
How to properly explore mobile Trojans at home

From the editor: today's post is by Roman Unuchek, an expert on mobile threats at Kaspersky Lab.

This post continues the topic raised by user rootes in the post “SMS virus for Android OS, or “Hello :) You have a photo...””. I enjoyed reading the comments about how viruses differ from Trojans and how malware should be properly investigated. It is the proper investigation that I want to talk about, since I have been doing it every day for four years. Is it all right to run malware on a “live” device? Do you need a virtual machine? How do you avoid harming yourself and other users during such experiments? Along the way we will look at a specific Trojan, Trojan-SMS.AndroidOS.Opfake.a.

But perhaps I will start with the topic just raised in the original post: how an antivirus treats an already infected device. Our product was not tested there, which is a pity: the Trojan is detected and removed without fuss by the trial version of our product (link to Google Play), both now and at the time of the original research (judging by the screenshots, it was September 3). Screenshot:


Treatment
When you tap the Delete button, the user is taken automatically to the device administrators management menu, where the Device Admin rights of the Trojan can be revoked. From there you proceed to the menu for removing the malware in the settings.



As you can see, the process is not fully automated as it is on Windows. Our solution consistently brings the user to the menu items needed to remove the Trojan and does all the hidden work, but you have to press a couple of buttons: this is a specific feature of Android. Will an inexperienced user cope with this task? Well, that is a good reason for that inexperienced user to protect the smartphone in advance: if the antivirus had been installed beforehand, the infection simply would not have happened.

And what is this Trojan, and why did not all vendors detect it immediately?
In fact, the AndroidOS.Opfake family of SMS Trojans is one of the oldest in our collection: we registered the first representative of this type three years ago, in August 2011. Since then, we have detected more than 8,000 modifications. They all have the same goal: to steal money from the user's account by sending SMS to paid short numbers and hiding this activity. There are variations, however. The first thing this particular modification of Opfake.a does is connect to the C&C server and then execute the command it receives from there. This could be spamming the contact list (the Hi-TechFoto message itself), sending SMS to premium numbers, or stealing the contact list. In addition, the Trojan can initiate a call to a specified number, block calls to the owner, intercept incoming SMS, and even install another malicious program.

An interesting point is that this modification of the Trojan still shows the same photo of a cat. Other modifications do not even do that; they perform only hidden malicious operations and show nothing at all.

Now let us talk about why the Trojan was not detected by everyone, and not immediately. Here is a graph based on information from our product:



This is the number of detections of the program from August 29 to September 1, in two-hour intervals. As you can see, the main surge of activity took place on August 31: on that day alone we detected more than 1800 attacks in Russia, Ukraine, Belarus, Kazakhstan and Uzbekistan. But this modification of Opfake appeared on August 29, on Friday evening. Compared with previous versions of the Trojan, the new one was changed for the sole purpose of evading the detection techniques of antivirus solutions. In our case, detection was performed not by the signature method but with the help of heuristics, roughly speaking, descriptions of the behavior of the malicious program. One such heuristic can “cover” many modifications of the Trojan at once, and this method is more resistant to minor changes in the malicious code.

In this situation, everything depends on how quickly the antivirus company can react to a new attack. First, the new sample has to be captured somehow; second, it has to be analyzed (manually or automatically); and third, detection has to be added and the information quickly distributed to customers as a product update. An additional complicating factor was the timing of the Trojan's initial distribution, which was probably chosen deliberately by the cybercriminals with the peculiarities of our work in mind. But we managed :)

How to research
Let us return to where the post started. We investigate malware with all the tools available and choose the right one (code analysis, emulation, or launching on a real device) depending on the circumstances and drawing on considerable experience. What can be recommended to someone who decides to analyze such a Trojan at home? The strategy of user rootes was generally correct: run the malicious program on a “clean” device without personal data, with a SIM card installed but no money in the account. But I would recommend starting with safer methods:

• Run it inside the standard Android emulator. This is the safest method, and it also lets you learn a lot about the Trojan's functionality. Some malicious programs, however, detect that they are running inside a virtual machine and refuse to work. But not all of them.
• Run it on a real device without personal data, without a SIM card and with the Internet turned off. In the case of this Trojan, that would have revealed little. There are rare kinds of mobile threats that refuse to work on a device without a SIM card, thereby hiding their real purpose.
• Run it on a real device with a SIM card. Having no money in the account does not give a 100% guarantee in this case; I would additionally recommend asking the operator to block sending SMS to short numbers.

As I said above, sending paid SMS is not the only capability of the Opfake Trojan, so I would not recommend using the third method at home. You have been warned!
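Before running a sample by any of the three methods, the safest first step is a static look at what it declares. The following is an added example, not code from the original post or from Kaspersky Lab: it parses the output of the Android SDK's `aapt dump permissions sample.apk` and flags the capabilities the post attributes to Opfake (premium SMS, SMS interception, contact theft, calls, C&C traffic). The capability mapping and the high/medium/low thresholds are this example's own assumptions, a crude heuristic in the sense used earlier in the post, and the sample aapt output is constructed rather than taken from a real APK.

```python
"""Static permission triage for an Android sample before it is ever run.

Added example (not code from the original post or Kaspersky Lab). Parses
`aapt dump permissions` output and maps declared permissions onto the
capabilities described for Opfake. Mapping and thresholds are assumptions.
"""
import re

# Capability -> permissions that make it possible (assumed mapping; the
# permission strings themselves are the real android.permission.* names).
CAPABILITY_PERMISSIONS = {
    "send SMS (premium numbers)": {"android.permission.SEND_SMS"},
    "intercept incoming SMS": {"android.permission.RECEIVE_SMS",
                               "android.permission.READ_SMS"},
    "read the contact list (spam/theft)": {"android.permission.READ_CONTACTS"},
    "initiate calls": {"android.permission.CALL_PHONE"},
    "contact a C&C server": {"android.permission.INTERNET"},
}

# `aapt dump permissions` prints one line per permission. Older aapt prints
# "uses-permission: android.permission.X", newer builds print
# "uses-permission: name='android.permission.X'"; both forms are accepted.
PACKAGE_RE = re.compile(r"^package:\s*(\S+)")
PERMISSION_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?")


def parse_aapt_permissions(text):
    """Return (package_name, [permissions]) from aapt dump permissions output."""
    package = None
    perms = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PACKAGE_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERMISSION_RE.match(line)
        if m and m.group(1) not in perms:
            perms.append(m.group(1))
    return package, perms


def triage(perms):
    """Map declared permissions to the capabilities they enable."""
    present = set(perms)
    return {cap: sorted(present & needed)
            for cap, needed in CAPABILITY_PERMISSIONS.items()
            if present & needed}


def risk_level(capabilities):
    """Assumed scoring: an app that can both send SMS and see incoming SMS
    fits the SMS-Trojan profile (send to a short number, hide the reply)."""
    can_send = "send SMS (premium numbers)" in capabilities
    can_hide = "intercept incoming SMS" in capabilities
    if can_send and can_hide:
        return "high"
    if can_send or can_hide:
        return "medium"
    return "low"


def report(text):
    """Full triage of one aapt dump: (package, capabilities, risk level)."""
    package, perms = parse_aapt_permissions(text)
    caps = triage(perms)
    return package, caps, risk_level(caps)


# Constructed sample input in the aapt output format; not from a real APK.
SAMPLE_TROJAN = """\
package: com.example.hitechfoto
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

# Constructed benign sample using the older aapt output form.
SAMPLE_BENIGN = """\
package: com.example.flashlight
uses-permission: android.permission.INTERNET
"""


if __name__ == "__main__":
    for sample in (SAMPLE_TROJAN, SAMPLE_BENIGN):
        package, caps, level = report(sample)
        print(f"{package}: risk={level}")
        for cap, names in caps.items():
            print(f"  {cap}: {', '.join(names)}")
```

Two caveats when using this on a real sample: Device Admin is not a `uses-permission`, it is the `android.permission.BIND_DEVICE_ADMIN` permission declared on a receiver, so look for it with `aapt dump xmltree sample.apk AndroidManifest.xml` instead; and a permission list only shows what the app may do, not what it does, which is why the emulator run in the first method above still matters.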

Prevention
We have said repeatedly that mobile cybercrime, although it appeared as a phenomenon quite recently, is developing much faster than its counterpart on ordinary PCs. In 2-3 years, Android has gone through the same stages of development, from simple viruses to complex malware, as regular PCs did; only there it took not a couple of years but a couple of decades. An “advanced” user does not need to defend against such a Trojan: simply do not open the message, do not click dubious links and, of course, do not install suspicious programs.

What about less experienced users, who more and more often choose a smartphone instead of an ordinary mobile phone? Indeed, if you at least disallow the installation of programs from unofficial sources, a Trojan like Opfake.a can already be stopped. But this does not provide a 100% guarantee, as the dozens of cases of openly malicious programs detected on Google Play prove. And that is without mentioning the problems of phishing, the promotion of dubious software in mobile advertising networks and so on. So security software on mobile devices is necessary.

Source: https://habr.com/ru/post/236603/
