
How to properly explore mobile Trojans at home
From the editors: today's post is by Roman Unuchek, a Kaspersky Lab expert specializing in mobile threats.
This post continues the topic raised by user rootes in the post “SMS virus for Android OS, or “Hello :) You have a photo...””. I enjoyed reading the comments about how viruses differ from Trojans and how to research malware properly. It is exactly this proper research I want to talk about, since I have been doing it daily for 4 years. Is it right to run malware on a “live” device? Do you need a virtual machine? How do you avoid harming yourself and other users during such experiments? Along the way, we will look at a specific Trojan, Trojan-SMS.AndroidOS.Opfake.a.
But perhaps I will start with a topic that was also raised in the original post: how antiviruses handle an already infected device. Our product was not tested there, which is a pity: the Trojan is quietly detected and removed by the trial version of our product (link to Google Play), both now and at the time of the original study (judging by the screenshots, it was September 3). Proof:

Disinfection
When you press the Delete button, the user is automatically taken to the device administrators management menu, where the Device Admin rights granted to the Trojan can be revoked. After that, the user is taken to the application removal menu in Settings.

As you can see, the process is not fully automated the way it is on Windows. Our solution shows the user the necessary menu items one after another to remove the Trojan and does all the hidden work, but you have to press a couple of buttons: this is a peculiarity of Android. Will an inexperienced user cope with such a task? Well, that is a good argument for this inexperienced user to protect the smartphone in advance: if the antivirus had been installed beforehand, the infection would simply not have happened.
So what kind of Trojan is it, and why didn't all vendors detect it immediately?
Actually, the AndroidOS.Opfake family of SMS Trojans is one of the oldest in our collection: we registered the first representative of this type 3 years ago, in August 2011. Since then we have detected over 8000 variants. They all have the same goal: to steal money from the user's account by sending SMS to paid short numbers and hiding this activity. There are variations, though. The first thing this particular modification of Opfake.a does is connect to the C&C server, after which it executes the command it receives from there. This can be spamming the contact list (the same “Hello”), sending SMS to premium numbers, or stealing the contact list. In addition, the Trojan can initiate a call to a specified number, block calls to the owner, intercept incoming SMS, and even install another malicious program.
An interesting point is that this modification of the Trojan still shows the same photo of a cat. Other modifications do not even do that, performing only hidden malicious operations and showing nothing at all.
Now let's talk about why not all vendors detected the Trojan, and not immediately. Here is a chart based on data from our product:

It shows the number of detections of the program from August 29 to September 1, in two-hour intervals. As you can see, the main surge of activity occurred on August 31: in total for that day we detected more than 1800 attacks in Russia, Ukraine, Belarus, Kazakhstan and Uzbekistan. But this modification of Opfake appeared on August 29, on Friday evening. Compared with previous versions of the Trojan, the new one was changed for the sole purpose of evading detection by antivirus solutions. In our case, detection was done not by the signature method but by heuristics, roughly speaking, descriptions of the behavior of the malicious program. Such a heuristic lets you immediately “cover” many modifications of the Trojan, and this method is more resistant to minor changes in the malicious code.
In such a situation, everything depends on how quickly the antivirus company can respond to a new attack. First, you need to somehow catch a new sample; second, analyze it (manually or automatically); third, add detection and deliver it to customers as quickly as possible in the form of a product update. An additional complicating factor was the timing of the Trojan's initial distribution, which was probably chosen deliberately by the cybercriminals with the specifics of our work in mind. But we managed :)
How to study it
We return to where the post began. We investigate malicious programs with all available tools and choose the right one (be it code analysis, emulation, or launching on a real device) depending on the circumstances and, of course, drawing on considerable experience. What can be recommended to those who decide to analyze such a Trojan at home? The strategy of user rootes was generally correct: run the malware on a “clean” device without personal data, with a SIM card installed, but with no money in the account. But I would recommend starting with safer methods:
• Launch it inside the standard Android emulator. This is the safest method, and it also lets you learn a lot about the Trojan's functionality. Some malware, however, detects that it is running inside a virtual machine and refuses to work. But not all of it does.
• Launch it on a real device without personal data, without a SIM card, and with the Internet turned off. In the case of this Trojan, this would be of little use. There are rare types of mobile threats that refuse to work on a device without a SIM installed, thereby hiding their real purpose.
• Launch it on a real device with a SIM card. Having no money in the account does not give a 100% guarantee in this case; I would additionally recommend asking the operator to block sending SMS to short numbers.
As I said above, sending paid SMS is not the only capability of the Opfake Trojan, so I would not recommend using the third method at home. You have been warned!
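Before deciding between the emulator and a real device, it helps to know statically which of the capabilities described above a sample even asks for. The following is an added example, not code from the original post or from Kaspersky Lab: it maps the permissions reported by `aapt dump permissions` to the Opfake.a capabilities listed earlier; `aapt` being on PATH, the sample file name and the constructed permission listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): static pre-check of an APK's
# requested permissions against the Opfake.a capabilities the post describes.
# Assumption: `aapt` from the Android SDK build-tools is on PATH for a live run.

# Map one permission name to the capability it enables; prints nothing for
# permissions that are not relevant to this family.
capability_for() {
    case "$1" in
        android.permission.SEND_SMS)         echo "send SMS to premium short numbers" ;;
        android.permission.RECEIVE_SMS)      echo "intercept incoming SMS" ;;
        android.permission.READ_CONTACTS)    echo "read and spam the contact list" ;;
        android.permission.CALL_PHONE)       echo "initiate calls" ;;
        android.permission.INTERNET)         echo "connect to a C&C server" ;;
        android.permission.INSTALL_PACKAGES) echo "install another program" ;;
    esac
}

# Read `aapt dump permissions` output on stdin. Both the older
# "uses-permission: android.permission.X" and the newer
# "uses-permission: name='android.permission.X'" forms are handled.
# Prints "permission -> capability" for each relevant permission.
triage() {
    sed -n "s/^uses-permission: *\(name='\)\{0,1\}\([A-Za-z0-9_.]*\)'\{0,1\}.*/\2/p" |
    while read -r perm; do
        cap=$(capability_for "$perm")
        if [ -n "$cap" ]; then
            echo "$perm -> $cap"
        fi
    done
    return 0
}

# Number of relevant permissions found; 0 means nothing SMS/contact/call related.
risk_count() {
    triage | wc -l | tr -d ' '
}

# Constructed sample, shaped like `aapt dump permissions` output for an SMS Trojan.
SAMPLE='package: com.example.constructed
uses-permission: android.permission.INTERNET
uses-permission: android.permission.SEND_SMS
uses-permission: android.permission.RECEIVE_SMS
uses-permission: android.permission.READ_CONTACTS
uses-permission: android.permission.ACCESS_NETWORK_STATE'

# Live usage would be: aapt dump permissions sample.apk | triage
printf '%s\n' "$SAMPLE" | triage
```

Device Admin use is declared on a receiver in the manifest rather than requested as a uses-permission, so it does not show up in this listing and has to be checked separately.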
Prevention
We have said repeatedly that mobile cybercrime, although it emerged only recently, is developing much faster than its counterpart on conventional PCs. In 2-3 years, Android went through the same stages of development, from simple viruses to complex malicious programs, as ordinary PCs did. Only on PCs it took not a couple of years but a couple of decades. An “advanced” user does not need anything special to defend against such a Trojan: just don't open the message, don't click dubious links and, of course, don't install suspicious programs.
What should less experienced users do, who increasingly choose a smartphone over a regular mobile phone? Indeed, simply not allowing installation of programs from unofficial sources is already enough to stop a Trojan like Opfake.a. But this does not give a 100% guarantee, and dozens of cases of openly malicious programs being found on Google Play are proof of that. And that is not even counting phishing, the promotion of dubious software through mobile advertising networks, and more. So security software on mobile devices is necessary.