Archive for December, 2012

Say “Hi” to Boxer – a new SMS based Trojan for Android

Posted in Malware, Mobile with tags , , , on December 5, 2012 by keizer

Your Android smartphone could be producing profit for criminals, and here is how: using piece of malware calledAndroid/TrojanSMS.Boxer.AA, a malicious program for Google’s Android mobile Operating System that targets 63 different countries, reading the MCC (Mobile Country Code) and MNC (Mobile Network Code) codes from the infected device. In December 2011 twenty-two malicious applications were discovered in the Android Market (Now Google Play) that were able to reach users all of these countries.

(In addition to this article, we have prepared a whitepaper that you can download: Boxer SMS Trojan (PDF). We have also provided a more general article on the SMS Trojan premium rate call threat.)

SMS Trojans are the most common threats that we find for mobile devices these days: the most common form they take is subscribing users to premium-rate numbers and charging them varying amounts of dollars per message. These kinds of activity and techniques are not new but nevertheless they´ve proven quite effective and profitable for cybercriminals and as the take-up of mobile devices has accelerated, we have also been seeing malware for these platforms increasing in popularity and sophistication. We have seen attack methodologies that include injecting malicious code into known applications, sending and hiding the response messages, Pay Per Install (PPI) methodologies and so on. Usually these threats target one or a few specific countries, but Boxer has a global reach.

One of the malware-enabled applications found in our research is “Urban Fatburner” (md5: 962078fba0bca8cda4fe39c516d21ffc). When a victim installed this application a number of permissions were requested including the ability to send and receive SMS, access to the Internet, and the ability to make phone calls. The application installed by users is an installer: once the users accept the terms, it will send between one and three SMS messages to premium-rate numbers and allow the user to download the full app. Nevertheless, even when the newly-downloaded application is fully installed, more text messages may be sent to premium-rate numbers every time the app is executed. As our first approach to understanding what this malware can do we used apktool to decompile the APK file, to get to the resources, read the information in AndroidManifest.xml and raw resources, including configuration files for countries and SMS.

During the analysis of this threat, the mechanism used by Boxer demonstrated how a customized code for fake installers is able to target a wide range of countries in a single malicious app. This structure is easy to detect, and reads information directly from the mobile phone once the application is initiated. Once the Main class is called, the method onCreate() is executed when application starts and uses the TelephonyManager class to call get getNetworkOperator(). This function retrieves a string with the MCC and MNC concatenated so as to identify the country. This information will be used further by the application to set the proper configuration such as number and activation code for the mobile carrier according to the country.

At the end of the onCreate() method, initActivationSchemes() is called. This function will match the MCC to the proper identifier and the mobile number to which the SMS will be sent. For this purpose there is a class called ActivationScheme that holds the number of SMS messages that will be sent and the information set by initActivationSchemes(). 

All this information will be used later (after the user accepts the user license agreement) by the activate() method. This will register a BroadcastReceiver() that will be triggered after an SMS is sent. With this action the malware will update the configuration files and be aware when to stop sending messages:

Boxer works as a fake installer, and once those users agree to download the application and it has sent the SMS it will download a modified application that may continue to send messages to premium numbers. This kind of functionality allows attackers to define a wide range of countries even when the user is in a different country. The distribution of the targeted countries by region can be seen in the following graph:

As time goes by, smartphones are getting more and more accessible to and popular with users who, in many occasions, are unaware of the threats they may face if they do not adopt the necessary preventive and security measures. Although there are SMS Trojans for other platforms such as Symbian and for mobile devices compatible with Java Micro Edition, during 2012 it was possible to observe a rise of this kind of threats exclusively designed for Android, as is the case of Boxer.

In general, SMS Trojans affect a very limited number of countries. There are also other cases in which they are capable of working in several nations belonging to a particular continent, as in Europe. However, Boxer is able to transcend regional barriers by including within its malicious routine 63 countries across America, Asia, Africa, Europe and Oceania. Out of these 63 countries, nine are Latin American. Consequently – and taking into account the fact that this threat was found in several malicious applications through Google Play – Boxer is considered to be among the most important SMS Trojans of the last year, and is the first one that has tried to target so many countries at the same time.

Our observation of this family of malware confirms that cybercriminals are not only focusing their resources on the creation of increasingly complex malware for mobile devices, but that they are also starting to concentrate on how to expand the reach of their threats worldwide. It is likely that in the near future more malicious code targeting Android will be detected and that, at the same time, more of them will be constructed so as to affect users in as many regions as possible.

Pablo Ramos
Security Researcher
ESET Latinoamérica