![\"dplug1\"](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2013\/09\/dplug1.png\")
<\/span><\/div><\/a><\/p>\nFig 1. An overview of reversed Dplug malware sample.<\/p>\n
Intercept and block incoming SMS messages<\/b><\/p>\n The malware claims the highest priority of receiving intent android.provider.Telephony.SMS_RECEIVED<\/i> so that when an incoming SMS message arrives, the malware will intercept the message before other apps. (Fig 2)<\/p>\n Fig 2. Broadcast receiver com.dplug.ptest.DlwxReceiver claims the highest priority for receiving four types of intents in AndroidManifest.xml file<\/i><\/p>\n The intercepted SMS messages are then examined by the isPinBi()<\/i> function in the file com.dplug.sms.SMSTool.java<\/i>. \u201cPinBi\u201d means \u201cshield\u201d<\/i> in Chinese. In this function, the malware intercepts SMS coming from two numbers, one is 10086 (a hotline number of China Mobile Communication) and the other is 1065889955 (a notorious malicious premium service subscription number widely used by mobile malware in China). These two numbers are hardcoded in the file com.dplug.tools.Constant.java<\/i> (Fig 3).<\/p>\n Fig 3. The hardcoded numbers<\/i><\/p>\n If an incoming SMS message is from either number, the malware will block the message from being inserted into the inbox. The purpose is to block the premium service notices sent from carrier such as the premium service subscription notice, service subscription confirmation notice, and billing notices. The victim will not notice the premium services the attacker subscribed to using their phone\u2019s identity.<\/p>\n The malware will save the intercepted messages in a \u201clog.txt\u201d file. For each message, the malware will log receive time, sender phone number and the message body (Fig 4).<\/p>\n \u00a0 Fig 4.\u00a0 Examples of intercepted SMS messages in the \u201clog.txt\u201d file<\/i><\/p>\n To hide the logs from being detected, the malware creates a hidden folder in the path \u201c\/mnt\/sdcard\/Android\/.system\/.dplug<\/i>\u201d and saves the logs there. The file path for \u201clog.txt\u201d is \u201c\/mnt\/sdcard\/Android\/.system\/.dplug\/log.txt<\/i>\u201d.<\/p>\n Send IMEI and IMSI number of device to remote attacker via SMS<\/b><\/p>\n Dplug collects the IMEI and IMSI numbers from the device. The two numbers are sent via SMS to a designated phone number and then retrieved by contacting the URL http:\/\/www.android-3.com:8008\/getPhoneNo.do?arg=0&m=get<\/a> (Fig 5)<\/p>\n \u00a0 Fig 5. Retrieve the receiver phone number via www.android-3.com:8008<\/i><\/p>\n With the retrieved number the malware will construct a SMS message and sent out in the background (Fig 6).<\/p>\n \u00a0 Fig 6. The SMS message sent with IMEI and IMSI number<\/i><\/p>\n With the IMEI, IMSI and phone number, the attacker will impersonate the phone owner and subscribe to premium services. The attacker profits through those premium services.<\/p>\n Premium service subscription auto-confirmation<\/b><\/p>\n To avoid unnoticed premium service subscription, the carrier will send confirmation SMS messages to the subscriber\u2019s phone. This message usually contains the subscription information and a random confirmation number. The user needs to replay this confirmation number in order to confirm the subscription.<\/p>\n To deal with the confirmation requirement, the Dplug malware first downloads an SMS configuration file from the url http:\/\/117.135.131.19:8008\/sms.do. The configuration file is parsed by the ParseTool.parseSMSConfig()<\/i> function and the parsed information is saved in a SMSCustom<\/i> object. Related source code is shown in (Fig 7).<\/p>\n
\nTechnical Details<\/span><\/b><\/p>\n<\/span><\/div><\/a><\/p>\n<\/span><\/div><\/a><\/p>\n<\/span><\/div><\/a><\/p>\n<\/span><\/div><\/a><\/p>\n<\/span><\/div><\/a><\/p>\n