[Security] SMS Trojans: all around the world
In the middle of July I wrote about porn SMS senders which covertly subscribed users to a range of premium-rate services with the promise of raunchy images. These applications were targeting users from the US, Malaysia, the Netherlands, the UK, Kenya and South Africa. At the end of that blog post I wrote that ‘…the appearance of several applications which use premium rate SMS messages and target users from completely different countries leads us to the conclusion that it’s no longer just a problem in Russia and China, unfortunately’.
Now this problem has evolved to SMS Trojans which target users from a number of European countries and Canada. Yes, these SMS Trojans don’t target either Russian or Chinese smartphone users.
According to the messages we found on Internet forums, the first infections were reported in early September. Somebody downloaded an application to manage and monitor his own SMS/MMS messages, calls and traffic. After launching this application it displayed the message that it was not compatible with the user’s Android version. And then the user’s mobile account was emptied.
We tracked down this application and unsurprisingly it turned up to be an SMS Trojan which sends 4 SMS messages to premium rate numbers. We detect it as Trojan-SMS.AndroidOS.Foncy.
It was spread via a file hosting website with the name ‘SuiConFo.apk’. After installation, it appears on the main menu of Android smartphones:
There are 2 main malicious classes of this Trojan: ‘MagicSMSActivity.class’ and ‘SMSReceiver.class’. The first is mainly responsible for sending SMS messages, while the second is used to hide incoming messages from specific numbers. As mentioned above, after launching this app shows an ‘Android version is not compatible’ error message:
Right after displaying this message the Trojan will call the public method getSimCountryIso in theTelephonyManager class in order to retrieve the ISO country code of the SIM card:
After that, the malware defines the variables ‘s1’ (SMS number) and ‘s2’ (SMS text):
The list of countries consists of 8 options: France (81001 SMS number), Belgium (9903 SMS number), Switzerland (543 SMS number), Luxembourg (64747 SMS number), Canada (60999 SMS number), Germany (63000 SMS number), Spain (35064 SMS number), and the UK (60999 SMS number).
It looks like the virus writers made a mistake in the code. The Trojan will send an SMS message using theSmsManager class with the sendTextMessage method:
smsmanager.sendTextMessage(s1, null, s2, pendingintent, pendingintent1)where ‘s1’ is a number and ‘s2’ is a text. These variables are defined correctly for all countries except Canada:
s1 = "SP";
s2 = "60999";
s1 = "SP";
s2 = "60999";
After defining the country and, therefore, the number and message text, the Trojan will send 4 SMS messages with the help of the sendTextMessage method as mentioned above.
SMSReceiver.class is responsible for hiding incoming SMS messages from particular numbers. If there is an incoming SMS message from one of the following numbers: 81001, 35064, 63000, 9903, 60999, 543, 64747, then the Trojan will try to hide it using the abortBroadcast method. The number itself is retrieved from the SMS message with the help of getDisplayOriginatingAddress.
There is another interesting thing lurking inside this malware. If you look at this part of the code:
you may notice that after hiding the incoming message (abortBroadcast) this Trojan will send one more SMS to a French cell phone number with the text stored in the ‘s’ variable. And that ‘s’ variable is defined with the help of the getMessageBody method when an incoming SMS message arrives.
In other words, the Trojan will send an SMS message to a French cell phone number with the text taken from a reply from a premium rate number. This may help the cybercriminals find out how many premium SMS messages have been sent.
Unfortunately, today SMS Trojans are one the easiest ways for cybercriminals to make easy money fast. Malicious use of premium rate SMS services is spreading around the world, and I’m pretty sure it’s not going to stop any time soon. We’ll keep you posted.