Monthly Archives: March 2015

Remote-control Trojan with Smack Technique

Post by Partrick

Recently the AVL Mobile Security Team found an Android spyware built on XMPP Smack and Openfire. The spyware has the following behaviour: 1. it uploads the user's contact information, short messages, call records, GPS location and date according to instructions sent by the remote client; 2. it hides its icon; 3. it intercepts specified short messages.

Smack is an open source XMPP (Jabber) client connection library whose API offers many functions, such as sending and receiving messages and monitoring a client's current status. When this malware uses the Smack technique, it first establishes a connection to the XMPP server, then logs in with a preset account (username and password); if the login succeeds, it creates an object to communicate with other users, exchanging data in XML format.

Detailed Analysis:

After the program starts, the controlled terminal first logs in automatically, and after a successful login it accesses the network. Once the network connection between the controlled terminal and the controlling terminal is set up, the controlled terminal carries out malicious actions, such as stealing private data, according to the instructions it receives. The brief process is shown in the following figure.
[Figure 1]

After the program starts, it first reads the account credentials:
[Figure 2]

The data is saved in an XML file.
[Figure 3]

After that, it connects to the network and logs in:
[Figure 4]

Depending on the data returned, it can hide its icon:
[Figure 5]
[Figure 6]

The program performs many sensitive operations according to the remote instructions sent by the controlling terminal, including uploading files, short messages, contact information, sound recordings, GPS location and other information. The related code is shown in the following pictures:
[Figure 7]
[Figure 8]

It should be noted that the program first saves the collected data in local folders and then uploads it all together. The upload URL is shown in the following picture.
[Figure 9]

The URLs obtained from static analysis are given as follows:
[Figure 10]
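The behaviours described above (a bundled Smack library, a preset account stored in an XML resource, and permissions covering contacts, SMS, call records, location and recording) can be turned into a static triage check. The following is an added example, not code from the original post or from the sample; the manifest, resource strings and class list are constructed, and the indicator names and the "Smack plus three privacy permissions" heuristic are the author's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMACK_PKG = "org.jivesoftware.smack"  # package prefix of the Smack library

# Permissions that map onto the behaviour described in the analysis above
PRIVACY_PERMS = {
    "android.permission.READ_CONTACTS": "contact information",
    "android.permission.READ_SMS": "short messages",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CALL_LOG": "phone records",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.RECORD_AUDIO": "sound recording",
}
# Resource names that look like a preset account stored in an XML file (assumed list)
CRED_KEY = re.compile(r"user|account|login|pass|pwd|jid", re.I)

def triage(manifest_xml, strings_xml, class_names):
    # Collect human-readable indicators from manifest, resources and class list
    findings = []
    for perm in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in PRIVACY_PERMS:
            findings.append(f"permission for {PRIVACY_PERMS[name]}: {name}")
    if any(c.startswith(SMACK_PKG) for c in class_names):
        findings.append("bundles the Smack XMPP client library")
    for s in ET.fromstring(strings_xml).iter("string"):
        if CRED_KEY.search(s.get("name", "")):
            findings.append(f"credential-like resource string: {s.get('name')}")
    return findings

def looks_like_xmpp_spyware(findings):
    # Heuristic (assumption): Smack present plus at least three privacy permissions
    perms = sum(f.startswith("permission for") for f in findings)
    return any("Smack" in f for f in findings) and perms >= 3

# Constructed sample inputs, not taken from the real sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Notes</string>
  <string name="xmpp_user">bot01</string>
  <string name="xmpp_pass">PLACEHOLDER</string>
</resources>"""
SAMPLE_CLASSES = ["com.example.app.MainActivity", "org.jivesoftware.smack.XMPPConnection"]
```

Running `triage(SAMPLE_MANIFEST, SAMPLE_STRINGS, SAMPLE_CLASSES)` on the constructed inputs yields seven indicators, and `looks_like_xmpp_spyware` flags the combination.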

Summary

According to the analysis by our security researchers, this malicious sample can leak the user's important private information and may lead to severe financial loss. The AVL Mobile Security Team therefore recommends downloading AVL Pro to detect and remove this kind of Trojan, so that you can enjoy a virus-free mobile environment.

Remote-control Trojan Using the Smack Technique

Post by Partrick

The AVL Mobile Security Team recently found an Android spyware developed on XMPP Smack and Openfire. The malware has the following behaviour: 1. it uploads the user's contact information, short messages, call records, GPS location and date according to instructions sent by the remote client; 2. it hides its own icon; 3. it intercepts specified short messages.

Smack is an open source XMPP (Jabber) client connection library whose API provides many functions, such as sending and receiving messages and monitoring the client's current status. When this malware uses the Smack technique, it first establishes a connection through the XMPP server, then logs in with a preset username and password; once the login succeeds, it creates an object to communicate with other users, mainly transmitting data in XML format.

Detailed Analysis:

After the program runs, the controlled terminal first logs in automatically, and after a successful login it accesses the network. Once a network connection with the controlling terminal is established, the controlled terminal carries out malicious operations, such as stealing private data, according to the instructions. The brief process is shown in the following figure.
[Figure 1]

After the program starts, it first obtains the account username and password:
[Figure 2]

This data is stored in an XML file.
[Figure 3]

It then begins the network connection and login operation:
[Figure 4]

Depending on the data returned, it can hide its icon:
[Figure 5]
[Figure 6]

The program performs many sensitive operations according to remote instructions from the controlling terminal, including uploading files, short messages, contacts, recordings, location and other information. The related code is shown in the following figures:
[Figure 7]
[Figure 8]

It should be noted that the program first saves the collected data to a local folder and then uploads it all at once. The upload URL is shown in the following figure:
[Figure 9]

The following URLs were obtained through static analysis.
[Figure 10]

Summary

According to the analysis by security researchers, this malicious sample leaks the user's important private information and may cause severe financial loss. The AVL Mobile Security Team recommends downloading and installing AVL Pro as soon as possible to detect and remove this kind of Trojan, helping everyone get rid of viruses and enjoy a healthy mobile environment.

The AVL Mobile Security Team focuses on mobile Internet security research and anti-virus engine development, providing powerful mobile security solutions. Follow our WeChat public account AVLTeam, where we regularly publish mobile security news that we hope you find useful. Please credit the source when reposting: http://blog.avlyun.com/?p=2193
