Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015.
The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.
This article discusses Trojan-SMS.AndroidOS.Podec, version 1.23 (the version was identified from analyzing its code). The hash sums are:
This version of the Trojan circulates in Russia and neighboring countries.
|Country||Number of attempts to infect unique users|
The number of infections over time:
Number of attempts to infect unique users
Sources of Infection
According to statistics collected with the help of Kaspersky Security Network, the main sources from which the Trojan in our study spreads are various domains with imposing names (Apk-downlad3.ru, minergamevip.com, etc.), as well as the servers of the popular Russian social network VKontakte (VK, vk.com) that are used to store users' content.
A pie chart of file infection sources
As we see, in most cases the infection is sourced from the social network's servers. Unfortunately, VK's file storage system is anonymous, so there is no way to analyze how malware emerges from it. However, further research identified a number of communities that distribute Trojan-SMS.AndroidOS.Podec on this social network:
(The Russian names of these groups refer to cracking Android games in some form)
All the groups listed here were filled with similar content: images, links and messages.
Each group is about one or more cracked games. The cybercriminals seem to be hoping that potential victims will be attracted by the chance to get free access to content that is usually paid-for.
Nearly all messages on the groups' walls are links leading to sites purportedly containing Android games and applications. The same is true for the "Links" section. In reality, the only purpose these sites served was to spread different versions of Trojan-SMS.AndroidOS.Podec.
Eight groups in the social network with similar visual designs
These groups have a lot in common: the way in which they are managed and designed (e.g. using keywords in place of descriptions, an abundance of simple broad-language messages characteristic of bots, etc.), the links they host to fake sites that seem to be copies of one idea. This suggests that black SEO (Search Engine Optimization) specialists were involved in distributing the Trojan. The above practices help bring links to the malicious resources (sites and groups) closer to the top of search engine results, attracting yet more visitors.
All these clone communities have the same administrator, who is a VK user identified as 'kminetti'. These communities are also advertised on that user's personal page. The user's account was created on 12 October 2011; in 2012, the account's wall started hosting links to sites and communities spreading malicious applications for mobile devices.
Examples of messages posted by the administrator of the malicious communities
Earlier, this account was used as a bot hosting links to web resources to increase their citation indexes (CI).
Examples of the posts placed by the communities' administrator to increase CIs of third-party resources
It can be concluded from all of the above that the VKontakte social network is the main vehicle for distributing Trojan-SMS.AndroidOS.Podec.
The Infection Procedure
The mobile Trojan sample that became available for Kaspersky Lab's analysts masquerades as a popular application, 'Minecraft Pocket Edition'. The file is 688 Kbyte in size, which may be an advantage in the eyes of inexperienced users with a slow and/or expensive Internet access. The official Minecraft application is 10 to 13 MB in size.
When launched, the application asks for device administrator privileges. This step makes sure that neither user nor a security solution can subsequently delete the Trojan. If the user rejects the request, the Trojan keeps repeating it until the privilege is granted. This process effectively blocks the normal use of the device.
Privilege escalation request
When Trojan-SMS.AndroidOS.Podec receives the requested escalated privileges, the legitimate Minecrast app is downloaded from a third-party resource and installed on the SD card. This behavior follows the instructions provided in the configuration file that comes alongside with the Trojan; the same file specifies the link to the legitimate APK file. However, the configuration file does not always contain a link to the application; in this case, the Trojan simply stops any activities observable by the user after it receives the requested privilege escalation.
Part of the configuration file containing the link to legitimate Minecraft installation file
Then the Trojan deletes its shortcut from the apps list and replaces it with the real Minecraft shortcut. However, traces of the Trojan's presence remain in the install apps list and in the device administrators' list:
The option of deleting the malicious app is deactivated. If the device user later seeks to de-escalate the Trojan's privileges the machine responds with weird and unsettling behavior: the screen locks, then shuts down for some moments. When the screen comes back on the device displays the configuration menu and there is no evidence of any attempt to strip the malicious app of its admin privileges.
