malware authors. It would not be the first time they took advantage of this sporting event. Back in 2007, the Dolphins (hosts for Super Bowl XLI) had their website compromised by links to malicious JavaScript. Several visitors looking up Super Bowl information on this site were hit with an exploit pack designed to attack their Web browsers and install hidden malware. Taking a page out of their playbook, Android malware authors this season bring us a fake version of the popular gaming franchise, Madden NFL 12. Being over 5 MB in size, it certainly looks like a game worth trying! Once installed, it will even display the following icon:

After the user launches the app, there is, unfortunately, no actual football or gameplay. However, this Trojan will contact premium rate numbers and even attempt to connect to an IRC server. After decompiling the APK, the following startup code can be found:

As can be seen from the code listing above, after extraction the malware will actually change the permissions of the picture file 'header01.png' to read, write, and executable. Upon closer inspection, this picture file is, in reality, an ELF binary which can be run on an Android device. This binary, once disassembled, reveals a functionality able to root the phone. Incidentally, this exploit works on an older version of Android: Android 2.3 (Gingerbread).

Once the user runs the app, it has full control of the device and will proceed to run 'footer01.png'. As before, looks can be deceiving: this image file is not an image file, but another ELF binary. This binary, however, does not attempt to root the phone. It instead acts as an IRC Bot. It will attempt to join the #andros channel to report back to its master(s). The following screenshot shows some of the strings embedded inside the PNG/ELF file:

As can be seen from the screenshot, the 'footer01.png' file will attempt to install another file called 'border01.png'. Unlike the other two previous files, this PNG file is actually another APK file and can be executed with the command shown above (second-last line above which contains "AndroidMeActivity").

The 'com.android.me' package contains two distinct actions: one to send text, and one to receive text. The 'AndroidMeActivity' class is used to send text to premium rate numbers. It does this by using the 'getSimCountryIso()' method to find the country the device is located in. Depending on what it finds, it will set the following information:

COUNTRY [NUMBER, MESSAGE]
Belgium ["3075", "CODE"]
Switzerland ["543", "GEHEN SP 300"]
Luxemburg ["64747", "ACCESS SP"]
Canada ["60999", "SP"]
Germany ["63000", "SP 462"]
Spain ["35024", "GOLD"]
Great Britain ["60999", "SP2"]
Morocco ["2052", "CODE"]
Sierra Leone ["7604", "PASS"]
Romania ["1339", "PASS"]
Norway ["2227", "PASS"]
Sweden ["72225", "PASS"]
United States ["23333", "PASS"]

It will then send a text to the premium rate number shown above corresponding to the country where the device is located. The 'SMSReceiver' class is then used to handle incoming text messages:

It will check incoming text messages to see if it came from one of the premium rate numbers previously set in 'AndroidMeActivity'. If so, it will then use the 'abortBroadcast()' method to block the incoming text message so it is not seen by the user. Instead, the Trojan will forward the message to hxxp://46.*.*.*/?=[PREMIUM RATE NUMBER]///[PREMIUM RATE NUMBER MESSAGE BODY] through a GET request.

The malicious code certainly did not take up over 5 MB of space. So where did the rest go? Checking the other assets in the original APK file, it turns out that there are 5 copies of the same following picture file with different names slightly above 1 MB each:

This Trojan is not the app you want to play Madden NFL 12 before the Super Bowl. To avoid becoming a victim of such malicious Android applications, you should only download and install from regulated Android marketplaces. By default, Android devices do not allow installation of applications from unknown sources (e.g. non-Market) and Symantec protects you by detecting this Trojan as Android.FoncySMS.

Android.Geinimi Branching Out to Japanese Applications

In some recent blog postings by Irfan Asrar, we discussed how a number of legitimate Android applications have been “Trojanized” in order to include “backdoor” functionality and are then published on unregulated Android marketplaces. In the past, we have seen a number of English and Chinese language Android applications being Trojanized and placed on unregulated Android marketplaces. Up until now, however, we have not seen any Japanese language Android applications being manipulated in this manner. This is no longer the case, since we have found a Trojanized Japanese language Android application on an unregulated Android marketplace. Symantec detects this malicious Android application as Android.Geinimi. The following image is the start picture of the application:
 

The legitimate version of the application is sold at 525 yen (approx. $6 US) on the proper regulated Android marketplace. It allows you to do "push-up", "sit-up", and "squat" exercises with an anime character. The legitimate and Trojanized versions of the Android application may appear identical, but the “Trojanized” version has Android.Geinimi running in the background and is transmitting information from the device to a remote location. The access permissions required during installation also differ. The following images show the access permissions required by the Trojanized version of the application during installation:
 

Whereas the proper access permissions required by the legitimate Android application (according to the regulated Android marketplace) are shown in the following image:
 

The presence of Trojanized versions of legitimate Android applications on unregulated Android marketplaces is a growing problem. Increasing demand for content, along with the absence of official marketplace outlets in certain regions, is fueling the growth of unregulated marketplaces. In turn, these marketplaces are becoming the perfect incubator and propagation engine for threats such as Android.Geinimi. To avoid becoming a victim of such Trojanized Android applications, Symantec recommends that you only use regulated Android marketplaces for downloading and installing Android applications. Also, in the Android OS application settings there is an option to stop the installation of non-market applications, which can help to prevent against this type of attack. Checking user comments on the marketplace can also assist in determining if the application is safe. Lastly, during the installation of any Android applications, always check the access permissions being requested for installation. If they seem excessive for what the application is designed to do, it would be wise to stop installing the application.