Android SMS Bot Uses Twitter to Hide C&C Server
An Android SMS bot that uses Twitter and spreads through spam attachments opened on Android devices has been spotted in the wild. Because it can hide its launcher icon, the bot is hard for users to notice once installation is complete.
Its foreground process is named “Be social! plugin” and it activates when it receives intents such as android.intent.action.BOOT_COMPLETED or android.intent.action.USER_PRESENT. In other words, when you power up or unlock your device, it starts sending device information such as the device ID, IMEI, and phone number to a command and control server.
The malware reads various Twitter profiles to obtain a domain name – a common technique for obfuscating the malicious domain. It then sends a POST request containing the string “carbontetraiodide” and all the collected device information to the Twitter-obtained domain. After that, it waits for further commands to execute.
Here's a code snippet where the malware gets the domain name:
It stands to reason that all of these Twitter profiles were created by the malware coders. Reading a randomly chosen profile to obtain the domain name is an efficient way of obfuscating the command and control server address.
Here's a code snippet where the malware communicates with the command and control server:
The Android bot also receives instructions to send SMS messages by accepting parameters like phone number, message content, and the number of times the message is to be sent. This is common practice for voting malware.
The bot also sends information such as a “bot id” and a list of “modules”, implying that the malware coders want to keep tight records of how many devices they control. Although it doesn't currently have the ability to intercept or stop SMS broadcasts, the fact that it can send SMS messages without the user's consent is troubling enough.
Here's a code snippet where the malware sends unauthorized SMS messages:
Using Twitter to hide the transmission channel is not something we usually encounter in Android malware, which suggests an evolution in the way malware coders plan their attacks.
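As an added triage example (not code from the article or from the malware), the script below parses an AndroidManifest.xml and flags the combination of traits described above: a receiver that wakes on BOOT_COMPLETED or USER_PRESENT, the permission to send SMS, and access to device identifiers. The manifest, package name and receiver name are constructed for the demonstration.

```python
# Added example: manifest triage for the trait combination described in the article.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = lambda attr: f"{{{ANDROID_NS}}}{attr}"  # qualified name for android:* attributes

# Broadcasts the article says the bot reacts to
WAKE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.USER_PRESENT"}


def triage_manifest(xml_text: str) -> dict:
    """Flag the bot's traits in a manifest; returns the findings plus a simple score."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A("name")) for p in root.iter("uses-permission")}
    # receivers whose intent-filter listens for the boot/unlock broadcasts
    wake_receivers = sorted(
        r.get(A("name")) for r in root.iter("receiver")
        if {a.get(A("name")) for a in r.iter("action")} & WAKE_ACTIONS)
    findings = {
        "wake_receivers": wake_receivers,
        "can_send_sms": "android.permission.SEND_SMS" in perms,
        "reads_device_identity": "android.permission.READ_PHONE_STATE" in perms,
    }
    # one point per trait present; all three together matches the bot described above
    findings["score"] = sum(bool(v) for v in findings.values())
    return findings


# Constructed sample manifest (hypothetical package and receiver names)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Be social! plugin">
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```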
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
This article is based on the technical information provided courtesy of Ioan Lucian STAN, Malware Researcher.