Analysis of Android.Zitmo-Urlzone

Intro: What is Android.Zitmo-Urlzone?
Android.Zitmo-Urlzone is the mobile “add-on” for the banking trojan Urlzone. This app, a Zeus-In-The-Mobile (Zitmo) variant, steals incoming SMS messages and uploads them to a remote server. Its primary purpose is to defeat online banking’s two-factor authentication by intercepting the confirmation SMS (mTAN) that banks send to their customers.

Step 1: Forcing the User to Install the App
If a user’s Windows PC is compromised by Urlzone and the user browses to their bank’s website, a message is shown after login presenting a new security solution that is supposedly now mandatory in order to keep using the online banking service. The new “solution” pretends to be an Android application that protects the phone’s SMS messages from being intercepted by a Trojan installed on the smartphone.

Screenshots of the webinject flow (images not included): Urlzone webinject; Details pop-up; Phone number validation; Waiting for activation code.

To complete the installation, the user has to enter an activation code generated by the malicious app.

Screenshot gate_urlzone: you can see the login credentials as plain text in the source code of the web page.

Screenshots of the installation on the phone (images not included): Download link; Android security warning; Enable the checkbox for “Unknown sources”; Unknown sources warning; Permissions; (Malicious) application installed; Your password!; Smart 1.2 App Security.

The malicious application has the following characteristics:
Original name: SmartSecurity_ver_1_2.apk
MD5: 5f6b00bd0c7567e2a327eac8455aa4a7
SHA-1: da661e06cf48a5f7921af202589a6d6c72c5439e
ssdeep: 1536:/vWTBfBIjpOIB6GJ5I5MBHGPMKOeDIWS2Fw:XMBpIlOIBh3Iu7e1M
File size: 103,078 bytes

Scan result for Android.Zitmo-Urlzone.apk:
Submission date: 2013-09-12 07:28:33 UTC
Result: 23/47

Download: Android.Zitmo-Urlzone.rar (password is infected)

Before analyzing the Dalvik code or Java source code we have to go through the AndroidManifest.xml file to understand the application’s characteristics.

Below is the manifest file:

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="1" android:versionName="1.0" package="com.guard.smart"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@drawable/zamok" android:allowBackup="true">
        <activity android:label="@string/app_name" android:name="com.guard.smart.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <service android:name=".IDLEService" android:enabled="true" />
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name="com.guard.smart.TimerReceiver" />
        <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
</manifest>

## Requested Permissions ##
android.permission.RECEIVE_SMS (receive SMS):
Allows an application to receive and process SMS messages.
Malicious applications may monitor your messages or delete them without showing them to you.

android.permission.ACCESS_NETWORK_STATE (view network status):
Allows an application to view the status of all networks.

android.permission.INTERNET (full Internet access):
Allows an application to create network sockets.

android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot):
Allows an application to start itself as soon as the system has finished booting.

android.permission.SEND_SMS (send SMS messages):
Allows an application to send SMS messages.
Malicious applications may cost you money by sending messages without your confirmation.

android.permission.READ_PHONE_STATE (read phone state and identity):
Allows an application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.

android.permission.WAKE_LOCK (prevent phone from sleeping):
Allows an application to prevent the phone from going to sleep.

## Activities ##
From the manifest we can identify the Main Activity between the activity tags:
        <activity android:label="@string/app_name" android:name="com.guard.smart.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
So com.guard.smart.MainActivity is the main activity, and it will be the first class invoked when the malware is launched.

Last but not least we can also check Services and Receivers:

## Services ##
com.guard.smart.IDLEService
<service android:name=".IDLEService" android:enabled="true" />
## Receivers ##
com.guard.smart.SmsReceiver
com.guard.smart.TimerReceiver
com.guard.smart.onBootReceiver
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name="com.guard.smart.TimerReceiver" />
        <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
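To turn the manifest observations above into a repeatable check, here is an added Python example (not code from the original post) that parses a decoded AndroidManifest.xml and flags the combination this sample shows: an SMS_RECEIVED receiver with a high android:priority, a BOOT_COMPLETED receiver, and the RECEIVE_SMS, INTERNET and RECEIVE_BOOT_COMPLETED permissions; it also lists receivers that are exported implicitly. The embedded manifest is a condensed copy of the one above, and the priority threshold of 100 is my own choice.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
# Permissions that let an app read SMS, reach a server and restart after reboot.
MTAN_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.INTERNET",
              "android.permission.RECEIVE_BOOT_COMPLETED"}
def triage_manifest(xml_text):
    """Collect SMS/boot receivers and flag the Zitmo-style mTAN interception pattern."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sms, boot, exported = [], [], []
    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name", "")
        if name.startswith("."):        # ".SmsReceiver" -> "com.guard.smart.SmsReceiver"
            name = pkg + name
        filters = rcv.findall("intent-filter")
        # intent-filter but no android:exported: exported by default before
        # Android 12, so any app on the device can deliver intents to it.
        if filters and rcv.get(A + "exported") is None:
            exported.append(name)
        for flt in filters:
            actions = {a.get(A + "name") for a in flt.findall("action")}
            prio = flt.get(A + "priority", "0")   # "@integer/..." refs count as 0
            prio = int(prio) if prio.lstrip("-").isdigit() else 0
            if SMS_RECEIVED in actions:
                sms.append((name, prio))
            if BOOT_COMPLETED in actions:
                boot.append(name)
    # Tell-tale combination: high-priority SMS_RECEIVED receiver (it sees the mTAN
    # before the stock messaging app), boot persistence and network access.
    pattern = any(p >= 100 for _, p in sms) and bool(boot) and MTAN_PERMS <= perms
    return {"package": pkg, "sms_receivers": sms, "boot_receivers": boot,
            "implicitly_exported": exported, "mtan_pattern": pattern}

# Constructed, condensed copy of the manifest shown above (same package, receivers,
# filters and the relevant permissions; theme, label and icon attributes dropped).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="com.guard.smart"><application>
 <receiver android:name=".SmsReceiver"><intent-filter android:priority="1000">
  <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
 <receiver android:name=".onBootReceiver" android:exported="false"><intent-filter>
  <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
 </application>
 <uses-permission android:name="android.permission.RECEIVE_SMS"/>
 <uses-permission android:name="android.permission.INTERNET"/>
 <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""
```

Running triage_manifest(SAMPLE_MANIFEST) reports the SmsReceiver at priority 1000, the onBootReceiver, the implicitly exported SmsReceiver and mtan_pattern True; the same manifest with the SMS filter at priority 0 no longer matches.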
Now that we’ve analysed the Manifest, we can take a look at the code.

The method onCreate() of MainActivity is what we are interested in, so here’s the code (decompiled; the helper class a and the static fields b, f and j carry obfuscated names, and resource IDs appear as raw integers):
  protected void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    j = getApplicationContext();
    a.c(j);                        // helper initialisation with the application context
    if (!b[0].isEmpty())
      a.a(j);                      // only runs once b[0] has been populated
    if (f.isEmpty())
    {
      setContentView(2130903040);  // layout resource 0x7f030000
      ((Button)findViewById(2131165187)).setOnClickListener(new c(this)); // view ID 0x7f070003
      return;
    }
    // remainder of the method not shown in the post
  }

The malware is clearly able to survive a reboot. If you scroll up to the manifest explanation you’ll see that the RECEIVE_BOOT_COMPLETED permission and the onBootReceiver receiver are requested in order to remain persistent on the system.

Here is its code (decompiled; the decompiler printed the condition as “if (...);” with the try block after it, which is rendered here as the body of the if):
package com.guard.smart;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class onBootReceiver extends BroadcastReceiver
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction()))
    {
      try
      {
        a.c(paramContext);                 // same helper initialisation as in MainActivity.onCreate()
        if (!MainActivity.b[0].isEmpty())
          a.a(paramContext);
      }
      catch (Exception localException)
      {
        // any failure is silently swallowed
      }
    }
  }
}

Checks if an internet connection is available:
Source: com.guard.smart.a –> API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.guard.smart.a –> API Call: android.net.NetworkInfo.isConnected

Queries the phone number and the unique device ID (IMEI, MEID or ESN):
Source: com.guard.smart.a –> API Call: android.telephony.TelephonyManager.getLine1Number
Source: com.guard.smart.a –> API Call: android.telephony.TelephonyManager.getDeviceId

## File operations ##
write /data/data/com.android.de.avguard/cfg.txt

Hardcoded URLs:
http://appsmartsystem.com/sms/me.php
http://appsecuritysystem.com/sms/me.php

URL parameters:
dd=%DD%
devid=%DEVID%
login=%LOGIN%
number=%NUMBER%
phone=%PHONE%

POST requests:
http://securesmartconnect.com/ss/app.php
http://securesmartconnect.net/ss/app.php

Step 2: The Trojan Action
After the Trojan has been installed successfully, all incoming SMS messages are intercepted and sent to the attacker’s server.

Screenshots (images not included): the menu panel, and the callgraph of the application.

Links:
APK Tool – A tool for reverse engineering Android apk files
dex2jar – Tools to work with android .dex and java .class files
Manifest.permission | Android Developers

This entry was posted in Android, Banking Trojan, English, Malware Forensics, Mobile Security.
