Remote-control Trojan with Smack Technique

By | 17 March 2015

Post by Partrick

Recently the AVL Mobile Security Team found an Android spyware built on the XMPP client library Smack and the Openfire server. The spyware shows the following behaviour: 1. it uploads the user's contacts, short messages, call records, GPS location and date according to instructions sent by the remote client; 2. it hides its icon; 3. it intercepts specified short messages.

Smack is an open-source XMPP (Jabber) client connection library whose API provides functions such as sending and receiving messages and monitoring a contact's presence status. When this malware uses Smack, it first connects to the XMPP server, then logs in with a preset account key; if the login succeeds, it creates a chat object and communicates with other users through XML-formatted messages.
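The connect, log in, exchange-messages sequence above is visible on the wire as an XMPP stream: an unclosed `<stream:stream>` root, an SASL `<auth>` element, then `<message>` stanzas. The following Python is an added analysis example, not code from the post or from the malware; the session, hostnames, JIDs and message bodies are constructed, and the account in the SASL PLAIN blob is invented. It shows how a defender can summarise a captured client-to-server session: which server was contacted, which account logged in, and what the message bodies carried.

```python
import base64
import xml.etree.ElementTree as ET

STREAM_NS = "{http://etherx.jabber.org/streams}"
CLIENT_NS = "{jabber:client}"
SASL_NS = "{urn:ietf:params:xml:ns:xmpp-sasl}"

# Constructed client-to-server XMPP session modelled on the connect -> log in ->
# exchange <message> stanzas flow; server, JIDs, credentials and bodies are invented.
SASL_PLAIN_BLOB = base64.b64encode(b"\x00bot\x00unsafepass").decode()
SAMPLE_STREAM = (
    "<stream:stream to='xmpp.example.invalid' xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
    "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>"
    + SASL_PLAIN_BLOB + "</auth>"
    "<message from='bot@xmpp.example.invalid/phone' to='ctl@xmpp.example.invalid' type='chat'>"
    "<body>online</body></message>"
    "<message from='ctl@xmpp.example.invalid/pc' to='bot@xmpp.example.invalid/phone' type='chat'>"
    "<body>instruction-1</body></message>"
)


def parse_stream(raw):
    """Parse a captured XMPP stream.

    The <stream:stream> root stays open for the life of the session, so a capture
    is normally not well-formed XML; close it before handing it to the parser.
    """
    if "</stream:stream>" not in raw:
        raw += "</stream:stream>"
    return ET.fromstring(raw)


def sasl_plain_user(root):
    """Return the authentication id from a SASL PLAIN <auth> element, or None.

    PLAIN is base64 of 'authzid\\0authcid\\0password'; if the stream is not
    wrapped in TLS, anyone on the path can read the account the client uses.
    Only the account name is returned here, never the password.
    """
    auth = root.find(SASL_NS + "auth")
    if auth is None or auth.get("mechanism") != "PLAIN" or not auth.text:
        return None
    parts = base64.b64decode(auth.text).split(b"\x00")
    return parts[1].decode() if len(parts) == 3 else None


def extract_messages(root):
    """Collect from/to/body of every <message> stanza in the session."""
    out = []
    for msg in root.findall(CLIENT_NS + "message"):
        body = msg.find(CLIENT_NS + "body")
        out.append({"from": msg.get("from"), "to": msg.get("to"),
                    "body": body.text if body is not None else ""})
    return out


def summarize_session(raw):
    """Server contacted, account used to log in, and the messages exchanged."""
    root = parse_stream(raw)
    return {"server": root.get("to"),
            "auth_user": sasl_plain_user(root),
            "messages": extract_messages(root)}


if __name__ == "__main__":
    print(summarize_session(SAMPLE_STREAM))
```

The summary gives an analyst the three facts worth pivoting on: the XMPP server the device connected to, the account the client authenticated as, and the contents of the stanzas that carried the instructions.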

Detailed Analysis:

After the program starts, the controlled terminal automatically logs in first, and after a successful login it accesses the network. Once the network connection between the controlled terminal and the main controlling terminal is set up, the controlled terminal performs malicious actions such as theft of private data according to the instructions it receives. The overall process is shown in the following figure.
[Figure 1: overall process]

After the program is running, it first obtains the account key:
[Figure 2]

The data is saved in an XML file.
[Figure 3]

After that, it connects to the network and logs in.
[Figure 4]

It can hide its icon according to the data returned by the controlling terminal:
[Figures 5 and 6]

The program carries out many sensitive operations according to the remote instructions sent by the main controlling terminal, including uploading files, short messages, contact information, sound recordings, GPS location and other data. The related code is shown in the following pictures:
[Figures 7 and 8]

Note that the program saves the acquired data in local folders and uploads it all together. The upload address is shown in the following picture.
[Figure 9]

The addresses obtained from static analysis are as follows:
[Figure 10]
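The behaviours walked through above (a Smack-based XMPP client, data-collection permissions for SMS, contacts, call records, location and audio, icon hiding, and hard-coded upload addresses) can be turned into a static triage check. The following Python is an added example and not the analysts' tooling; it assumes the manifest has already been decoded to plain XML (for instance by apktool) and that the strings from classes.dex are available as a list. The package name, permissions and URL in the sample inputs are constructed placeholders. The verdict rule at the end is a heuristic of this example, not a rule stated in the post.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto the data the post says the sample uploads.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
}
# Smack class-path fragments as they appear in a DEX string table (smali and dotted form).
SMACK_MARKERS = ("Lorg/jivesoftware/smack/", "org.jivesoftware.smack")
# PackageManager API used to disable the launcher activity, i.e. hide the icon.
HIDE_ICON_MARKERS = ("setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed decoded manifest and DEX strings; package name and URL are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
SAMPLE_DEX_STRINGS = [
    "Lorg/jivesoftware/smack/XMPPConnection;",
    "Lorg/jivesoftware/smack/Chat;",
    "setComponentEnabledSetting",
    "http://upload.example.invalid/recv.php",
    "content://sms/inbox",
    "Landroid/location/LocationManager;",
]


def manifest_permissions(manifest_xml):
    """Set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def extract_urls(strings):
    """Hard-coded http(s) URLs found in the string table, deduplicated and sorted."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return sorted(set(urls))


def triage(manifest_xml, dex_strings):
    """Flag the XMPP-controlled spyware pattern: Smack plus data-collection permissions."""
    perms = manifest_permissions(manifest_xml)
    caps = sorted(name for name, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    uses_smack = any(m in s for s in dex_strings for m in SMACK_MARKERS)
    hides_icon = any(m in s for s in dex_strings for m in HIDE_ICON_MARKERS)
    urls = extract_urls(dex_strings)
    # Heuristic of this example: an XMPP client library together with two or more
    # data-collection capabilities is enough to pull the sample for manual analysis.
    suspicious = uses_smack and len(caps) >= 2
    return {"capabilities": caps, "uses_smack": uses_smack,
            "hides_icon": hides_icon, "urls": urls, "suspicious": suspicious}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))
```

The URL list is the part worth keeping from a triage run: those are the upload addresses to block at the network edge and to hunt for in proxy logs, while the Smack and icon-hiding markers explain why the sample was pulled.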

Summary

Based on the analysis by our security research engineers, this malicious sample can disclose the user's important personal privacy and may lead to severe financial loss. The AVL Mobile Security Team therefore recommends that you download AVL Pro to detect and remove this kind of Trojan, so that you can enjoy a virus-free phone environment.