Protection against analysis
The cybercriminals apparently invested serious time and effort into developing Trojan-SMS.AndroidOS.Podec, as demonstrated by the techniques used to prevent code analysis. As well as introducing garbage classes and obfuscation into the code, the cybercriminals used an expensive legitimate code protector which makes it fairly difficult to gain access to the source code of the Android application. This protector provides code integrity control tools, hides calls of all methods and manipulations involving class fields, and encrypts all strings.
Here is an example of protected code:
This is the same code after the protection is removed:
Managing the Trojan
Trojan-SMS.AndroidOS.Podec's activities are managed using C&C servers. The system works like this. First the Trojan contacts a C&C server via an HTTP protocol, and waits for an SMS with instructions. Trojan-SMS.AndroidOS.Podec has a main and a backup list of C&C domain names – a specific C&C server is chosen from the list following a random algorithm. If there is no response from that server within 3 days, a C&C from the backup list is used. This implements an adaptive algorithm to connect to a C&C server, which works even if specific domain names are blocked.
The C&C domain names and the entire traffic (both HTTM and SMS) are encrypted with AES encryption algorithm in CBC/NoPadding mode with a 128 bit key. The encryption key and the initialization vector are originally located in the file fXUt474y1mSeuULsg.kEaS (the name of this file changes from version to version), located in the 'assets' folder of the app source. Most of the file content is junk; useful information is contained between tags, appearing in the form of [a]string[/a].
From the strings between tags, the required encryption parameters (the key and the vector) are obtained in an encrypted form. Then they are decrypted by simply replacing one substring with others.
After decryption the commands form an XML document, in which the tags represent specific commands, and the contents of tags are command parameters. Below is the list of Trojan-SMS.AndroidOS.Podec capabilities implemented via commands:
- Collect information about the device (cell phone service provider, IMEI, phone number, interface language, country and city, etc.)
- Collect a list of installed applications.
- Receive information about USSD.
- Send SMS messages.
- Set a filter on incoming messages.
- Set filters on incoming and outgoing calls.
- Display advertisements to the user (display a separate notification, open an advertisement page, start a dialog, and other ways to show commercial content)
- Delete messages, as specified
- Delete call records, as specified
- Upload the source HTML code of a specified page to the cybercriminals' server.
- Perform a DDoS attack. Ramp up website visitor counters.
- Subscribe the user to paid content.
- Do a self-update.
- Perform an outgoing call.
- Export incoming messages according to conditions specified by C&C.
- Delete an app, as instructed by C&C.
Even a quick analysis of the Trojan's executable code reveals an abundance of ways of working with HTML and HTTP. As well as features regarded as standard for this type of Trojans (e.g. sending and intercepting text messages, placing phone calls, manipulations with SMSs and call logs), Trojan-SMS.AndroidOS.Podec can also configure web page visits and send their code to C&C. However, this Trojan's most interesting feature is its CAPTCHA recognition capability.
A flow chart of Trojan-SMS.AndroidOS.Podec in operation is provided below.
Thus, the web resource's communication capabilities are the source of two different threats:
- The Trojan contains functions with which one can launch a simple HTML Flood DDoS attack. The associated strings in the configuration file are as follows:
- One of the most dangerous capabilities in Trojan-SMS.AndroidOS.Podec is the use of configurable webpage visit rules, with CAPTCHA recognition supported. With this, the Trojan can subscribe the user to premium-rate subscriptions without the user's knowledge or consent. This capability is unique to this Trojan, so let us review it in more detail.
The resulting link is loaded; the function sleep() is called with the parameter 'seconds'. This process is repeated as often as the 'limit' parameter specifies.
The scheme used by the cybercriminals enables them to configure the frequency and number of access attempts; therefore, it can be used to ramp up web site visitor counters, thus generating profits from advertising and from partnership programs.
There are two main models of subscribing to content on a web resource:
- Pseudo-subscription. In this model, users visit a web resource and enter their phone numbers. An SMS is then sent, asking users to pay for the service by sending a reply message with any text. When users send that message, a certain amount of money is deducted from their phone accounts, depending on the specific service provider's prices. These messages arrive automatically, and users make up their minds each time whether to send the reply message or not. It is for this reason that this model is often referred to as pseudo-subscription.
