Virus

Riskware/SmsCred!Android

Analysis

Riskware/SmsCred!Android is an application to send free SMS messages internationally. The application helps the end-user register to various free services which offer free SMS sending.
This registration step is done with user's consent.
The problem is that the credentials the end-user uses for each of those services are leaked in clear text each time the end-user sends an SMS.

Technical Details


The malicious application is typically named Free SMS Way.
It comes packaged as com.vino.android.sms.
For each service the end-user subscribes to, credentials are stored (without any particular protection) in a shared preferences file: com.vino.android.sms_preferences.xml.
More disturbing, every time the user tries to send an SMS using this service, the credentials are sent in plain text to the corresponding server of the selected service.
Example:
www.youm[CENSORED].com/LoginVerification.php?name=[USER]&pass=[PASSWORD]&agreement=true&checkvalue=false
www.viv[CENSORED]co.in/freesmsway/sendsms.php?user=[USER]&pass=[PASSWORD]&phno=[SMS_Dest]&msg=[SMS_Body]&gateway=160by2
The riskware contains the following files:
res/anim/rotate_anim.xml
res/layout/admob_preference.xml
res/layout/contact_item.xml
res/layout/contact_list.xml
res/layout/contact_picker.xml
res/layout/date_time_dialog.xml
res/layout/datepicker.xml
res/layout/datetimepicker.xml
res/layout/empty_layout.xml
res/layout/help.xml
res/layout/inbox.xml
res/layout/main.xml
res/layout/sms_custom_list_item2.xml
res/layout/sms_custom_list_item_android.xml
res/layout/sms_custom_list_layout.xml
res/layout/sms_edit_stub_loyout.xml
res/layout/sms_main_list_item.xml
res/layout/sms_main_list_layout.xml
res/layout/sms_phrase_list_layout.xml
res/layout/sms_qqface.xml
res/layout/sms_qqface_grid_view.xml
res/layout/sms_read_layout.xml
res/layout/sms_show_widget_loyout.xml
res/layout/timepicker.xml
res/layout/z_sms_list_normal.xml
res/layout/z_sms_simple_dialog.xml
res/layout/z_write_sms_normal.xml
res/menu/gateways.xml
res/menu/inbox_context_menu.xml
res/menu/main_context_menu.xml
res/menu/main_menu.xml
res/menu/options.xml
res/xml/buttonfocus.xml
res/xml/color_list.xml
res/xml/preferences.xml
res/xml/sms_content_searchable.xml
res/xml/sms_show_widget.xml
AndroidManifest.xml
resources.arsc
res/drawable-hdpi/launcher.png
res/drawable-ldpi/icon.png
res/drawable-mdpi/add_number.xml
res/drawable-mdpi/add_number_default.png
res/drawable-mdpi/add_number_focused.png
res/drawable-mdpi/batch_mode.png
res/drawable-mdpi/bg_widget.png
res/drawable-mdpi/bg_widget_1_1.png
res/drawable-mdpi/bgalt.xml
res/drawable-mdpi/bgnorm.xml
res/drawable-mdpi/bl_btn_bg.png
res/drawable-mdpi/bl_head_bg.png
res/drawable-mdpi/bl_incoming.9.png
res/drawable-mdpi/bl_outgoing.9.png
res/drawable-mdpi/compose_new.xml
res/drawable-mdpi/compose_new_default.png
res/drawable-mdpi/compose_new_focused.png
res/drawable-mdpi/compose_new_gr.xml
res/drawable-mdpi/compose_new_lo.xml
res/drawable-mdpi/de_btn_bg.png
res/drawable-mdpi/empty.png
res/drawable-mdpi/feedback_star.png
res/drawable-mdpi/gr_compose_new.png
res/drawable-mdpi/gr_head_bg.jpg
res/drawable-mdpi/gr_list_bg.jpg
res/drawable-mdpi/gr_outgoing.9.png
res/drawable-mdpi/head_bg.png
res/drawable-mdpi/head_bg_copy.png
res/drawable-mdpi/icon.png
res/drawable-mdpi/icon_group.png
res/drawable-mdpi/icon_me.png
res/drawable-mdpi/inbox_sms.png
res/drawable-mdpi/incoming.9.png
res/drawable-mdpi/lo_compose_new.png
res/drawable-mdpi/lo_head_bg.png
res/drawable-mdpi/lo_incoming.9.png
res/drawable-mdpi/lo_list_bg.jpg
res/drawable-mdpi/lo_list_bg1.jpg
res/drawable-mdpi/lo_outgoing.9.png
res/drawable-mdpi/lock.png
res/drawable-mdpi/log.png
res/drawable-mdpi/menu_help.png
res/drawable-mdpi/menu_share.png
res/drawable-mdpi/more.png
res/drawable-mdpi/next_thread.png
res/drawable-mdpi/notif_icon.png
res/drawable-mdpi/outbox_sms.png
res/drawable-mdpi/outgoing.9.png
res/drawable-mdpi/preferences_icon.png
res/drawable-mdpi/previous_thread.png
res/drawable-mdpi/qqface00.png
res/drawable-mdpi/qqface01.png
res/drawable-mdpi/qqface02.png
res/drawable-mdpi/qqface03.png
res/drawable-mdpi/qqface04.png
res/drawable-mdpi/qqface05.png
res/drawable-mdpi/qqface06.png
res/drawable-mdpi/qqface07.png
res/drawable-mdpi/qqface08.png
res/drawable-mdpi/qqface09.png
res/drawable-mdpi/qqface10.png
res/drawable-mdpi/qqface11.png
res/drawable-mdpi/schedule_disabled.png
res/drawable-mdpi/schedule_enabled.png
res/drawable-mdpi/send_160by2.png
res/drawable-mdpi/send_amitoos.gif
res/drawable-mdpi/send_default.png
res/drawable-mdpi/send_freesms8.PNG
res/drawable-mdpi/send_fullonsms.png
res/drawable-mdpi/send_indyarocks.png
res/drawable-mdpi/send_site2sms.png
res/drawable-mdpi/send_sms440.png
res/drawable-mdpi/send_smsfi.png
res/drawable-mdpi/send_way2sms.png
res/drawable-mdpi/send_youmint.png
res/drawable-mdpi/smiley_btn.png
res/drawable-mdpi/sms_failed.png
res/drawable-mdpi/sms_read_bg.png
res/drawable-mdpi/sms_sending.png
res/drawable-mdpi/sms_simple_dialog_bg.png
res/drawable-mdpi/sms_unread_bg.png
res/drawable-mdpi/telephone_black.png
res/drawable-mdpi/telephone_black_focused.png
res/drawable-mdpi/telephone_icon.xml
res/drawable-mdpi/unknown_contact.png
res/drawable-mdpi/wh_btn_bg.png
res/drawable-mdpi/wh_head_bg.png
res/drawable-mdpi/wh_incoming.9.png
res/drawable-mdpi/wh_main_bg.png
res/drawable-mdpi/wh_outgoing.9.png
res/drawable-mdpi/write_sms.png
res/layout-port/sms_main_setting.xml
res/layout-port/sms_on_reciver_simple.xml
res/layout-port/z_common_word.xml
res/layout-port/z_list_item.xml
classes.dex
META-INF/MANIFEST.MF
META-INF/CERT.SF
META-INF/CERT.RSA


