![\"0\"](\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/04\/0.jpg\")
<\/a><\/p>\nHere’s a short summary:<\/p>\n
- \n
- Masquerades as a German certificate installer app. The fake login\/pin is used to uniquely identify the phone (on top of the phone number and IMEI.)<\/span><\/li>\n
- Achieves SMS interception, most likely to break 2-factor authentication. There are 3 modes of operation: do nothing, intercept and proceed, intercept and cancel SMS broadcast.<\/span><\/li>\n
- Multiple command-and-control servers. Two hard-coded domains are\u00a0hxxp:\/\/app-smartsystem.(com|net)\/sms\/d_m009.php<\/span><\/li>\n
- The C&C urls can be updated, either by contacting the existing the existing C&C, or via SMS sent by the master. Such SMS contain the string “&Sign28tepXXX”.<\/span><\/li>\n
- The communication with the C&C is encrypted using AES-ECB, with the static key “0523850789a8cfed”. The server also base64-encodes its payloads. (The client does not.)<\/span><\/li>\n
- The malware will try to start at boot time (BOOT_COMPLETED receiver), and also registers a 15-minute timer to query the server for updated C&C urls.<\/span><\/li>\n<\/ul>\n
<\/p>\n
![\"1\"](\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/04\/1.jpg\")
<\/a><\/p>\nThe APK was run through a name obfuscator. I’m attaching the sources decompiled using JEB 1.1<\/a>, and with most of the refactoring\/renaming\/commenting work done. For JEB users, here is the JDB file<\/a>. Enjoy.<\/p>\n
Sample MD5: 1cf41bdc0fdd409774eb755031a6f49d<\/p>\n","protected":false},"excerpt":{"rendered":"
The implementation of this Android malware is strong and clean. Nothing really innovative though. Here’s a short summary: Masquerades as a German certificate installer app. The fake login\/pin is used to uniquely identify the phone (on top of the phone number and IMEI.) Achieves SMS interception, most likely to break 2-factor authentication. There are 3 … Continue reading SMS Spy ZertSecurity with decompiled, analyzed Java sources<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,3,2],"tags":[],"class_list":["post-127","post","type-post","status-publish","format-standard","hentry","category-android","category-decompilation","category-malware"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=127"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/127\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Achieves SMS interception, most likely to break 2-factor authentication. There are 3 modes of operation: do nothing, intercept and proceed, intercept and cancel SMS broadcast.<\/span><\/li>\n