Monday, March 9, 2015

Banker backdoor makes your device his b*tch

This Russian backdoor turns your phone into a bot by receiving commands from a command & control (C&C) server or through Google Cloud Messaging (GCM) push notifications. The malware attempts to obtain your credit card information while posing as Play Market.


By installing the application you get a "romantic" icon in your launcher with the fishy name "System".

Backdoor icon

In cases like this, when the application icon is so tempting to launch and carries such a credible name, you should by all means resist the temptation to launch it, and remove it immediately.

When you can't resist, just like I couldn't, you will receive an unexpectedly high phone bill :).

After tapping on the "hungry lady" you will be prompted to grant device admin access to the app.

Request device admin access

The explanation given for requesting device admin access is the "Terms of Use Google Play", supposedly needed to get free content.

Of course I was excited, so I tapped on ACTIVATE to get rid of that annoying window, so I could see the rest of the pretty lady.

The application doesn't show any other window, but starts pushing notifications and hides its launcher icon. That's when it starts running in the background. The notification doesn't look like it has anything in common with the previously started application; instead it poses as a Play Market request.

Pushed notification

Opening the notification, you are asked to enter your credit card information because of some authorization error supposedly caused by Google Play.

Billing information window


The credit card information is then sent to a remote server.

Background service

The backdoor starts an "update" service that first registers the device on the C&C server by sending unique information about your device (IMEI, phone number, country, operator name), and receives a bot identification number (bot_id) and password (bot_pwd) that it uses to identify itself when communicating with the server.

The bot connects to the server at intervals of at most 5 seconds, requesting commands.
There are four different commands:
 - set_intercept - intercepts received SMS; can intercept all received messages or only those filtered by sender number
 - set_interval - sets the server communication interval; the server contact interval can be at most 5 seconds
 - send_sms - sends an SMS
 - set_server - changes the C&C server
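The polling behaviour described above (a beacon to the same host every 5 seconds or less) is something a defender can spot in proxy or firewall logs without knowing the server. The following script is an added example, not code from the original post: it groups requests by client and host and flags pairs whose requests arrive at a short, nearly constant interval. The log lines, client addresses and host names are constructed placeholders.

```python
# Added example (not from the original post): flag a device that contacts the
# same host at a regular, short interval, the way the post describes the bot
# polling its C&C server every 5 seconds or less.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <client> <host> <path>".
# Addresses and host names are placeholders, not real indicators.
SAMPLE_LOG = """\
2015-03-09T10:00:00 10.0.0.7 c2.example.invalid /gate.php
2015-03-09T10:00:05 10.0.0.7 c2.example.invalid /gate.php
2015-03-09T10:00:10 10.0.0.7 c2.example.invalid /gate.php
2015-03-09T10:00:15 10.0.0.7 c2.example.invalid /gate.php
2015-03-09T10:00:20 10.0.0.7 c2.example.invalid /gate.php
2015-03-09T10:00:01 10.0.0.7 news.example.invalid /index.html
2015-03-09T10:03:42 10.0.0.7 news.example.invalid /story/1
2015-03-09T10:09:10 10.0.0.7 news.example.invalid /story/2
2015-03-09T10:00:03 10.0.0.9 c2.example.invalid /gate.php
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(text, max_interval=5.0, min_requests=4, max_jitter=1.0):
    """Return (client, host, mean_gap_seconds) for pairs that poll regularly.

    A pair is flagged when it has at least min_requests requests, the mean
    gap between requests is <= max_interval seconds, and the gaps are nearly
    constant (population standard deviation <= max_jitter). Normal browsing
    has far more irregular gaps and usually fewer hits per host.
    """
    findings = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= max_interval and pstdev(gaps) <= max_jitter:
            findings.append((client, host, avg))
    return findings


if __name__ == "__main__":
    for client, host, avg in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {host} every {avg:.1f}s")
```

The thresholds are assumptions chosen for this sample; on real logs you would tune `min_requests` upward and look at a longer window, since legitimate apps also poll, but rarely with a fixed gap this short to a host nobody else on the network talks to.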

It also has a spy activity defined in the manifest, where a broadcast receiver for incoming SMS is registered. All of your received messages are sent to the remote server, and some or all of them, depending on the received command, aren't even shown to you.

Communication through push notifications from Google Cloud Messaging is also implemented. Push messages can trigger the notification requesting credit card information (mentioned earlier) or the sending of SMS.
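The traits described in the last few paragraphs (a device admin receiver, a high-priority receiver for incoming SMS, SMS sending permission, a GCM receiver and a generic "System" label) are all visible in the manifest before the app is ever run. The script below is an added example, not code from the original post or the sample: it scans a manifest for that combination and produces a simple score. The manifest itself is constructed for the example, and its package, class names and weights are placeholders, not the sample's real identifiers.

```python
# Added example (not from the original post): heuristic scan of an Android
# manifest for the combination of traits the post describes. The manifest
# below is constructed for the example; its package and class names are
# placeholders, not the sample's real identifiers.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree key prefix for android: attributes

# Constructed manifest modelled on the behaviour described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
    <application android:label="System">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".GcmReceiver"
            android:permission="com.google.android.c2dm.permission.SEND">
            <intent-filter>
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
            </intent-filter>
        </receiver>
        <service android:name=".UpdateService"/>
    </application>
</manifest>
"""

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def scan_manifest(xml_text):
    """Return a sorted list of indicator names found in the manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    actions = {e.get(A + "name") for e in root.iter("action")}
    indicators = set()

    app = root.find("application")
    if app is not None and (app.get(A + "label") or "").strip().lower() == "system":
        indicators.add("generic_system_label")      # the "System" icon from the post
    if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
        indicators.add("device_admin_receiver")     # asks to become device admin
    if "android.permission.RECEIVE_SMS" in perms and SMS_RECEIVED in actions:
        indicators.add("sms_receiver")
        # A high-priority filter lets the receiver see an SMS before the
        # default messaging app does, which is what makes hiding it possible.
        for f in root.iter("intent-filter"):
            acts = {a.get(A + "name") for a in f.iter("action")}
            if SMS_RECEIVED in acts and int(f.get(A + "priority", "0")) > 0:
                indicators.add("high_priority_sms_receiver")
    if "android.permission.SEND_SMS" in perms:
        indicators.add("send_sms_permission")       # needed for the send_sms command
    if "com.google.android.c2dm.intent.RECEIVE" in actions:
        indicators.add("gcm_receiver")              # second command channel via GCM
    return sorted(indicators)


def risk_score(indicators):
    """Additive score; the weights are an assumption for this example."""
    weights = {"device_admin_receiver": 3, "high_priority_sms_receiver": 3,
               "sms_receiver": 1, "send_sms_permission": 2, "gcm_receiver": 1,
               "generic_system_label": 2}
    return sum(weights.get(i, 0) for i in indicators)


if __name__ == "__main__":
    found = scan_manifest(SAMPLE_MANIFEST)
    print("indicators:", ", ".join(found))
    print("score:", risk_score(found))
```

No single trait here is malicious on its own (a legitimate SMS app registers an SMS receiver, and plenty of apps use GCM), so the point of the score is the combination: device admin plus a high-priority SMS receiver plus SEND_SMS in an app labelled "System" is the profile this post describes. On a real APK you would run this against the manifest decoded by a tool such as apktool rather than the raw binary XML.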

Sample info 

MD5: c6d18185d52200ed73187d355facb2fa
Package name: ""
