Riskware/SmsCred!Android
Analysis
Riskware/SmsCred!Android is an application for sending free SMS messages internationally. The application helps the end-user register with various free services that offer free SMS sending.
This registration step is done with the user's consent.
The problem is that the credentials the end-user supplies for each of those services are stored unprotected on the device and leaked in clear text over the network each time the end-user sends an SMS.
Technical Details
The riskware is typically named Free SMS Way.
It comes packaged as com.vino.android.sms.
For each service the end-user subscribes to, the credentials are stored unencrypted (without any particular protection) in a shared preferences file: com.vino.android.sms_preferences.xml.
More disturbing, every time the user tries to send an SMS using this service, the credentials are sent in plain text, as query-string parameters of an unencrypted HTTP request, to the server of the selected service. Query-string parameters sent over plain HTTP are visible to anyone on the network path and typically end up in web-server and proxy logs as well.
Example:
www.youm[CENSORED].com/LoginVerification.php?name=[USER]&pass=[PASSWORD]&agreement=true&checkvalue=false
www.viv[CENSORED]co.in/freesmsway/sendsms.php?user=[USER]&pass=[PASSWORD]&phno=[SMS_Dest]&msg=[SMS_Body]&gateway=160by2
The riskware contains the following files:
- res/anim/rotate_anim.xml
- res/layout/admob_preference.xml
- res/layout/contact_item.xml
- res/layout/contact_list.xml
- res/layout/contact_picker.xml
- res/layout/date_time_dialog.xml
- res/layout/datepicker.xml
- res/layout/datetimepicker.xml
- res/layout/empty_layout.xml
- res/layout/help.xml
- res/layout/inbox.xml
- res/layout/main.xml
- res/layout/sms_custom_list_item2.xml
- res/layout/sms_custom_list_item_android.xml
- res/layout/sms_custom_list_layout.xml
- res/layout/sms_edit_stub_loyout.xml
- res/layout/sms_main_list_item.xml
- res/layout/sms_main_list_layout.xml
- res/layout/sms_phrase_list_layout.xml
- res/layout/sms_qqface.xml
- res/layout/sms_qqface_grid_view.xml
- res/layout/sms_read_layout.xml
- res/layout/sms_show_widget_loyout.xml
- res/layout/timepicker.xml
- res/layout/z_sms_list_normal.xml
- res/layout/z_sms_simple_dialog.xml
- res/layout/z_write_sms_normal.xml
- res/menu/gateways.xml
- res/menu/inbox_context_menu.xml
- res/menu/main_context_menu.xml
- res/menu/main_menu.xml
- res/menu/options.xml
- res/xml/buttonfocus.xml
- res/xml/color_list.xml
- res/xml/preferences.xml
- res/xml/sms_content_searchable.xml
- res/xml/sms_show_widget.xml
- AndroidManifest.xml
- resources.arsc
- res/drawable-hdpi/launcher.png
- res/drawable-ldpi/icon.png
- res/drawable-mdpi/add_number.xml
- res/drawable-mdpi/add_number_default.png
- res/drawable-mdpi/add_number_focused.png
- res/drawable-mdpi/batch_mode.png
- res/drawable-mdpi/bg_widget.png
- res/drawable-mdpi/bg_widget_1_1.png
- res/drawable-mdpi/bgalt.xml
- res/drawable-mdpi/bgnorm.xml
- res/drawable-mdpi/bl_btn_bg.png
- res/drawable-mdpi/bl_head_bg.png
- res/drawable-mdpi/bl_incoming.9.png
- res/drawable-mdpi/bl_outgoing.9.png
- res/drawable-mdpi/compose_new.xml
- res/drawable-mdpi/compose_new_default.png
- res/drawable-mdpi/compose_new_focused.png
- res/drawable-mdpi/compose_new_gr.xml
- res/drawable-mdpi/compose_new_lo.xml
- res/drawable-mdpi/de_btn_bg.png
- res/drawable-mdpi/empty.png
- res/drawable-mdpi/feedback_star.png
- res/drawable-mdpi/gr_compose_new.png
- res/drawable-mdpi/gr_head_bg.jpg
- res/drawable-mdpi/gr_list_bg.jpg
- res/drawable-mdpi/gr_outgoing.9.png
- res/drawable-mdpi/head_bg.png
- res/drawable-mdpi/head_bg_copy.png
- res/drawable-mdpi/icon.png
- res/drawable-mdpi/icon_group.png
- res/drawable-mdpi/icon_me.png
- res/drawable-mdpi/inbox_sms.png
- res/drawable-mdpi/incoming.9.png
- res/drawable-mdpi/lo_compose_new.png
- res/drawable-mdpi/lo_head_bg.png
- res/drawable-mdpi/lo_incoming.9.png
- res/drawable-mdpi/lo_list_bg.jpg
- res/drawable-mdpi/lo_list_bg1.jpg
- res/drawable-mdpi/lo_outgoing.9.png
- res/drawable-mdpi/lock.png
- res/drawable-mdpi/log.png
- res/drawable-mdpi/menu_help.png
- res/drawable-mdpi/menu_share.png
- res/drawable-mdpi/more.png
- res/drawable-mdpi/next_thread.png
- res/drawable-mdpi/notif_icon.png
- res/drawable-mdpi/outbox_sms.png
- res/drawable-mdpi/outgoing.9.png
- res/drawable-mdpi/preferences_icon.png
- res/drawable-mdpi/previous_thread.png
- res/drawable-mdpi/qqface00.png
- res/drawable-mdpi/qqface01.png
- res/drawable-mdpi/qqface02.png
- res/drawable-mdpi/qqface03.png
- res/drawable-mdpi/qqface04.png
- res/drawable-mdpi/qqface05.png
- res/drawable-mdpi/qqface06.png
- res/drawable-mdpi/qqface07.png
- res/drawable-mdpi/qqface08.png
- res/drawable-mdpi/qqface09.png
- res/drawable-mdpi/qqface10.png
- res/drawable-mdpi/qqface11.png
- res/drawable-mdpi/schedule_disabled.png
- res/drawable-mdpi/schedule_enabled.png
- res/drawable-mdpi/send_160by2.png
- res/drawable-mdpi/send_amitoos.gif
- res/drawable-mdpi/send_default.png
- res/drawable-mdpi/send_freesms8.PNG
- res/drawable-mdpi/send_fullonsms.png
- res/drawable-mdpi/send_indyarocks.png
- res/drawable-mdpi/send_site2sms.png
- res/drawable-mdpi/send_sms440.png
- res/drawable-mdpi/send_smsfi.png
- res/drawable-mdpi/send_way2sms.png
- res/drawable-mdpi/send_youmint.png
- res/drawable-mdpi/smiley_btn.png
- res/drawable-mdpi/sms_failed.png
- res/drawable-mdpi/sms_read_bg.png
- res/drawable-mdpi/sms_sending.png
- res/drawable-mdpi/sms_simple_dialog_bg.png
- res/drawable-mdpi/sms_unread_bg.png
- res/drawable-mdpi/telephone_black.png
- res/drawable-mdpi/telephone_black_focused.png
- res/drawable-mdpi/telephone_icon.xml
- res/drawable-mdpi/unknown_contact.png
- res/drawable-mdpi/wh_btn_bg.png
- res/drawable-mdpi/wh_head_bg.png
- res/drawable-mdpi/wh_incoming.9.png
- res/drawable-mdpi/wh_main_bg.png
- res/drawable-mdpi/wh_outgoing.9.png
- res/drawable-mdpi/write_sms.png
- res/layout-port/sms_main_setting.xml
- res/layout-port/sms_on_reciver_simple.xml
- res/layout-port/z_common_word.xml
- res/layout-port/z_list_item.xml
- classes.dex
- META-INF/MANIFEST.MF
- META-INF/CERT.SF
- META-INF/CERT.RSA
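The two weaknesses described under Technical Details (credentials kept unprotected in the shared-preferences file, and the same credentials passed as query-string parameters over plain HTTP) are the kind of thing an analyst confirms from a proxy log and a preferences file pulled from the device. The Python below is an added example written for this page; it is not code from the application or from the original write-up. It parses constructed sample request URLs modelled on the censored ones above (the hosts are placeholder .test names, the account values are made up) and a constructed shared-preferences dump whose key names (youmint_name, relay_pass and so on) are assumptions, and flags credential-looking parameters and entries.

```python
"""Triage helper for the cleartext-credential behaviour described above.

Added example, not part of the original write-up or the application's code.
Two checks an analyst would run:
  1. parse request URLs captured from the device (e.g. from a proxy log) and
     flag credential-looking query parameters that travelled over plain http;
  2. parse a shared_preferences XML file and flag entries that look like
     stored account credentials.
Hostnames, account values and preference key names below are assumptions;
the sample data is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Parameter / key names that usually carry an account identifier or secret.
CRED_KEY = re.compile(r"(pass|pwd|password|user|name|login|token)", re.I)

# Constructed sample traffic, modelled on the censored URLs in the write-up.
SAMPLE_REQUESTS = [
    "http://www.example-gateway.test/LoginVerification.php"
    "?name=alice&pass=Secret123&agreement=true&checkvalue=false",
    "http://www.example-relay.test/freesmsway/sendsms.php"
    "?user=alice&pass=Secret123&phno=%2B15550100&msg=hello&gateway=160by2",
    "https://www.example-relay.test/free_sms_way.php?check_update",
]

# Constructed shared-preferences dump; key names are assumptions.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="youmint_name">alice</string>
    <string name="youmint_pass">Secret123</string>
    <string name="relay_user">alice</string>
    <string name="relay_pass">Secret123</string>
    <string name="theme">green</string>
    <boolean name="schedule_enabled" value="false" />
    <int name="sms_sent" value="12" />
</map>
"""


def find_leaked_credentials(url: str) -> list:
    """Return credential-looking query parameters of one request.

    Each finding records host, path, parameter, decoded value and whether
    the request went over a scheme other than https (i.e. cleartext).
    """
    parts = urlsplit(url)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if CRED_KEY.search(key):
            findings.append({
                "host": parts.hostname,
                "path": parts.path,
                "param": key,
                "value": value,
                "cleartext": parts.scheme.lower() != "https",
            })
    return findings


def find_stored_credentials(prefs_xml: str) -> list:
    """Return (key, value) pairs of string preferences that look like credentials.

    Only <string> entries are considered; booleans and ints cannot hold a
    password in the shared_preferences format.
    """
    root = ET.fromstring(prefs_xml)
    hits = []
    for el in root:
        name = el.get("name", "")
        if el.tag == "string" and CRED_KEY.search(name):
            hits.append((name, el.text or ""))
    return hits


def report(urls, prefs_xml):
    """Print both findings lists; return (cleartext_param_count, stored_count)."""
    leaked = [f for u in urls for f in find_leaked_credentials(u) if f["cleartext"]]
    stored = find_stored_credentials(prefs_xml)
    for f in leaked:
        print(f"cleartext {f['param']}={f['value']!r} -> http://{f['host']}{f['path']}")
    for name, value in stored:
        print(f"stored    {name}={value!r} (unprotected shared preference)")
    return len(leaked), len(stored)


if __name__ == "__main__":
    report(SAMPLE_REQUESTS, SAMPLE_PREFS)
```

On the sample data the report flags four cleartext parameters (name and pass on the login request, user and pass on the send request; the https update check carries none) and four stored credential strings. On a real case the URLs would come from a proxy or pcap export and the XML from /data/data/com.vino.android.sms/shared_prefs/ on a rooted test device, and the key regex would be tuned to what the specific app actually writes.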
Permissions required by the riskware:
- SEND_SMS (send SMS messages)
- RECEIVE_SMS (receive SMS messages)
- CALL_PHONE (place phone calls)
- READ_CONTACTS
- INTERNET
- VIBRATE
It contacts the following URLs:
- hxxp://XXXXXms8.in/Free-SMS-Select-Country.aspx
- hxxp://XXXXXnsms.com/Register.php
- hxxp://XXXXX.way2sms.com/jsp/UserRegistration.jsp
- hxxp://XXXXX0.com/indexReg.aspx
- hxxp://XXXXXdia.in/user/registeration.aspx
- hxxp://XXXXXside.com/signup.php
- hxxp://XXXXX.co.in/free_sms_way.php?check_update
- hxxp://XXXXX.co.in/freesmsway/sendsms.php
- hxxp://XXXXX60by2.com/UserReg
- hxxp://XXXXXmitoos.com/
- hxxp://XXXXXndyarocks.com/register_step1.php
- hxxp://XXXXXite2sms.com/userregistration.asp
- hxxp://XXXXXmsfi.com/registration
- hxxp://XXXXXvchannelsfree.com/logtest.php
- hxxp://XXXXXoumint.com
- hxxp://XXXXXoumint.com/
- hxxp://XXXXXoumint.com/FreeSmsNri.php
- hxxp://XXXXXoumint.com/LoginVerification.php?name=
- hxxp://XXXXXoumint.com/Logout.html
- hxxp://XXXXXoumint.com/SendingSms.php?ToMobileNumber=
The riskware uses the following adkits:
- AirPush
- Google Ads
Certificate information:
Owner : CN=Vinothkumar Arputharaj
Serial number: 4f031019
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.