Permissions required by the riskware:
  • Permission to send SMS
  • Permission to receive SMS
  • Permission to call a phone number
  • READ_CONTACTS
  • INTERNET
  • VIBRATE
The riskware connects to Internet.
It contacts the following URLs:
  • hxxp://XXXXXms8.in/Free-SMS-Select-Country.aspx
  • hxxp://XXXXXnsms.com/Register.php
  • hxxp://XXXXX.way2sms.com/jsp/UserRegistration.jsp
  • hxxp://XXXXX0.com/indexReg.aspx
  • hxxp://XXXXXdia.in/user/registeration.aspx
  • hxxp://XXXXXside.com/signup.php
  • hxxp://XXXXX.co.in/free_sms_way.php?check_update
  • hxxp://XXXXX.co.in/freesmsway/sendsms.php
  • hxxp://XXXXX60by2.com/UserReg
  • hxxp://XXXXXmitoos.com/
  • hxxp://XXXXXndyarocks.com/register_step1.php
  • hxxp://XXXXXite2sms.com/userregistration.asp
  • hxxp://XXXXXmsfi.com/registration
  • hxxp://XXXXXvchannelsfree.com/logtest.php
  • hxxp://XXXXXoumint.com
  • hxxp://XXXXXoumint.com/
  • hxxp://XXXXXoumint.com/FreeSmsNri.php
  • hxxp://XXXXXoumint.com/LoginVerification.php?name=
  • hxxp://XXXXXoumint.com/Logout.html
  • hxxp://XXXXXoumint.com/SendingSms.php?ToMobileNumber=
It posts information to remote servers.
The riskware uses the following adkits:
  • AirPush
  • Google Ads

Certificate information:
Owner : CN=Vinothkumar Arputharaj
Serial number: 4f031019

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.