- MT subscription. In this model, users enter their mobile phone numbers on a web page and receive an SMS with a validation code. Then users enter that code on the service provider's website, accepting the subscription terms and conditions. After that, the service provider will automatically deduct the sum stipulated in the subscription terms and conditions from the subscriber's account. In the Russian segment of the Internet, a number of partnership contracts are available that can aggregate this type of payments. This means that the cybercriminals do not have to directly deal with the cellular service providers when they create a service to which users can subscribe to paid content; partnership programs will do the agent's job. Under this model, the revenue is lower for the service creators, but the financial transactions are more anonymous.
Subscribing to paid services through a Trojan can be costly for users. In case of pseudo-subscriptions, one reply message may cost between $0.5 and $10. In case of MT subscription, the price in each specific case is agreed directly with the mobile service provider via the partnership program. The most dangerous factors here are that money is deducted 1) covertly and 2) on a regular basis. Users who are subscribed to several such "sources of content" may have to spend a lot of time and effort trying to find out where and how money from their accounts is going.
Example of the Trojan in operation
We were able to intercept Trojan-SMS.AndroidOS.Podec's communication with its C&C server. This communication session unfolded as follows:
- The RuMaximum.com website was accessed – this site provides online test services for users. To get their results, users have to subscribe to the site.
- With a GET request, the Trojan imitates a user taking a test. Then it finishes with a link that looks like http://rumaximum.com/result.php?test=0&reply=0&reply=0&reply=0&reply=0&reply=0&reply=0&reply=0&reply=0&reply=0&reply=0. This URL leads to the following web document:
- After the user enters a phone number, a unique "landing page" of the service provider is generated, demanding a CAPTCHA authentication and for a validation code that was sent to the phone by SMS. The Trojan fills out both fields and validates the subscription. Then, the user is redirected to the test results via the e-commerce system totmoney.ru.
This test in Russian is "What type of dog is most like you?"
Results of the test "What type of dog are you similar to?"
"Yes, I am 18 years old or older, and I consent to the Terms and Conditions below.
Enter your phone number."
Results of the test "What type of dog are you similar to?"
You are a German shepherd, a versatile dog. You can guard the state border or help the blind across the street. You learn things easily and keep your head cool in any circumstances. A good manager too!
The Trojan does all of these actions automatically using the configuration sent from the C&C. The victim, however, has no idea that any of this is happening.
Paid subscription capability
In the XML configuration sent from the C&C server, there is a field which subscribes the user to paid content. It looks like this:
Let's have a closer look at the configuration field:
- verify is an array of strings with the separator "-S-". It contains the information required to obtain the CAPTCHA value.
- service is the accessed service;
- search is an array of strings with the separator "-S-", used to search for substrings in the link and to take a decision about the appropriate type of subscription depending on the search results;
- images is not used in this version;
- actions is an array of strings with the separator "-S-". Contains the final links that the services follows to initiate/complete the subscription process;
- type is request type;
- source indicates whether the webpage's source code should be sent to C&C;
- domain: If the page's source code should be sent to C&C, domain indicates the destination C&C.
verify: if this field is not equal to zero, CAPTCHA recognition is required, otherwise further processing is done. This may contain the image file in base64 coding (done for processing static images and CAPTCHA), or an image ID;
verify is the key of the service 'http://antigate.com' used to recognize CAPTCHA and required to login at the service;
verify is the minimum image length, used for housekeeping purposes;
verify is the maximum image length, used for housekeeping purposes;
verify is the language of the symbols in the image.
The webpage source code is required for cybercriminals to analyze the structure and to prepare an appropriate configuration for the paid subscription module. Also, this service provides source codes of webpages to ensure that the page's code is received in a form that can be used to show it to the victim. This makes it easier for the cybercriminals to analyze the page and start the subscription.
