Monday, May 13, 2013

Android SMSSpy / SMSSender / Nopoc.A



Sample credit: Jihong Park



Size: 253578
MD5:  74E09C5F57D5A040C86A86CDAD7F04FA



Download:  (Email me if you need the pass scheme for the newer samples)
VirusTotal results
https://www.virustotal.com/en/file/0f540a52242e6d97e12ad9d85e8523f9aee788ac8566284055e91155568da714/analysis/1368445857/

Comodo UnclassifiedMalware 20130513
F-Secure Trojan:Android/SmsSpy.O 20130513
TrendMicro-HouseCall TROJ_GEN.F47V0503 20130513
Kaspersky HEUR:Trojan-Spy.AndroidOS.SmForw.i 20130513
Avast Android:SMForw-K [Trj] 20130513
Fortinet Android/SmsSend.AM 20130513
AVG Android/ClickerAgent 20130513
Emsisoft Android.Trojan.SmsSpy.Q (B) 20130513
MicroWorld-eScan Android.Trojan.SmsSpy.Q 20130513
BitDefender Android.Trojan.SmsSpy.Q 20130513
GData Android.Trojan.SmsSpy.Q 20130513
Kingsoft Android.Troj.at_SmForw.e.(kcloud) 20130506
DrWeb Android.SmsForward.2.origin 20130513
CAT-QuickHeal Android.SmForw.B 20130513
Sophos Andr/SmsSend-AM 20130513
ESET-NOD32 a variant of Android/Spy.Nopoc.A 20130513


Risk summary
  The studied DEX file makes use of API reflection
  Permissions that allow the application to manipulate SMS
  Permissions that allow the application to perform payments
  Permissions that allow the application to access the Internet
  Permissions that allow the application to access private information
  Other permissions that could be considered dangerous in certain scenarios

Required permissions
  android.permission.SEND_SMS (send SMS messages)
  android.permission.READ_PHONE_STATE (read phone state and identity)
  android.permission.RECEIVE_SMS (receive SMS)
  android.permission.INTERNET (full Internet access)

Permission-related API calls
  ACCESS_NETWORK_STATE
  READ_PHONE_STATE
  VIBRATE
  INTERNET

Main Activity
  com.Copon.MainActivity

Activities
  com.Copon.MainActivity

Services
  com.Copon.clService

Receivers
  com.Copon.SMS

Activity-related intent filters
  com.Copon.MainActivity
    actions: android.intent.action.MAIN
    categories: android.intent.category.LAUNCHER

Receiver-related intent filters
  com.Copon.SMS
    actions: android.provider.Telephony.SMS_RECEIVED

Code-related observations
  The application does not load any code dynamically
  The application contains reflection code
  The application does not contain native code
  The application does not contain cryptographic code

Application certificate information

Application bundle files

C2:
http:// 125.192.90. 17/tm/login.php