Virus

Riskware/EliteBomb!Android

Analysis

Riskware/EliteBomb!Android is a piece of malware targeting Android mobile phones.
Once launched, the application allows the user to send out a number of SMS messages (ranging from 1 to unlimited) and can hence be used as an SMS spamming hacker tool, provided the phone is rooted.

Technical Details

The application comes in the form of the packages 'com.dylanmtaylor.elitebomb_lite' or 'com.dylanmtaylor.elitebomb' under the name 'EliteBomb Ultimate' (refer Fig 1).

Fig1. Application icons
Once launched, the user is asked to agree to a set of Terms and Conditions explaining the purpose of the application (refer Fig 2).

Fig2. Terms and Conditions of the application
If the user agrees, the user is shown the main application (refer Fig 3).

Fig 3. Main application layout
The first time the application is run and the user tries to send out SMS messages, the application checks whether the phone in question is rooted.
If it is, the user is asked to confirm removal of the SMS limit on the phone (refer Fig 4).

Fig 4. SMS limit removal notification
If the user agrees, the value of 'sms_outgoing_check_max_count' in the phone's settings (stored in the database '/data/data/com.android.providers.settings/databases/settings.db') is set to 999999999. This change allows a large number of SMS messages to be sent from the phone without a warning notification being shown.
The phone is then rebooted.
Thereafter, the phone can be used to send out a number of SMS messages (ranging from 1 to unlimited) to a number and with a message text specified by the user.
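As an added example (not the vendor's tooling), a forensic check a responder could run over a copy of settings.db pulled from a suspect device: it builds a constructed stand-in database carrying the tampered value and flags the key the riskware rewrites. The 'secure' table layout, the stock 30-messages-per-30-minutes defaults and the companion sms_outgoing_check_interval_ms key are assumptions, not taken from this page.

```python
import os
import sqlite3
import tempfile

# Stock Android defaults for the outgoing-SMS rate limiter (assumption: 30
# messages per 30-minute window, as in the platform's SmsUsageMonitor).
DEFAULT_MAX_COUNT = 30
DEFAULT_INTERVAL_MS = 30 * 60 * 1000
# The key the riskware raises to 999999999, plus its companion window key.
WATCHED_KEYS = ("sms_outgoing_check_max_count", "sms_outgoing_check_interval_ms")

def build_sample_settings_db(path, max_count):
    """Write a constructed stand-in for settings.db: a 'secure' table of
    name/value rows, mirroring the settings provider schema (assumption)."""
    if os.path.exists(path):
        os.remove(path)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE secure (_id INTEGER PRIMARY KEY, name TEXT UNIQUE, value TEXT)")
    con.execute("INSERT INTO secure (name, value) VALUES (?, ?)",
                ("sms_outgoing_check_max_count", str(max_count)))
    con.commit()
    con.close()

def audit_sms_limit(path, max_allowed=DEFAULT_MAX_COUNT):
    """Open a pulled settings.db read-only and return (key, value, reason)
    findings for SMS rate-limit settings that no longer match the defaults."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name, value FROM secure WHERE name IN (?, ?)",
                           WATCHED_KEYS).fetchall()
    finally:
        con.close()
    findings = []
    for name, value in rows:
        try:
            number = int(value)
        except (TypeError, ValueError):
            findings.append((name, value, "non-numeric value"))
            continue
        if name == "sms_outgoing_check_max_count" and number > max_allowed:
            findings.append((name, value, f"limit raised above {max_allowed}"))
        elif name == "sms_outgoing_check_interval_ms" and number < DEFAULT_INTERVAL_MS:
            findings.append((name, value, "rate-limit window shortened"))
    return findings

if __name__ == "__main__":
    db = os.path.join(tempfile.mkdtemp(), "settings.db")
    build_sample_settings_db(db, 999999999)  # the value the riskware writes
    print(audit_sms_limit(db))
```

On a real device the file would be pulled with root access and the copy hashed before it is opened; the read-only URI keeps the examiner's tooling from altering the evidence copy.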
Permissions required by the application:
  • SEND_SMS
  • WRITE_SMS
  • READ_SMS
  • READ_PHONE_STATE
  • INTERNET

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.