Intro: What is Android.Zitmo-Urlzone?

Android.Zitmo-Urlzone is the mobile “add-on” for the banking trojan Urlzone. This app, a Zeus In The Mobile (ZitMo) variant, steals incoming SMS messages and uploads them to a remote server. Its primary purpose is to defeat online banking’s two-factor authentication by intercepting the confirmation SMS (mTAN) that banks send to their customers.

Step 1: Forcing the User to Install the App

If a user’s Windows PC is compromised with Urlzone and the user browses to his bank’s website, a message is shown after login presenting a new security solution that is now obligatory in order to keep using the online banking service. The new solution pretends to be an Android application that protects the phone’s SMS messages from being intercepted by a Trojan installed on the smartphone.

To complete the installation, the user has to enter an activation code generated by the malicious app.

You can see the login credentials as plain text in the source code of the web page.

The malicious application has the following characteristics:

Original name: SmartSecurity_ver_1_2.apk

MD5: 5f6b00bd0c7567e2a327eac8455aa4a7

SHA-1: da661e06cf48a5f7921af202589a6d6c72c5439e

ssdeep: 1536:/vWTBfBIjpOIB6GJ5I5MBHGPMKOeDIWS2Fw:XMBpIlOIBh3Iu7e1M

File Size: 103.078 Bytes

Android.Zitmo-Urlzone.apk

Submission date: 2013-09-12 07:28:33 UTC

Result: 23/47

Download:

Android.Zitmo-Urlzone.rar (password is infected)

Before analyzing the Dalvik bytecode or the decompiled Java source, we go through the AndroidManifest.xml file to understand the application’s characteristics.

Below is the manifest file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="1" android:versionName="1.0" package="com.guard.smart" xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@drawable/zamok" android:allowBackup="true">
        <activity android:label="@string/app_name" android:name="com.guard.smart.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <service android:name=".IDLEService" android:enabled="true" />
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name="com.guard.smart.TimerReceiver" />
        <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
</manifest>
```

## Requested Permissions ##

android.permission.RECEIVE_SMS (receive SMS):

Allows an application to receive and process SMS messages.

Malicious applications may monitor your messages or delete them without showing them to you.

android.permission.ACCESS_NETWORK_STATE (view network status):

Allows an application to view the status of all networks.

android.permission.INTERNET (full Internet access):

Allows an application to create network sockets.

android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot):

Allows an application to start itself as soon as the system has finished booting.

android.permission.SEND_SMS (send SMS messages):

Allows an application to send SMS messages.

Malicious applications may cost you money by sending messages without your confirmation.

android.permission.READ_PHONE_STATE (read phone state and identity):

Allows an application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.

android.permission.WAKE_LOCK (prevent phone from sleeping):

Allows an application to prevent the phone from going to sleep.

## Activities ##

From the manifest we can identify the main activity between the activity tags:

```xml
<activity android:label="@string/app_name" android:name="com.guard.smart.MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>
```

So com.guard.smart.MainActivity is the main activity, and it will be the first class invoked when the malware is launched.

Last but not least we can also check Services and Receivers:

## Services ##

com.guard.smart.IDLEService

```xml
<service android:name=".IDLEService" android:enabled="true" />
```

## Receivers ##

com.guard.smart.SmsReceiver

com.guard.smart.TimerReceiver

com.guard.smart.onBootReceiver

```xml
<receiver android:name=".SmsReceiver">
    <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
<receiver android:name="com.guard.smart.TimerReceiver" />
<receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
    </intent-filter>
</receiver>
```
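The manifest review above (permissions, SMS receiver priority, boot receiver) can be automated for triage. The following script is an added example, not code from the original post; it parses a decoded manifest with the standard library and flags the combination that characterises this sample. The embedded manifest is cut down to the elements the post quotes that the check inspects.

```python
# Added example (not code from the post): triage a decoded AndroidManifest.xml for the SMS-interception pattern seen here.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
# The elements of the manifest quoted in the post that the check inspects.
SAMPLE_MANIFEST = """<manifest package="com.guard.smart"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
    <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
</manifest>"""

def attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def qualify(pkg, name):
    # ".SmsReceiver" in a manifest is shorthand for "<package>.SmsReceiver"
    return pkg + name if name.startswith(".") else name

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    sms_receivers, boot_receivers = [], []
    for rcv in root.iter("receiver"):
        name = qualify(pkg, attr(rcv, "name"))
        for flt in rcv.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                sms_receivers.append((name, int(attr(flt, "priority") or 0)))
            if BOOT_COMPLETED in actions:
                boot_receivers.append(name)
    # Zitmo-style indicator: a high-priority SMS_RECEIVED receiver (1000 here) plus the permissions to read SMS and upload them.
    suspicious = (any(p >= 1000 for _, p in sms_receivers)
                  and {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms)
    return {"package": pkg, "permissions": perms, "sms_receivers": sms_receivers,
            "boot_receivers": boot_receivers, "suspicious": suspicious}
```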

Now that we’ve analysed the manifest, we can take a look at the code.

The onCreate() method of MainActivity is what we are interested in, so here’s the code:

```java
protected void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    j = getApplicationContext();
    a.c(j);                       // obfuscated helper class com.guard.smart.a (see the API calls below)
    if (!b[0].isEmpty())          // b and f are obfuscated fields of MainActivity
        a.a(j);
    if (f.isEmpty()) {
        setContentView(2130903040);                                      // numeric resource IDs as emitted by the decompiler
        ((Button)findViewById(2131165187)).setOnClickListener(new c(this));
        return;
    }
    // the rest of the method is not reproduced in the post
}
```

The malware is clearly able to survive a reboot. If you scroll up to the manifest explanation you’ll see that the RECEIVE_BOOT_COMPLETED permission and the onBootReceiver receiver are requested in order to remain persistent on the system.

Here is its code:

```java
public class onBootReceiver extends BroadcastReceiver {
    public void onReceive(Context paramContext, Intent paramIntent) {
        // As decompiled, the trailing semicolon makes this an empty statement:
        // the action check has no effect and the try block always runs.
        if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction()));
        try {
            a.c(paramContext);
            if (!MainActivity.b[0].isEmpty())
                a.a(paramContext);
            return;
        } catch (Exception localException) {
        }
    }
}
```

The app checks whether an Internet connection is available:

Source: com.guard.smart.a –> API Call: android.net.ConnectivityManager.getActiveNetworkInfo

Source: com.guard.smart.a –> API Call: android.net.NetworkInfo.isConnected

It queries the unique device ID (IMEI, MEID or ESN) and the phone number:

Source: com.guard.smart.a –> API Call: android.telephony.TelephonyManager.getLine1Number

Source: com.guard.smart.a –> API Call: android.telephony.TelephonyManager.getDeviceId

## File operations ##

write /data/data/com.android.de.avguard/cfg.txt

Hardcoded URLs:

http://appsmartsystem.com/sms/me.php

http://appsecuritysystem.com/sms/me.php

URL parameters:

dd=%DD%

devid=%DEVID%

login=%LOGIN%

number=%NUMBER%

phone=%PHONE%

POST Requests:

http://securesmartconnect.com/ss/app.php

http://securesmartconnect.net/ss/app.php
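The hardcoded hosts, server-side script paths and the check-in parameter set listed above are usable as network detection content. The following is an added example, not code from the original post: it classifies outbound requests from constructed proxy log lines, flagging known hosts, known paths, and the full dd/devid/login/number/phone parameter set so that a new domain serving the same script is still caught. The log format and the DEVID_PLACEHOLDER value are constructed for the example.

```python
# Added example (not code from the post): flag proxy-log requests that match the
# Zitmo-Urlzone check-in pattern documented above.
from urllib.parse import urlsplit, parse_qs

# Hosts, paths and parameters taken from the post's analysis.
KNOWN_C2_HOSTS = {"appsmartsystem.com", "appsecuritysystem.com",
                  "securesmartconnect.com", "securesmartconnect.net"}
C2_PATHS = {"/sms/me.php", "/ss/app.php"}
CHECKIN_PARAMS = {"dd", "devid", "login", "number", "phone"}

# Constructed sample proxy log: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2013-09-12T07:31:02Z 10.0.0.15 GET http://appsmartsystem.com/sms/me.php?dd=1&devid=DEVID_PLACEHOLDER&login=user&number=%2B49111&phone=%2B49222
2013-09-12T07:31:05Z 10.0.0.15 POST http://securesmartconnect.com/ss/app.php
2013-09-12T07:32:10Z 10.0.0.22 GET http://example.org/sms/me.php?phone=1&login=a&devid=b&number=c&dd=0
2013-09-12T07:33:00Z 10.0.0.30 GET http://example.com/index.php?login=a
"""

def classify(url):
    """Return the reasons a URL looks like a Zitmo-Urlzone check-in (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in KNOWN_C2_HOSTS:
        reasons.append("known C2 host")
    if parts.path in C2_PATHS:
        reasons.append("known C2 path")
    # The parameter set catches the same server script behind a domain not yet on the list.
    if CHECKIN_PARAMS <= set(parse_qs(parts.query)):
        reasons.append("check-in parameter set")
    return reasons

def scan_log(text):
    """Yield (client, host, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        timestamp, client, method, url = line.split(" ", 3)
        reasons = classify(url)
        if reasons:
            hits.append((client, urlsplit(url).hostname, reasons))
    return hits
```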

Step 2: The Trojan Action

After the Trojan has been installed successfully, all incoming SMS messages are intercepted and sent to the attacker’s server.

Below is the callgraph:

Links:

APK Tool – A tool for reverse engineering Android apk files

dex2jar – Tools to work with android .dex and java .class files

Manifest.permission | Android Developers