Nytro

Dissection of Android malware MouaBad.P

In Zscaler's daily scanning for mobile malware, we came across a sample of Android Mouabad.p. Let's see what is inside.

Application static info:

Package name = com.android.service

Version name = 1.00.11

SDK version: 7

Size: 40 kb

Permissions:

  • android.permission.INTERNET
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.READ_PHONE_STATE
  • android.permission.SET_WALLPAPER
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.MOUNT_UNMOUNT_FILESYSTEMS
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_WAP_PUSH
  • android.permission.READ_PHONE_STATE
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.WAKE_LOCK
  • android.permission.DEVICE_POWER
  • android.permission.SEND_SMS
  • android.permission.WRITE_APN_SETTINGS
  • android.permission.CHANGE_NETWORK_STATE
  • android.permission.READ_SMS
  • android.permission.READ_CONTACTS
  • android.permission.WRITE_CONTACTS
  • android.permission.CALL_PHONE
  • android.permission.INTERNE
  • android.permission.MODIFY_PHONE_STATE

Used features:

  • android.hardware.telephony
  • android.hardware.touchscreen

Services:

  • com.android.service.MessagingService
  • com.android.service.ListenService

Receivers:

  • com.android.receiver.PlugScreenRecevier
  • com.android.receiver.PlugLockRecevier
  • com.android.receiver.BootReceiver
  • com.android.receiver.ScreenReceiver

Virustotal scan:

https://www.virustotal.com/en/file/1b47265eab3752a7d64a64f570e166a2114e41f559fa468547e6fa917cf64256/analysis/

Now let's dissect the code.

[Screenshot: Mouabad1.png]

This application is using telephony services as shown in the code as well as in static analysis. You can see the use of premium telephone numbers.

[Screenshot: Moubad2.png]

In this particular screenshot, you can see functions that use phone services to place calls to the premium numbers. The numbers are controlled by the attackers, who earn a small payment for each call made, so this is how the malware generates revenue.

[Screenshot: Moubad4.png]

Here you can see that the application is harvesting SIM card information.

[Screenshot: Moubad5.png]

[Screenshot: Moubad6.png]

This application also checks the mobile data and Wi-Fi network status to determine whether Internet connectivity is available.

[Screenshot: Moubad7.png]

The code includes a hardcoded list of premium telephone numbers, which are all located in China.

[Screenshot: Moubad8.png]

In this screenshot you can clearly see that the application also keeps watch on the screen and keyguard status (on/off).

This screenshot clearly shows that the application tries to send SMS to the premium rate numbers previously seen in the code. Forcing Android applications to initiate calls to premium phone numbers controlled by the attackers is a common revenue generation scheme that we see, particularly in Android applications distributed through third party Android app stores.

[Screenshot: Moubad10.png]

Here you can see various suspicious function names such as call, dial, disableDataConnectivity, get call location, etc. These functions suggest that the application is also trying to keep watch on other phone calls. The functions getCallstate, endCall, Call and CancleMissedCallNotification illustrate that the application tries to control phone call services.

The application installs itself silently. Once installed, no icon is shown for this app. As also shown in the previous screenshot, the application waits for the screen and keyguard events before triggering its malicious activity, and it does all of this without user intervention. This allows the malware to function without a suspicious icon on the home screen, just one of the techniques malware authors use to hide its presence from the device owner.
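The static information above (permissions, boot receiver, screen receiver, no launcher icon) is the kind of combination a triage script can flag before any dynamic analysis. The following is an added example, not code from the Zscaler post; the manifest fragment is constructed to mirror the listed package and is not the real sample's file.

```python
# Added example: static triage of an Android manifest for the MouaBad-style
# capability combination described in the write-up. The XML is constructed
# (same package name, permissions and receivers as listed; no MAIN/LAUNCHER
# activity, which is why no icon appears on the home screen).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.service">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name="com.android.service.MessagingService"/>
    <receiver android:name="com.android.receiver.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name="com.android.receiver.ScreenReceiver"/>
  </application>
</manifest>"""

def parse_manifest(xml_text):
    """Extract permissions, intent actions and whether a launcher activity exists."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    actions = {e.get(NAME) for e in root.iter("action")}
    cats = {e.get(NAME) for e in root.iter("category")}
    has_launcher = ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats)
    return perms, actions, has_launcher

def triage(xml_text):
    """Return the list of indicators present, matching the behaviours described above."""
    perms, actions, has_launcher = parse_manifest(xml_text)
    findings = []
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        findings.append("premium-sms: can send SMS and read the replies")
    if "android.permission.CALL_PHONE" in perms:
        findings.append("premium-call: can place calls without the dialer UI")
    if {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"} <= perms:
        findings.append("exfil: device identifiers (IMEI) plus network access")
    if "android.intent.action.BOOT_COMPLETED" in actions:
        findings.append("persistence: receiver runs at boot")
    if not has_launcher:
        findings.append("stealth: no MAIN/LAUNCHER activity, so no home-screen icon")
    return findings
```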

[Screenshot: Moubad12.png]

[Screenshot: Moubad13.png]

From the above screenshots, you can see that the application is using the XML listener service. Also, in the second screenshot, you can see that the application is trying to create a URL by assembling various strings. This is likely command and control (C&C) communication sent to a master server. The parameter &imei denotes the harvesting of the phone's IMEI number for tracking the device.
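A check-in URL that carries the device IMEI as a query parameter, as described above, is something a defender can look for in egress proxy logs. This is an added example, not code from the post; the log lines and hostnames are constructed (the real C&C host is not given in the write-up), and the IMEI values are syntactically valid test numbers.

```python
# Added example: flag egress requests whose query string carries an IMEI,
# the kind of C&C check-in described above. Log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qsl

LOG_LINES = """\
2013-12-10T08:11:02Z 10.0.0.15 GET http://update-cdn.invalid/img/logo.png
2013-12-10T08:11:09Z 10.0.0.15 GET http://svc-reg.invalid/reg.php?ver=1.00.11&imei=490154203237518&sim=1
2013-12-10T08:12:30Z 10.0.0.22 GET http://shop.invalid/item?imei=123456789012345
2013-12-10T08:13:01Z 10.0.0.15 POST http://svc-reg.invalid/cmd?IMEI=352099001761481&op=sms
"""

def luhn_ok(digits):
    """An IMEI's 15th digit is a Luhn check digit: the Luhn sum over all
    15 digits must be 0 mod 10. Filters out random 15-digit values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def imei_in_query(url):
    """Return the IMEI if a parameter whose name contains 'imei' (any case)
    holds a 15-digit Luhn-valid value; otherwise None."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if "imei" in key.lower() and re.fullmatch(r"\d{15}", value) and luhn_ok(value):
            return value
    return None

def find_imei_beacons(log_text):
    """Return (client_ip, host, imei) for each request leaking a valid IMEI.
    Expected log format (constructed): '<timestamp> <client> <method> <url>'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _method, url = parts
        imei = imei_in_query(url)
        if imei:
            hits.append((client, urlsplit(url).hostname, imei))
    return hits
```

Two of the four constructed lines are flagged; the shop.invalid request is ignored because its value fails the Luhn check even though the parameter is named imei.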

In conclusion, this malware will defraud the victim by silently forcing the phone to initiate premium rate SMS billing to generate revenue. The application may give control to the author for monitoring or controlling phone calls.

Reference:

https://blog.lookout.com/blog/2013/12/09/mouabad-p-pocket-dialing-for-profit/

Posted by viral

Source: Zscaler Research: Dissection of Android malware MouaBad.P