The function which completes the subscription to paid content is located in the class CustomWebView, which is inherited from the class WebViewClient. In it, the method onLoadResource was redefined (this method is used to get a link to the image), as was the onPageFinished method,which is used to post-process the loaded web-resource. Post-processing is based on analyzing the configuration and then visiting the required links with the help of the loadUrl function. When required, the CAPTCHA processor is called as well.
Different partnership programs have different requirements from the design of a web resource where subscription tools will be hosted. For instance, there is often a requirement that for a CAPTCHA module to confirm that the request was not made from a bot. In most cases, the partnership program forwards the browser to the service provider's site where users are prompted to enter a CAPTCHA code to confirm their subscription requests. As explained above, Trojan-SMS.AndroidOS.Podec's key characteristic is that it can bypass CAPTCHA protection systems.
Trojan Podec can subscribe users to premium-rate services while bypassing CAPTCHATweet
The CAPTCHA processor communicates with the service Antigate.com which provides image-to-text manual recognition services. Here is what the service says on its web-page:
Antigate.Com is an online service which provides real-time captcha-to-text decodings. This works easy: your software uploads a captcha to our server and receives text from it within seconds.
In other words, the text from the CAPTCHA image is recognized by a person working for this service. According to the information Antigate.com provides on its website, most of its workers are based in India.
Distribution of Antigate.com employees between countries
The Trojan communicates with Antigate.com via an HTTP API service: a POST request is used to the send the image containing a text to be recognized; then, with the help of GET requests, the recognition status is monitored. The recognized result (if received in reasonable time) is inserted into the links from the 'actions' field of the received configuration. Then the links are opened with the help of the loadUrl()function.
If the subscription mechanism requires SMS validation the Trojan uses the filter set by the cybercriminals to search for the message containing the validation code, and uses regular expressions to extract the code from there.
The general subscription procedure
General flow chart of subscription to paid content
In general, the model of subscribing to paid content consists of the Observer SubscribeService which listens to the events as they occur in the HTMLOUT interface. When data (a downloaded page) is received from there, it is sent to C&C with the help of the class Submitter, which inherits the class AsyncTask. Also, SubscribeService accepts command parameters from the manager routine as input, initializes CustomWebView and starts to process the task with the help of SubscribeTask. SubscribeTask launches CustomWebView in which input parameters are processed, and decision is made about how the subscription should be performed. If required, CaptchaProcessor is launched, which is responsible for communications with the text recognition service and handling the requests that require validation code and the characters from the CAPTCHA image.
From the analysis of Trojan-SMS.AndroidOS.Podec samples that arrived earlier, we can conclude that the Trojan is under ongoing development. The code is being refactored, new capabilities are added, and module architectures are being reworked.
We suspect this Trojan is being developed by a team of Android developers in close cooperation with Black SEO specialists specializing in fraud, illegal monetization and traffic generation. The following evidence supports this theory:
- The Trojan is distributed via the VKontakte social network employing social engineering tools;
- A commercial protector is used to conceal the malicious code;
- The scheme includes a complicated procedure of extorting money from the victim while bypassing CAPTCHA.
Also, there are certain features in the code of the analyzed version of Trojan-SMS.AndroidOS.Podec which have not yet been used but which may reveal the malware writer's further plans. For instance, there is an auxiliary function isRooted(), which helps to check whether the device's owner has super-user privileges. This function is not used in the Trojan's main code, so we can assume that a payload designed to exploit super-user privileges may emerge in future versions of the Trojan.
Users of Kaspersky Lab's products are already secured against all existing versions of Trojan-SMS.AndroidOS.Podec. Nonetheless, we recommend that users only install applications sourced from official stores, such as Google Play. The user should always be alert to cybercriminals' tricks and avoid downloading cracked apps advertised as free of charge. If you download and launch a Trojan, you can potentially lose much more money than you may earn from not paying to purchase legitimate software.
With acknowledgements to Mobile TeleSystems OAO, a GSM cell phone operator in Russia, and specifically to its experts in partnership programs traffic.