Malware and Google's Android OS are two of my favorite things to play with. You would think that when I heard that there was a Trojan in the wild targeting Android devices, I'd be all over it. Indeed, I was. But I was not happy because I just don't like the sound of "malware" and "Android" in the same sentence. I got a copy of the Trojan (MD5: fdb84ff8125b3790011b83cc85adce16) and proceeded to dissect it. Most Android applications are distributed in the form of Android Packages (.apk), and this was no exception. Apk files can be opened with dexdump, a tool provided by Google as part of the Android SDK. On my workstation, it's located under:


Let's run dexdump with the following options on the Trojan "RU.apk" and redirect the output to a file:

./dexdump -d -f -h ~/Desktop/RU.apk > ~/Desktop/out.txt

Going through the output and looking for the "onCreate" method, which is the method used to initialize an activity, I found


HelloWorld?! What? Was this written by a n00b who copied the example project HelloWorld? The following was also found:


OK, MoviePlayer is the name of the application. I guess it must be some sort of movie player. This is confirmed by the presence of:

000c: const-string v2, "Нажмите ок для доступа к видеотеке" // string@0076

That is Russian for "Click OK to access the video library" (thanks Google Translate). On "create", the function DataHelper.canwe() is invoked:

00094c: 6e10 1900 0600 000c: invoke-virtual {v6}, Lorg/me/androidapplication1/DataHelper;.canwe:()Z // method@0019

The function checks a SQLite DB for the presence of "was" in table1 (yes, quite an interesting way to see whether the app has been run before). If the application had never been run on the device, a function call is made to SmsManager.sendTextMessage:

001f: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage

This function call is made 3 times with short codes as the destination phone numbers: 3353, 3354 and 3353 again. The content of each of these short messages is "798657".
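Reading the dump by hand works for one sample, but the same check can be scripted. The following is an added example, not code from the original post: it scans dexdump -d output for SmsManager.sendTextMessage invocations and recovers the last string constant loaded into the destination and message-text registers, which is exactly what was done manually above. The dump lines are constructed to match the format quoted here (they are not the real RU.apk listing), and the short-code heuristic is an assumption, not something the post states.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the dexdump -d format quoted in the post; it is
# not the real RU.apk listing, only the shape needed to exercise the parser.
SAMPLE_DUMP = """\
000c: const-string v2, "Нажмите ок для доступа к видеотеке" // string@0076
0010: const-string v1, "3353" // string@0012
0012: const-string v3, "798657" // string@0015
001f: invoke-virtual/range {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;.sendTextMessage:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V // method@0021
0024: const-string v1, "3354" // string@0013
0029: invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;.sendTextMessage:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V // method@0021
002e: const-string v1, "3353" // string@0012
0033: invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;.sendTextMessage:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V // method@0021
"""

CONST_STR = re.compile(r'const-string(?:/jumbo)? (v\d+), "(.*)"')
INVOKE = re.compile(r'invoke-\w+(?:/range)? \{([^}]*)\}, (L[^ ]+)')
SMS_SEND = "Landroid/telephony/SmsManager;.sendTextMessage"

def _registers(arglist: str) -> List[str]:
    """Expand '{v0 .. v5}' or '{v0, v1, ...}' into an explicit register list."""
    if ".." in arglist:
        lo, hi = [int(r.strip()[1:]) for r in arglist.split("..")]
        return [f"v{i}" for i in range(lo, hi + 1)]
    return [r.strip() for r in arglist.split(",") if r.strip()]

def find_sms_sends(dump: str) -> List[Dict[str, Optional[str]]]:
    """One record per sendTextMessage call: the last string constant loaded
    into the destination (arg 1) and text (arg 3) registers. Tracking is a
    linear, per-line scan, so a value set on another control-flow path or
    built at runtime is reported as None rather than guessed."""
    regs: Dict[str, str] = {}
    hits: List[Dict[str, Optional[str]]] = []
    for line in dump.splitlines():
        m = CONST_STR.search(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = INVOKE.search(line)
        if m and m.group(2).startswith(SMS_SEND):
            args = _registers(m.group(1))  # args[0] is the SmsManager instance
            hits.append({"destination": regs.get(args[1]) if len(args) > 1 else None,
                         "text": regs.get(args[3]) if len(args) > 3 else None})
    return hits

def is_short_code(number: Optional[str]) -> bool:
    """Heuristic (assumption): a purely numeric 3-6 digit destination is a short-code candidate."""
    return number is not None and number.isdigit() and 3 <= len(number) <= 6
```

Run against a real dump with `find_sms_sends(open("out.txt").read())`; any hit whose destination passes `is_short_code` is worth a manual look at the surrounding method.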

So what would have happened had an unsuspecting user installed this application? The victim would have installed what appeared to be a benign application on his/her Android device. Instead of acting as a movie player, the application would have sent 3 SMS messages to those short codes. This Trojan targets Russian-speaking users, so it is most likely to be installed on handsets in Russia. According to Wikipedia, "the cost of the call or SMS to the short number varies from 1.2 to 300 rubles", which is between USD 0.03 and USD 9.8. The end result is that the victim wouldn't have a movie player on their handset, but would have been scammed out of money instead.

While this is certainly one of the first (or the first) Trojan found in the wild that targets Android, it's quite surprising how news outlets covered this story. The hype made it almost seem like there had never been malware targeting mobile devices before. Just a month ago, there were reports of malware affecting Symbian devices to create a botnet capable of sending SMS messages from compromised devices. Don't forget, Symbian is the top OS for phones based on market share.

In late 2009, a spyware application for BlackBerry OS called PhoneSnoop was making the headlines. It allowed a third party to listen in on any calls on the compromised phone. Finally, let's not forget about Ikee, the iPhone worm that was "rickrolling" jailbroken devices in Australia.

As for this Android SMS Trojan, it's been reported that it was not available for download through Google's official application directory, the Android Market, and so users who got infected had no business downloading .apk files from other sources. Well, some developers such as Gameloft choose not to publish their apps through the Android Market for whatever reason, so you would have to get their software from a location other than the Android Market. Then there is the fact that downloading an application from the Android Market does not guarantee that the application will behave exactly the way you expect based on its name and description. In fact, "Google does not intend, and does not undertake, to monitor the Products or their content" per their developer distribution agreement. Furthermore, "if Google is notified by you or otherwise becomes aware and determines in its sole discretion that a Product [...] is deemed by Google to have a virus or is deemed to be malware, spyware or have an adverse impact on Google's or an Authorized Carrier's network [...] Google may remove the Product from the Market". I think that's pretty clear and doesn't require any further explanation. What I get from this is that one should proceed cautiously when installing an application from the Android Market that comes from an unknown developer and has been downloaded by only a small number of people.

Comparing the two dominant players in the mobile application arena, Google and Apple have very different approaches to how they've implemented their application stores. One leaves it up to the end users to review and comment on apps, whereas the other wants full control over which apps get approved for its store. Both sides have their share of fanboys and I am not here to determine which one is best. I do wonder, though, whether from a security point of view the best solution lies somewhere in the middle of these two approaches.

What did all this teach us? Simply that you should be aware that your smartphone is a prime target for attackers. Not only are smartphones more powerful than even the most powerful desktop computers from a few years ago, but they also provide easy access to your address book, your email accounts and social network accounts. With smartphone sales about to surpass worldwide PC sales by the end of 2011, it's not difficult to see how more vulnerabilities will be found and exploited in mobile devices, and how more malware targeting smartphones will be found in the wild. As always, we strongly recommend that you know and trust the wireless hotspot you are connecting your phone to, that you install trusted apps and that you browse trusted websites.