4 April 2012, 00:07

 

Mobile malware (will we call it "mobalware" some day?) seems to follow the same trends as regular malware... only somewhat faster.

 

Anyway, I liked an app that aims to improve on the standard Android SMS reader/writer: ChompSMS. It comes in a free, ad-supported version and a paid version; this post is about the free one.

 

One day, recently, I noticed that the ad displayed while browsing SMS messages had changed.

 

Here are a few of the banners I found interesting:

 

[image: batt_-banner1_chompSMS_annon.png]

[image: batt_banner2_ChomSMS_annon.png]

[image: batt_banner3_chompSMS_annon.png]

 

 

See the banner at the bottom of the screen?

If I tap it, the real part begins.

 

[image: batt2.png]

 

 

Obviously there is no choice here: only the orange "next" button. That is what I'm here for, so let's tap it!

 

 

[image: batt_alert2_040412.png]

 

The displayed instructions are worth reading :) Everything is designed to convince the user to download, install and activate whatever is about to be downloaded... and along the way they recommend enabling "Unknown sources", the setting that lets apps be installed from outside the official market!

 

What about antivirus? Not bad on this one.

Webroot does detect it and alerts:

[image: webroot_alert1_040412.png]

And Dr.Web does the same:

[image: drweb_alert1_040412.png]

Note that even the file name is carefully chosen: "Battery_Upgrade--Tap_to_Start", complete with a reminder to "tap to start"!

 

Now, where does this come from?

Let's look at the network traffic ChompSMS generates right after it is launched:

[image: HTTP_trafic_CHompSMS_Ads_040412.png]

Bingo, here is the real, complete ad URL:

http://www.mmnetwork.mobi/s.php?sig=5942e84d7db11dc54eda6157a3c2bc7a&adid=480&banner=320_50&cid=89&advid=846&e=c8&d=92888&f=m&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1

It returns exactly the banner we saw at the bottom of the ChompSMS screen above.

But looking at the URL more closely reveals something else: the "ua" parameter carries the device's complete User-Agent string, which gives away:

- OS family: Linux

- OS version: Android 2.3.3

- locale: fr-fr

- device model and build: GT-I9100 (a Samsung Galaxy S II), build GINGERBREAD

- rendering engine: AppleWebKit 533.1, with the usual "KHTML, like Gecko" compatibility token

- browser: Version/4.0 Mobile Safari 533.1, i.e. the stock Android browser

All I can say so far is that this is a real fingerprint of the device, and it lets the ad (and the scareware behind it) target specific device configurations and be more effective.

The same goes for this other URL, which additionally sends the phone's public IP address (ip=82.237.173.18) and a device identifier (udid=848053C87A05BDEB3EE36C8919CD4CD1):

http://ads.mojiva.com/ad?site=14717&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1&ip=82.237.173.18&count=1&key=1&zone=19352&url=&premium=1&over_18=0&&udid=848053C87A05BDEB3EE36C8919CD4CD1&type=6

 

Then, when the ad is tapped, the ad system first displays a picture as an ad:

http://admarvel.s3.amazonaws.com/ads/c46767/13307072869253_UNL_st2_480x600_FR_everything.gif

[image: 13307072869253_UNL_st2_480x600_FR_everything.gif]

And even a second one!

http://admarvel.s3.amazonaws.com/ads/c48174/13317172538745_LYRICPLAY_FR_480X600.gif

[image: 13317172538745_LYRICPLAY_FR_480X600.gif]
 

Then the ad system does what I take to be a "call home": ck.php and view.php, presumably click and impression tracking, both carrying the same pid, sid, bid and uid values:

http://107.22.117.140/fam/ck.php?p=__pid=ef8a30b841b36346__sid=14488__bid=352249__cb=0654201044__h=1333491475__uid=292b5557482687e4__s=7789be62e6c35a07fe085f54d7d9fe26

http://107.22.117.140/fam/view.php?p=__pid=ef8a30b841b36346__sid=14488__bid=352249__cb=c32f363568__h=1333491475__uid=292b5557482687e4__s=782405e716ee038035c5457a2cb05672

 

http://adserver.adtechus.com/addyn/3.0/5326.1/2335977/0/0/ADTECH;noperf=1;loc=100;ip=82.237.173.18;key=Samsung_Galaxy+S2;kvip=82.237.173.18;kvcarrier=;misc=1333492265028;target=_self;kvmedition=$edition;kvos=Android;sub1=99f50d6b93f7d3f36b56c4d082a57a135d92caf8;sub2=8ADD4216FF9A40854591929EB3BC02CC081EA2FE;sub3=6568cf499469dbc79707fba422cfd36f;sub4=848053C87A05BDEB3EE36C8919CD4CD1;
 

I can even see the mobile's IP address and the model (Galaxy S2!) here, and sub4 is the same udid that was sent to mojiva, so the two ad networks can tie their records of this device together.


Last but not least, the download starts:

URL: https://s3.amazonaws.com/battery.supercharge/downloads/m--france--2012-03-28.a-en-9.apk?AWSAccessKeyId=AKIAIADYPOKA37DVGHGQ&Expires=1649026622&response-content-disposition=attachment;%20filename=Battery_Upgrade--Tap_to_Start.apk&response-content-type=application/vnd.android.package-archive&Signature=TZCWnCk5wbn%2BeoL1WCkcqfky3pw%3D

File name: /mnt/sdcard/.downloadTemp/Battery_Upgrade--Tap_to_Start.apk

Two details in this URL are worth noting. It is an S3 pre-signed link (AWSAccessKeyId, Expires and Signature in the query string): anyone holding it can fetch the APK without credentials until the Expires timestamp, and 1649026622 is 3 April 2022, ten years after this capture. And the response-content-disposition parameter is what turns the stored object name, m--france--2012-03-28.a-en-9.apk, into the friendly "Battery_Upgrade--Tap_to_Start.apk" the phone saves.
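The fingerprint, the identifiers shared between ad hosts and the lifetime of the signed download link can all be pulled out of the captured URLs mechanically. The following Python script is an example added to this post, not code from ChompSMS, the ad networks or the APK; it uses only the URLs shown above, and its function names and the stock-Android User-Agent layout it assumes are its own:

```python
"""Parse the ad-network requests captured above for the device fingerprint and
tracking identifiers they carry.  Example added to this post, not code from
ChompSMS, the ad networks or the APK.  The URLs are copied from the capture; the
function names and the UA layout assumed in parse_user_agent() are the example's own."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus, urlsplit

UA = ("Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29"
      "+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1")
MMNETWORK_URL = ("http://www.mmnetwork.mobi/s.php?sig=5942e84d7db11dc54eda6157a3c2bc7a&adid=480"
                 "&banner=320_50&cid=89&advid=846&e=c8&d=92888&f=m&ua=" + UA)
MOJIVA_URL = ("http://ads.mojiva.com/ad?site=14717&ua=" + UA + "&ip=82.237.173.18&count=1&key=1"
              "&zone=19352&url=&premium=1&over_18=0&&udid=848053C87A05BDEB3EE36C8919CD4CD1&type=6")
ADTECH_URL = ("http://adserver.adtechus.com/addyn/3.0/5326.1/2335977/0/0/ADTECH;noperf=1;loc=100"
              ";ip=82.237.173.18;key=Samsung_Galaxy+S2;kvip=82.237.173.18;kvcarrier="
              ";misc=1333492265028;target=_self;kvmedition=$edition;kvos=Android"
              ";sub1=99f50d6b93f7d3f36b56c4d082a57a135d92caf8"
              ";sub2=8ADD4216FF9A40854591929EB3BC02CC081EA2FE"
              ";sub3=6568cf499469dbc79707fba422cfd36f;sub4=848053C87A05BDEB3EE36C8919CD4CD1;")
DOWNLOAD_URL = ("https://s3.amazonaws.com/battery.supercharge/downloads/m--france--2012-03-28.a-en-9.apk"
                "?AWSAccessKeyId=AKIAIADYPOKA37DVGHGQ&Expires=1649026622"
                "&response-content-disposition=attachment;%20filename=Battery_Upgrade--Tap_to_Start.apk"
                "&response-content-type=application/vnd.android.package-archive"
                "&Signature=TZCWnCk5wbn%2BeoL1WCkcqfky3pw%3D")
AD_URLS = [MMNETWORK_URL, MOJIVA_URL, ADTECH_URL]

# Stock Android 2.x browser UA (assumed layout): platform list in parentheses, then engine/browser.
UA_RE = re.compile(r"Mozilla/5\.0 \((?P<platform>[^)]*)\) AppleWebKit/(?P<webkit>[\d.]+) "
                   r"\(KHTML, like Gecko\) Version/(?P<version>[\d.]+) Mobile Safari/(?P<safari>[\d.]+)")
TRACKING_KEYS = ("ip", "kvip", "udid", "key", "misc", "sub1", "sub2", "sub3", "sub4")


def query_params(url):
    """Request parameters as a dict: the '&'-separated query string, or, for
    ADTECH, the ';'-separated parameters carried in the path."""
    parts = urlsplit(url)
    if parts.query:
        raw, sep = parts.query, "&"
    elif ";" in parts.path:
        raw, sep = parts.path.split(";", 1)[1], ";"
    else:
        return {}
    params = {}
    for item in filter(None, raw.split(sep)):        # drops the empty token from '&&'
        key, _, value = item.partition("=")
        params[key] = unquote_plus(value)             # '+' and %XX back to text
    return params


def parse_user_agent(ua):
    """Split the UA string into the device facts it leaks; {} if not in the stock layout."""
    m = UA_RE.fullmatch(ua)
    if not m:
        return {}
    tokens = [t.strip() for t in m.group("platform").split(";")]
    tokens += [""] * (5 - len(tokens))                # tolerate a shorter platform list
    model, _, build = tokens[4].partition(" Build/")
    return {"os_family": tokens[0],                   # Linux
            "security": tokens[1],                    # U: the old Mozilla 'strong crypto' flag
            "os_version": tokens[2],                  # Android 2.3.3
            "locale": tokens[3],                      # fr-fr
            "model": model,                           # GT-I9100, i.e. a Samsung Galaxy S II
            "build": build,                           # GINGERBREAD
            "webkit": m.group("webkit"), "browser_version": m.group("version"),
            "safari": m.group("safari")}


def fingerprint(url):
    """Everything one request tells that ad host about the device or the user."""
    params = query_params(url)
    record = {"host": urlsplit(url).hostname}
    record.update(parse_user_agent(params.get("ua", "")))
    record.update({k: params[k] for k in TRACKING_KEYS if params.get(k)})
    return record


def shared_identifiers(urls, min_len=8):
    """{value: sorted hosts} for values that more than one ad host received;
    short values such as '1' are ignored so only real identifiers surface."""
    seen = {}
    for url in urls:
        for value in query_params(url).values():
            if len(value) >= min_len:
                seen.setdefault(value, set()).add(urlsplit(url).hostname)
    return {v: sorted(h) for v, h in seen.items() if len(h) > 1}


def presigned_expiry(url):
    """Expiry (UTC) of an S3 query-string-authenticated URL, plus the file name its
    response-content-disposition override makes the client save the APK under."""
    params = query_params(url)
    expires = datetime.fromtimestamp(int(params["Expires"]), tz=timezone.utc)
    m = re.search(r"filename=([^;]+)", params.get("response-content-disposition", ""))
    return expires, (m.group(1).strip() if m else "")


if __name__ == "__main__":
    for url in AD_URLS:
        print(fingerprint(url))
    print("shared across ad hosts:", shared_identifiers(AD_URLS))
    print("APK link valid until %s, saved as %s" % presigned_expiry(DOWNLOAD_URL))
```

Run stand-alone it prints one record per ad host, then the values more than one host received: the User-Agent string (mmnetwork and mojiva), the IP address and the udid (mojiva and ADTECH, where the udid arrives as sub4), and finally the expiry of the S3 link. The min_len threshold is an arbitrary choice that keeps flags like "1" out of the correlation; the "misc" value sent to ADTECH is kept as an opaque string, since the page does not say what it is.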

 

About the file?

VirusTotal says 7 AVs out of 42 detect it...

SHA1: afdf9c78e0e1bc41192664ba3040908c18d72a3a
MD5: 1e67b070accd8d71024f240504b59140
File size: 529.3 KB (541956 bytes)
File name: Battery_Upgrade--Tap_to_Start.apk
File type: Android
Detection ratio: 7 / 42
Analysis date: 2012-04-03 23:28:47 UTC

 

https://www.virustotal.com/file/6e129566f5139532c18779ae96c4f228a15d27032081d46f486ae029c4d6dce7/analysis/1333495727/

 

 More to come... 
