Security Alert: New BeanBot SMS Trojan Discovered
By Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University
This week, my research team, in collaboration with NQ Mobile, has discovered a new SMS
Trojan in alternative Android markets. This Trojan is controlled remotely. It not only
transports personally identifiable information to its Command and Control (C&C) server,
but also stealthily sends text messages in the background, resulting in unwanted charges
on the user's phone bill. One interesting thing about BeanBot is that its C&C server falls
under the same domain name that has been associated with the ZeuS malware in the past,
which naturally raises suspicion about a connection to ZeuS. Our study, however, does not
indicate any such connection.
How It Works
BeanBot is included in multiple repackaged free versions of paid apps, which
are redistributed in third-party marketplaces. Its main behavior is summarized
in the following figure.
Specifically, there are three key steps:
- Infected apps contain a main control service, OperateService. This service is
activated either by a phony "upgrade" screen within the app, or by hooking certain
system events (such as the device booting up or a phone call being hung up).
- Once started, BeanBot contacts its C&C server
(http://xxxxx.gicp.net:8083/sp/sync.action), providing it with a range of information,
including the device's identity number (IMEI), subscriber ID (IMSI) and phone number.
- After handshaking with the C&C server, the malware retrieves instructions from a
different address on the same server (http://xxxxx.gicp.net:8081/jserver/sp). These
instructions can be to open a web page, call a phone number, or send an SMS text
message to a premium number. In the last case, once the text message has been sent
the SMS inbox is sanitized, and the C&C server is then contacted with the amount
earned and the previously sent personal information.
BeanBot takes certain measures to lower its profile. It is structured as a set of three
services and a receiver, which are contained in a package that is deceptively named so
as to appear as though it comes from Google itself. Furthermore, its C&C server addresses
are encrypted. After decrypting them, we found that the domain name has been associated
with the ZeuS malware in the past, which naturally raises suspicion about a connection
to ZeuS. However, our study does not show any such connection.
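The structural indicators described in the three steps and in the paragraph above (an OperateService control service, a receiver hooking boot and call-state events, SMS capability, and component names dressed up to look like Google's) can be checked statically against a decoded AndroidManifest.xml. The following is an added triage example, not code from the original post or from NQ Mobile; the sample manifest, the com.google.update package prefix and the Google-lookalike heuristic are constructed for the demo.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
CONTROL_SERVICE = "OperateService"                  # service name given in the write-up
HOOKED_ACTIONS = {"android.intent.action.BOOT_COMPLETED",  # device boot
                  "android.intent.action.PHONE_STATE"}     # call state changes (hang-up)
RISKY_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE"}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the BeanBot-style indicators present in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    app = root.find("application")  # assumed present, as in any installable APK
    components = [c.get(A + "name", "") for t in ("service", "receiver") for c in app.iter(t)]
    hooked = {a.get(A + "name", "") for r in app.iter("receiver") for a in r.iter("action")}
    perms = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    # Heuristic (assumption, not from the post): components declared under com.google.*
    # inside an app whose own id is not Google's match the deceptive naming described.
    lookalike = [c for c in components
                 if c.startswith("com.google.") and not app_pkg.startswith("com.google.")]
    return {
        "control_service": any(c.endswith("." + CONTROL_SERVICE) for c in components),
        "hooked_events": sorted(hooked & HOOKED_ACTIONS),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "google_lookalike_components": lookalike,
    }

def is_suspicious(report: dict) -> bool:
    """The control service alone, or background trigger + SMS + lookalike naming together."""
    background = bool(report["hooked_events"])
    can_sms = "android.permission.SEND_SMS" in report["risky_permissions"]
    lookalike = bool(report["google_lookalike_components"])
    return report["control_service"] or (background and can_sms and lookalike)

# Constructed sample manifest; the com.google.update prefix is invented, not BeanBot's real one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.paidgame">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name="com.google.update.OperateService"/>
    <receiver android:name="com.google.update.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on a real decoded manifest (for example, one produced by apktool) gives the same dictionary shape, so the check can be dropped into a batch review of third-party market downloads.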
BeanBot has been found in repackaged versions of paid apps that use the Android
Application Licensing mechanism, which is designed to deter casual piracy.
The malware rewrites a small portion of the original app's code to wrap a
framework call designed to get information about the app; instead of making this
call directly, new code calls the original framework call but changes certain
fields in the returned object to deceive the licensing code. In this way,
BeanBot can use the original app's code with very minimal modifications.
Mitigation:
Because BeanBot can be remotely controlled, we consider it a serious threat to mobile
users. For mitigation, please follow common-sense guidelines for smartphone security. For example:
- download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.
Follow-ups:
- 10/13/2011: This article goes public.
- 10/10/2011: We detected the first BeanBot malware.
Last modified: October 13th, 2011