PhishLabs has recently discovered and analyzed a malicious mobile application that is being actively distributed via an SMiShing (phishing via text message) campaign. The application attempts to hijack two-factor authentication (one-time passwords) by reading the victim’s SMS messages.
With the growing trend of conducting business (personal and corporate) via mobile devices, consumers and users of smart phones must be vigilant and cautious across the board - from clicking on links in email or text messages to downloading apps.
The proliferation of mobile
The concept of a personal portable hub for information and communication dates back to 1926, when Nikola Tesla predicted the creation of the smartphone in an interview with John B. Kennedy. Tesla said:
"When wireless is perfectly applied the whole earth will be converted into a huge brain, which in fact it is, all things being particles of a real and rhythmic whole. We shall be able to communicate with one another instantly, irrespective of distance. Not only this, but through television and telephony we shall see and hear one another as perfectly as though we were face to face, despite intervening distances of thousands of miles; and the instruments through which we shall be able to do this will be amazingly simple compared with our present telephone. A man will be able to carry one in his vest pocket."
Flash forward to 2015, when mobile devices have become increasingly popular, with 64 percent of Americans owning a smartphone. This figure is up significantly from early 2011, when only 35 percent of the population owned a smartphone (Pew Research Center). These devices are taking over the functions that desktop and laptop computers have traditionally performed; as an example, 57 percent of individuals have used their phone to do online banking. As the use of mobile platforms for handling sensitive data becomes more common, cyber criminals will target these devices with greater frequency.
Origin of new malicious application
PhishLabs has seen two different versions of a mobile spyware application in the wild, both delivered under the name “iMobile.apk”, which is a name used by multiple banks for their mobile banking applications. The following SHA256 hashes uniquely identify the payloads in question:
The criminals distributing this mobile application used traditional phishing messages to harvest victims’ credentials and other personally identifiable information (PII). The victims were then instructed to download a mobile application via an SMS message sent to their cell phone.
In the photo above, victims were instructed to download a “mobile verification certificate”; PhishLabs speculates that this “verification certificate” was masquerading as an update for a banking service. In both instances, the mobile application was being hosted on a compromised web server. A URL shortening service was used to obscure the target URL and reduce any suspicions. Once the mobile application payload is downloaded, the victim must open the application in order for the infection process to be completed.
As we have not seen any organization or researcher comment on this particular payload, we are inclined to call this nasty little fellow: SMS Reaper. This article “Exec opens mail on 'IT refund', loses 6L to online fraud” appears to fit the exact description of SMS Reaper and it outlines the subsequent consequences of downloading the malicious app. If the malicious app described in the article is indeed SMS Reaper, then we can deduce the spyware authors are initially targeting customers of banks in India.
Launching the application:
After downloading the malicious mobile application, the victim will presumably launch the application where they will be presented with the following splash screen.
Subsequently, the message “Mobile Verification Successful” is presented to the user assuring them that the process of installing the “mobile certificate” happened successfully.
The average user is unlikely to think twice and will proceed to use their phone as if nothing happened. However, the criminals now have some control over the victim’s mobile device.
What is the significance of the application?
You may be wondering why the application is necessary at all, since the criminals have already obtained the victim’s credentials via the phishing attack. A look at the permissions required by this application provides clues to its function:
After a review of the permissions, one can deduce that this application is interested in the user's SMS messages. This particular mobile spyware app monitors the victim’s SMS inbox (message, sender, and receiver). The user’s messages are then exfiltrated via an HTTP POST request to the following URL:
Presently, many financial institutions employ multi-factor authentication. This is where the mobile spyware comes into play. Once the victim’s financial institution sends a one-time password via text message, the criminals can intercept that message. All the information needed to bypass two-factor authentication and log in to the victim’s account is now in the miscreants’ hands.
Behind the scenes
When launched, this mobile application runs as a service. A service is an application component that can perform long-running operations in the background and does not use a graphical user interface. SMS Reaper hides the notification that an SMS message has been received, giving the criminals the potential to exfiltrate multiple one-time passwords and make multiple transactions at the victim’s expense.
This code snippet shows how the spyware monitors the user's SMS inbox. We can see that the spyware is only interested in the content of the message (“body”) and where the message was sent from (“address”).
Further review of the source code reveals the hard-coded web address of the server used for exfiltration.
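The traits described above (SMS permissions, a background service, a hard-coded exfiltration URL) are the ones a defender can check for when triaging a suspicious APK. The following helper is an added example, not PhishLabs' code or the spyware's decompiled source; it runs over a constructed, decoded AndroidManifest.xml and a few constructed string-table entries, and the URL and component names in the sample are placeholders.

```python
# Added triage helper (not PhishLabs code): flags, in a decoded AndroidManifest.xml,
# the capability set described for SMS Reaper: SMS-reading permissions plus INTERNET,
# a background <service> or SMS_RECEIVED receiver, and hard-coded http(s) URLs in the
# app's strings. The sample manifest and strings below are constructed, not real.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def triage_manifest(manifest_xml, strings):
    """Return indicators found; sms_exfil_risk is True only when SMS access,
    network access and a background component are all present."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    services, sms_receivers = [], []
    if app is not None:
        services = [s.get(ANDROID_NS + "name") for s in app.iter("service")]
        # Receivers registered for SMS_RECEIVED see each incoming text as it arrives
        for r in app.iter("receiver"):
            if any(a.get(ANDROID_NS + "name") == SMS_ACTION for a in r.iter("action")):
                sms_receivers.append(r.get(ANDROID_NS + "name"))
    urls = sorted({u for s in strings for u in re.findall(r"https?://[^\s\"']+", s)})
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "services": services,
        "sms_receivers": sms_receivers,
        "hardcoded_urls": urls,
        "sms_exfil_risk": bool(perms & SMS_PERMS)
        and "android.permission.INTERNET" in perms
        and bool(services or sms_receivers),
    }

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SmsWatchService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="%s"/></intent-filter>
    </receiver>
  </application>
</manifest>""" % SMS_ACTION
SAMPLE_STRINGS = ['url = "http://c2.example.invalid/sms/post.php"', 'getString("body")']

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

On a real sample the manifest and strings would come from a decoder such as apktool; the combination flagged here is a triage signal to investigate, not proof of malice on its own.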
The formatting and execution of the HTTP POST sent by the mobile spyware is shown in the code snippet below:
Capturing the network traffic when the application is first launched allows us to see firsthand how this mobile spyware communicates with its command and control server. The following screenshot shows the spyware calling back to inform the attackers that another victim has been infected.
Despite the application's questionable permissions and hard-coded command and control server, the application received 0 hits in VirusTotal (https://www.virustotal.com/en/file/61337851d3989943b6125707a6478e4dbc126f88eaa037713d5e283003871b71/analysis/ ).
Although this application was not detected by any anti-virus products, it does not use process injection to maintain persistence, nor does it attempt to obfuscate its identity in any way. A user can identify the running service, force the spyware to stop, and then uninstall it.
In the future, one can expect mobile malware to become more common as the shift from the traditional computing environment to mobile platforms continues. The complexity of mobile malware will also increase in order to thwart analysis, thereby allowing campaigns to run longer and compromise more victims.
While most consumers are conditioned and educated about the risks of phishing emails that contain malicious links, that awareness is primarily associated with computers. It is equally critical to err on the side of caution before downloading or clicking on any links on a mobile device. Cyber criminals will continue to circumvent technology controls, just as SMS Reaper gets around two-factor authentication. If you discover a malicious app purporting to be from your bank, or an app that runs in the background to steal information, delete any malicious content that may have been downloaded, notify your financial institution immediately, and reset all passwords that were at risk of compromise.