Android/Foncy emanating and propagating in France

by Axelle Apvrille
December 15, 2011 at 8:02 am

It is not that often that mobile malware originates in France and propagates in France. It does, however, seem to be the case this time for an Android malware named Foncy – not that there should be any national pride in creating malware.

Foncy was first spotted by Denis Maslennikov. It is a dialer, i.e. it sends SMS messages to premium numbers without the user’s consent. It does not spread by itself: victims are infected when they download and install the malware, likely from an alternative marketplace. They probably just wanted to try out an application, which happened to be the malware.

The application’s name (SuiConFo) – a French abbreviation for tracking mobile plans – immediately rang a bell in our French anti-virus labs. Since then, Karine de Ponteves and I have been able to track information on this malware.

The malware looks like former versions of a legitimate application named Track Your Plan. The code and signing certificate, however, bear absolutely no similarity.

Contents of the legitimate plan tracking application

Contents of the malicious plan tracking application

In France, the malware sends 4 SMS to the short number 81001, with body “STAR”. Each SMS costs 4.50 euros. The short number is an SMS+ number, rented to a French company, which in turn rents it to its customers and other intermediaries. Searching the web, we found several French users complaining about their bill and obviously infected by the malware.

Actually, the French short number 81001 seems to be involved in several scams. For example, an end-user below reports that he received an e-mail telling him he had won an iPhone 4 and asking him to send an SMS to 81001 with body “STAR”. The e-mail looks like it comes from a Fabrice Andre at Orange. A Fabrice Andre of Orange does exist, but he certainly did not send this e-mail. The operator Orange is aware of this scam.

We also noticed a discussion on a French forum where a member was boasting about a new method to make easy money using 81001. He explained that he had opened a StarPass account (StarPass is a micro-payment system via SMS), and would then ask his Facebook contacts to send an SMS to 81001.

WeeyWayne explains how he makes money out of 81001

For each 4.50 euro SMS received, StarPass pays the author back 2 euros.

For each SMS "A" (client cost 4.5 euros), you receive 2.00 euros (in French)

Additionally, Android/Foncy listens for incoming responses from 81001 and forwards them by SMS to a French mobile number, 06xxxxxxxx. This mobile number belongs to SFR, which has been notified.

French mobile phone subscribers should be particularly wary of abnormal SMS bills, as the short number 81001 and the mobile line 06xxxxxxxx are still active at the time of writing this post, and Android/Foncy is still in the wild. End-users should complain to their operator and/or report any unsolicited spam to the French service 33700.

To date, we do not know the number of French victims, and will keep you informed.

– the Crypto Girl

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

Levitator: Root on your Android phone

by Axelle Apvrille
November 25, 2011 at 8:11 am

A few days ago, Jon Larimer and Jon Oberheide published a vulnerability for Android platforms < 2.3.6. David Maciejak and I were curious to run it on an Android phone.

Result: it runs perfectly :(

So, what does this mean to us?

Well, it’s a new way to root Android phones running 2.3.4. We already had exploits for that on versions prior to 2.1 or 2.2 (uDev and rageinthecage exploits), or prior to 2.3.4 or 3.0 (gingerbreak/honeybomb), but nothing in between for 2.3.4/2.3.5.

And because rooting a phone is particularly valued by malware authors, it’s important to us. For example, malware likes to silently download and install other packages, but this requires root privileges. This is why trojans such as Android/DroidKungFu.A!tr initially try to root the phone with an exploit. We used to look for rageinthecage binaries; now we’ll have to keep an eye on levitator too…

– the Crypto Girl

Clarifying Android DroidKungFu variants

by Axelle Apvrille
October 26, 2011 at 8:27 am

Much like the Ninja Turtles, DroidKungFu now comes in different flavours (5 so far), discovered by Prof. Xuxian Jiang (and his research team) and Lookout. If, like me, you are having difficulties keeping track of those variants, this post is for you :)

The similarities and differences between all 5 variants are depicted below. Each block represents a variant, and their intersections show how many methods they share exactly*.

All variants share the same malicious commands (CMD box). They can download and install a new package, start a program (called an activity), open a given URL in the browser or delete a package**. To do so, they contact the same 3 remote web servers (URLs box), apart from variant A, which uses a single one.

The differences mainly concern whether the sample uses exploits or not (yellow and red knife), whether the malicious functionality is implemented natively or not (brown circle or green box), and whether some payload is encrypted with AES or not (hatched rectangle) and the key it uses. Note that variant E has the particularity of encrypting a few strings to obfuscate its code (/system/bin/chmod 4755, WebView.db.init etc.).

A few other similarities are not shown on the picture, such as the re-use of filenames and signing certificates. For instance, native code is typically in a file named WebView.db.init, and for certificates, variants A, B and C are signed by the same self-signed Google certificate, whereas variants D and E use a custom certificate.

– the Crypto Girl

* Computed using androsim.py from Androguard.

** Actually, variant A features a fifth command, execHomepage, but implements it as “not supported”.

Spitmo gets on Android: mini-FAQ

by Axelle Apvrille
September 16, 2011 at 7:12 am

Yes, you have probably heard the news: a new variant of Spitmo – Zitmo/ZeuS’s counterpart for SpyEye, which previously targeted Symbian phones only – has recently been spotted on Android. The scenario is the same as before: a victim, browsing on a PC infected with SpyEye, logs in to her bank’s website. SpyEye injects forms and elements directly into the web pages she is viewing, so as to lure her into installing a fake security application on her phone, thinking it’s required by the bank. That application actually intercepts SMS messages, especially those carrying authentication codes.

If you are not familiar with Spitmo yet, it’s probably better that you go and read Trusteer’s analysis first, as this post focuses on a few details.

  • How was the malware signed?
    It was signed using a test key publicly available from the CyanogenMod github repository. At least two other malware families, Android/Netisend and Android/Pjapps, use exactly the same certificate.
  • Does it intercept all SMS?
    Like in Zitmo, Spitmo is capable of focusing only on some particular SMS messages it is interested in, for example those coming from your bank ;)
    This feature corresponds to a special entry in the malware’s XML configuration file: tels. The analyses I read don’t mention this tag, but tels is designed to contain a list of originating phone numbers for which the malware should intercept SMS.
    The field is parsed by the code and each number is added to an array of numbers.
    If there are none (default situation), all SMS messages are intercepted.
  • Intercepted SMS messages are sent via SMS or HTTP, huh?
    It’s the general idea, but more precisely the possibilities are:

    • 1: send via HTTP only
    • 2: send via HTTP then via SMS
    • otherwise: send via SMS only

    Most analyses say “2” is for SMS, but it also sends via HTTP, and they forget to mention the third case. Not that it matters very much, but let’s just put it straight.

  • Was the malware used for real?
    It’s always difficult to be sure, but my guess would be this is just an initial test. Indeed, the malware’s configuration file sets the phone number to send intercepted SMS to 123 (which obviously isn’t a real phone number). As there doesn’t seem to be any update mechanism for the malware yet, malware authors have no way to modify this default configuration. They probably intend to in future versions.
  • Which countries are involved or targeted?
    The malware is downloadable from a Spanish web server, the SpyEye drop zones were registered by someone in Poland, the code contains localized strings for Russia… As usual, cybercriminals are cautious to cover their tracks! Any of these countries could be concerned … or other countries! We have no better clue for now.
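To make the configuration semantics above concrete (the tels filter, the three delivery modes, and the telltale placeholder drop number), here is an added analyst triage script in Python. It is not the malware’s code and not Trusteer’s or Fortinet’s; it assumes an XML layout in which a tels element lists the filtered sender numbers (either as child tel elements or as a delimited text list) and hypothetical number and send elements hold the drop phone number and the delivery mode. The sample configuration is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration (not a real Spitmo file). Only the "tels"
# tag name comes from the post; "number", "send" and the child "tel" elements
# are hypothetical stand-ins for the tags holding the drop phone number, the
# delivery mode and the individual filtered senders.
SAMPLE_CONFIG = """<config>
  <number>123</number>
  <send>2</send>
  <tels>
    <tel>+33123456789</tel>
    <tel>+33987654321</tel>
  </tels>
</config>"""


def parse_config(xml_text):
    """Extract the fields relevant to SMS interception from a Spitmo-style config."""
    root = ET.fromstring(xml_text)
    tels = []
    tels_node = root.find("tels")
    if tels_node is not None:
        # Accept either child elements or a delimited text list; both layouts
        # are assumptions, the post only says tels holds a list of numbers.
        for child in tels_node:
            if child.text and child.text.strip():
                tels.append(child.text.strip())
        if tels_node.text and tels_node.text.strip():
            tels.extend(n for n in re.split(r"[,;\s]+", tels_node.text.strip()) if n)
    return {
        "drop_number": (root.findtext("number") or "").strip(),
        "send_mode": (root.findtext("send") or "").strip(),
        "tels": tels,
    }


def intercepts_sender(cfg, originating_number):
    """An empty tels list (the default) means every incoming SMS is intercepted."""
    if not cfg["tels"]:
        return True
    return originating_number in cfg["tels"]


def delivery_channels(cfg):
    """Mode semantics from the post: 1 = HTTP only, 2 = HTTP then SMS, anything else = SMS only."""
    mode = cfg["send_mode"]
    if mode == "1":
        return ["http"]
    if mode == "2":
        return ["http", "sms"]
    return ["sms"]


def plausible_phone_number(number):
    """Heuristic (assumption): an optional '+' followed by at least 6 digits."""
    return re.fullmatch(r"\+?\d{6,}", number) is not None


def triage(xml_text):
    """Summarise what the configuration makes the sample do, for an analyst report."""
    cfg = parse_config(xml_text)
    findings = []
    if cfg["tels"]:
        findings.append("filters SMS from %d sender(s): %s"
                        % (len(cfg["tels"]), ", ".join(cfg["tels"])))
    else:
        findings.append("tels empty: intercepts all incoming SMS")
    findings.append("forwards intercepted SMS via " + " then ".join(delivery_channels(cfg)))
    if not plausible_phone_number(cfg["drop_number"]):
        # Mirrors the observation in the post: a drop number such as 123 points to a test build.
        findings.append("drop number '%s' is not a plausible phone number: likely a test build"
                        % cfg["drop_number"])
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_CONFIG):
        print("-", line)
```

Run against a real configuration dumped from a sample, the report tells an analyst at a glance which senders are filtered, which exfiltration channel the mode selects, and whether the drop number looks like a placeholder.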

– the Crypto Girl

Android/Zitmo: an update

by Axelle Apvrille
July 18, 2011 at 10:47 am

This is a short update to our prior post concerning Zitmo on Android.

Is this really Zitmo?

This fake Trusteer malware shows several differences with prior Symbian variants, but, for simplicity (and because it’s easy to remember), we call it Zitmo.

This does not mean this variant was written by the same authors (no proof on that account, one way or another), nor that it has exactly the same technical functionalities or even, depending on naming policies, the same name among AV vendors; what we mean is that this sample was propagated by ZeuS PC trojans – which is all that matters from an end-user perspective…

Denis Maslennikov proves it in his blog post, where he shows Win32 ZeuS configuration files with modified Trusteer web pages. This is confirmed by our own research too: we decrypted a ZeuS configuration file and found the Trusteer-related injected pages.

Also, note that another Android Zitmo sample was discovered, which fakes a Kaspersky anti-virus. We detect that sample as Android/Zitmo.D!tr.spy.

– the Crypto Girl

Kyle Yang and Alexandre Aumoine contributed to this research.