How Android/Fake10086 selectively blocks SMS – step by step

Android devices continue to be the target of malware authors with Android/Fake10086.A!tr. AegisLab spotted this malicious Trojan in the wild in China and posted an interesting write-up on the matter.

In brief, Android/Fake10086.A!tr looks like a handy hotel reservation application (e.g. the com.hotel apk), but in the background it communicates with a remote web server and blocks some incoming SMS messages. Most noticeably, Fake10086 blocks SMS messages coming from 10086, the customer service portal of a leading Chinese telecom operator – presumably to prevent them from warning the victim. How does it do that? This is what we are going to focus on in this post.

The AndroidManifest.xml shows a class FakeLanucherActivity (misspelt as in the sample) is started:

[Image: Part of the trojan's AndroidManifest.xml]

This calls the onCreate() method of FakeLanucherActivity, which, in turn, instantiates a SettingManager object via the getInstance() method:

SettingManager.getInstance(this).log("FakeLanucherActivity::onCreate");

The constructor of SettingManager creates a private settings file for the application, named setting.xml, in the application's private shared_prefs directory.

[Image: SettingManager constructor - creating the settings file (setting.xml)]

Later (we skip all parts which do not relate to SMS blocking) this settings file is edited by calling setSMSTempBlockNumAndTimes() with 10086 as first parameter, and 1 as second parameter:

[Image: Default values for setting.xml]

From the name of the method, we guess the first parameter is the SMS number to block and the second parameter is the number of times such messages should be blocked.
The setSMSTempBlockNumAndTimes method does no more than write the configuration into an sms_temp_block_num_and_times XML tag of the setting.xml file:

[Image: Writing SMS Block Number and Times to setting.xml]

A typical setting.xml file looks as follows:

Note that a function to read sms_temp_block_num_and_times also exists, named getSMSTempBlockNumAndTimes().
The SettingManager class does not contain anything more regarding SMS blocking. So, how are SMS blocked?

Each time an SMS message is received, it is processed by the onReceive() method of the PrivilegedSmsReceiver class, which the trojan registers as an SMS receiver. The relevant parts of this method are pasted below (smali disassembly output):

[Image: Smali disassembly for the onReceive() method of PrivilegedSmsReceiver]

So, the onReceive() method retrieves the sms_temp_block_num_and_times value (and logs it to an internal debug file), gets the phone number the incoming SMS comes from (getDisplayOriginatingAddress()), checks whether it ends with the number to block (10086), decrements the “times” counter and checks that it is positive. Probably due to a bug, it does not write the decremented value back to setting.xml, so 10086 is blocked forever. Below are the trojan's logs when the device receives an SMS from 10086:

[[2011,Mar,08,12:59PM]]: com.mms.bg.transaction.PrivilegedSmsReceiver::onReceive::Line=48
  PrivilegedSmsReceiver::onReceive
[[2011,Mar,08,12:59PM]]: com.mms.bg.transaction.PrivilegedSmsReceiver::onReceive::Line=66
The temp block info = 10086;1
[[2011,Mar,08,12:59PM]]: com.mms.bg.transaction.PrivilegedSmsReceiver::onReceive::Line=78
block the sms because it contain the temp block num : 10086 for once
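As an added illustration (not code from the post or from the sample), here is a Python model of the onReceive() decision described above, driven by the "The temp block info = 10086;1" log line: it contrasts the trojan's behaviour (counter re-read from setting.xml on every SMS, decrement never persisted) with what a persisted decrement would do. The function names, the "<number>;<times>" parsing and the pre-decrement positivity check are assumptions; the sender values are constructed.

```python
import re

# Constructed sample: two of the trojan's own debug log lines quoted in the post.
SAMPLE_LOG = (
    "[[2011,Mar,08,12:59PM]]: com.mms.bg.transaction.PrivilegedSmsReceiver::onReceive::Line=66\n"
    "The temp block info = 10086;1\n"
)
BLOCK_INFO_RE = re.compile(r"The temp block info = (\S+)")


def block_info_from_log(log):
    """Return the '<number>;<times>' string the receiver logs at Line=66."""
    match = BLOCK_INFO_RE.search(log)
    if match is None:
        raise ValueError("no temp block info in log")
    return match.group(1)


def parse_block_info(raw):
    """'10086;1' -> ('10086', 1): sender suffix to block, messages left to block."""
    number, times = raw.split(";", 1)
    return number, int(times)


def should_block(sender, number, times):
    """One onReceive() decision: returns (blocked, times_after_decrement).
    Assumption: the positivity check is on the pre-decrement value, so
    '10086;1' blocks exactly one message (the log says 'for once')."""
    if not sender.endswith(number):        # suffix match, as in the smali
        return False, times
    return times > 0, times - 1


def simulate(senders, raw_setting, persist):
    """Feed a sequence of incoming senders through the receiver.
    persist=False mirrors the trojan: setting.xml is re-read on every SMS and
    the decremented counter is never written back, so the block never expires.
    persist=True is what the author presumably intended."""
    stored, decisions = raw_setting, []
    for sender in senders:
        number, times = parse_block_info(stored)      # fresh read of setting.xml
        blocked, times = should_block(sender, number, times)
        decisions.append(blocked)
        if persist:
            stored = f"{number};{times}"               # write the decrement back
    return decisions


if __name__ == "__main__":
    raw = block_info_from_log(SAMPLE_LOG)
    senders = ["+8610086", "13800000000", "10086", "10086"]   # constructed
    print("trojan   :", simulate(senders, raw, persist=False))  # every 10086 SMS blocked
    print("intended :", simulate(senders, raw, persist=True))   # only the first one
```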

– the Crypto Girl

Update: Mario Bellano found the corresponding source code. You can download it and compare…

