Thursday, 28 March 2013

SMS Trojans: all around the world

How SMS Trojans work and how they affect our smartphones. Let's take a look.

I like researching and gaining knowledge about technology, both the good and the bad parts of it, and I found a strange thing about malware on Android devices.

I found a good article about an SMS Trojan at SecureList.com.

There is an application named "SuiConFo". It is actually a good application that is popular in the market, but someone has created a bogus app with the same name. It looks like this after installing.



There are 2 main malicious classes of this Trojan: 'MagicSMSActivity.class' and 'SMSReceiver.class'. The first is mainly responsible for sending SMS messages, while the second is used to hide incoming messages from specific numbers. As mentioned above, after launching, this app shows an 'Android version is not compatible' error message:



Right after displaying this message the Trojan will call the public method getSimCountryIso in the TelephonyManager class in order to retrieve the ISO country code of the SIM card:



After that, the malware defines the variables 's1' (SMS number) and 's2' (SMS text):



The list of countries consists of 8 options: France (81001 SMS number), Belgium (9903 SMS number), Switzerland (543 SMS number), Luxembourg (64747 SMS number), Canada (60999 SMS number), Germany (63000 SMS number), Spain (35064 SMS number), and the UK (60999 SMS number).

It looks like the virus writers made a mistake in the code. The Trojan will send an SMS message using the SmsManager class with the sendTextMessage method:

    smsmanager.sendTextMessage(s1, null, s2, pendingintent, pendingintent1);

where 's1' is a number and 's2' is a text. These variables are defined correctly for all countries except Canada:

    if(s.equals("ca"))
    {
        s1 = "SP";      // number and text are swapped here
        s2 = "60999";
    }

After defining the country and, therefore, the number and message text, the Trojan will send 4 SMS messages with the help of the sendTextMessage method as mentioned above.

SMSReceiver.class is responsible for hiding incoming SMS messages from particular numbers. If there is an incoming SMS message from one of the following numbers: 81001, 35064, 63000, 9903, 60999, 543, 64747, then the Trojan will try to hide it using the abortBroadcast method. The number itself is retrieved from the SMS message with the help of getDisplayOriginatingAddress.

There is another interesting thing lurking inside this malware. If you look at this part of the code:


you may notice that after hiding the incoming message (abortBroadcast) this Trojan will send one more SMS to a French cell phone number with the text stored in the 's' variable. And that 's' variable is defined with the help of the getMessageBody method when an incoming SMS message arrives.

In other words, the Trojan will send an SMS message to a French cell phone number with the text taken from a reply from a premium rate number. This may help the cybercriminals find out how many premium SMS messages have been sent.
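The two behaviours described above can be turned into a simple triage check over decompiled sources. The following is an added example, not code from the SecureList article or from the Trojan: the rule names, the REPORT_NUMBER placeholder and the sample fragments are constructed for illustration, and text matching on call names is a heuristic assumption rather than a full static analysis.

```python
import re

# API calls the article attributes to each behaviour (rule names are hypothetical).
RULES = {
    "premium-sms-sender": {"getSimCountryIso", "sendTextMessage"},
    "sms-hider": {"abortBroadcast", "getDisplayOriginatingAddress"},
    "reply-forwarder": {"abortBroadcast", "getMessageBody", "sendTextMessage"},
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# Quoted all-digit literals of 3-5 digits: the length of the short codes listed above.
SHORT_CODE_RE = re.compile(r'"(\d{3,5})"')

def triage(source: str) -> dict:
    """Return matched rule names and hardcoded short codes for one decompiled class."""
    calls = set(CALL_RE.findall(source))
    hits = sorted(name for name, needed in RULES.items() if needed <= calls)
    # Short codes are only reported when a behaviour rule matched.
    codes = sorted(set(SHORT_CODE_RE.findall(source))) if hits else []
    return {"rules": hits, "short_codes": codes}

# Constructed fragments (not the real decompiled sample), using only calls named above.
SAMPLES = {
    "MagicSMSActivity.java": '''
        String s = telephonymanager.getSimCountryIso();
        if (s.equals("ca")) { s1 = "SP"; s2 = "60999"; }
        smsmanager.sendTextMessage(s1, null, s2, pendingintent, pendingintent1);
    ''',
    "SMSReceiver.java": '''
        String from = smsmessage.getDisplayOriginatingAddress();
        String s = smsmessage.getMessageBody();
        if (from.equals("81001") || from.equals("543")) {
            abortBroadcast();
            smsmanager.sendTextMessage(REPORT_NUMBER, null, s, null, null);
        }
    ''',
    "BenignShare.java": '''
        smsmanager.sendTextMessage(userChosenNumber, null, text, null, null);
    ''',
}

def scan(samples: dict) -> dict:
    """Triage every class in a {filename: source} mapping."""
    return {name: triage(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(name, result)
```

A class that only calls sendTextMessage, like the benign fragment, matches no rule; it is the combination of calls that is flagged.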

Unfortunately, today SMS Trojans are one of the easiest ways for cybercriminals to make easy money fast.

My only advice is not to install any application just to try it. Install only popular applications, and only from the "Google Play Market". Do not install applications directly, i.e. from "APK" files.