Android Threat Set to Trigger On the End of Days, or the Day's End

http://www.symantec.com/connect/blogs/android-threat-set-trigger-end-days-or-day-s-end

May 23, 2011

By: Irfan Asrar

Symantec has discovered a Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation.

http://www.symantec.com/connect/imagebrowser/view/image/1786431/_original

Once the threat is installed, it waits for the device to reboot. After the reboot, it starts a service called 'theword'. After waiting a few minutes, it attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location. These same actions are carried out in a loop at intervals of 33 minutes. In addition to being able to respond to commands received over the Internet and by SMS, the threat also contains activities designed to trigger on the 21st and 22nd of May 2011, respectively.

http://www.symantec.com/connect/imagebrowser/view/image/1786911/_original

There are multiple indications in the threat that it was aimed at users in North America. One obvious element is that the threat checks the date in the US format (MMDDYYYY) and only triggers activation if the date string is “05222011”, as opposed to “22052011” or another regional format.

http://www.symantec.com/connect/imagebrowser/view/image/1786451/_original

Another hint includes the cultural (borderline bizarre) reference in the threat, which is geared more towards an audience in the North American region. Additionally, it attempts to register users as members of a US-based political action committee called ColbertPAC. Lastly, and most evidently, is that the ‘End of the World’ occurring on May 21st is a phenomenon largely limited to North America.

And then on the 21st day of May 2011 AD….

As soon as the threat recognizes the date is May 21, 2011, it creates a database called “mydb.db”:

http://www.symantec.com/connect/imagebrowser/view/image/1786471/_original

It then writes the string “endoftheworld” to the table ‘myTable’. (This is used as a trigger to tell the class SMSsmack to automatically reply to any SMS sent to the device with the message below.) Next, it randomly picks one of several pre-defined messages and sends the spam to the entire contact list:

http://www.symantec.com/connect/imagebrowser/view/image/1786481/_original

http://www.symantec.com/connect/imagebrowser/view/image/1786491/_original

http://www.symantec.com/connect/imagebrowser/view/image/1786501/_original

http://www.symantec.com/connect/imagebrowser/view/image/1786511/_original

http://www.symantec.com/connect/imagebrowser/view/image/1786521/_original

http://www.symantec.com/connect/imagebrowser/view/image/1786531/_original

Lastly, the wallpaper is changed to the following image:

http://www.symantec.com/connect/imagebrowser/view/image/1786541/_original

When the threat detects that the date has rolled over to May 22, it changes the wallpaper again and spams the contact list with a new message:

http://www.symantec.com/connect/imagebrowser/view/image/1786551/_original

Symantec has added detection for this threat, which is known as Android.Smspacem.
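The behaviour described above leaves several fixed strings in the app's code (the 'theword' service name, the “mydb.db” database, the ‘myTable’ table, the “endoftheworld” trigger and the “05222011” activation date). The following is an added triage script, not Symantec's detection and not code from the threat: it opens an APK as the zip file it is, scans every classes*.dex for those indicators, and flags the sample when several co-occur. The in-memory sample APK it builds is a constructed fixture with a fake DEX header, not a real sample.

```python
import io
import re
import zipfile

# Indicator strings taken from the write-up above. DEX stores string data as
# MUTF-8, which is byte-identical to ASCII for these values, so a raw
# substring search over the .dex is enough for a first-pass triage.
INDICATORS = {
    b"theword": "service started after reboot",
    b"mydb.db": "SQLite database created when the date matches",
    b"myTable": "table that receives the trigger string",
    b"endoftheworld": "trigger string that arms the SMS auto-reply",
    b"05222011": "hard-coded MMDDYYYY activation date",
}

def scan_dex_bytes(dex):
    """Return the subset of INDICATORS present in raw DEX bytes."""
    return {k.decode(): v for k, v in INDICATORS.items() if k in dex}

def scan_apk(apk_bytes):
    """Open an APK (a zip) in memory and collect indicator hits from every classes*.dex."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                hits.update(scan_dex_bytes(zf.read(name)))
    return hits

def verdict(hits, threshold=3):
    """Several indicators together are far more telling than any single string."""
    return "suspicious" if len(hits) >= threshold else "clean"

def build_sample_apk(strings):
    """Constructed fixture: a minimal zip whose classes.dex contains the given strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Fake DEX magic followed by NUL-separated strings; not a valid DEX file.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(strings))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_apk([b"theword", b"mydb.db", b"endoftheworld", b"05222011"])
    found = scan_apk(sample)
    for key, meaning in found.items():
        print(f"  {key}: {meaning}")
    print(verdict(found))  # prints "suspicious" for the constructed sample
```

Point `scan_apk` at the bytes of a real APK to triage it; a single hit on a common word like 'theword' is weak evidence on its own, which is why the verdict requires several indicators together.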

To avoid becoming a victim of such malicious Android applications, we recommend that you only use regulated Android marketplaces for downloading and installing Android applications. Also, in the Android OS application settings there is an option to stop the installation of non-market applications. On most devices this option is OFF by default. This configuration helps protect against rogue, pirated apps that may be malicious. Checking user comments on the marketplace can also assist in determining if the application is safe. Lastly, always check the access permissions being requested during the installation of any Android applications. If they seem excessive for what the application is designed to do, it would be wise to stop installing the application.

A special thanks to Kaoru Hayashi for the in-depth analysis of this threat.
