{"id":37,"date":"2013-03-20T21:31:36","date_gmt":"2013-03-21T05:31:36","guid":{"rendered":"http:\/\/www.android-decompiler.com\/blog\/?p=37"},"modified":"2018-12-19T13:42:54","modified_gmt":"2018-12-19T21:42:54","slug":"japanese-contact-stealer","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/japanese-contact-stealer\/","title":{"rendered":"Japanese Contact Stealer"},"content":{"rendered":"

Let’s have a quick look at a variant of Android.Uracto<\/a>, an app that steals (and potentially spams) contacts from Android devices. There is nothing particularly interesting about this piece of malware, but it’s the occasion to demonstrate some of JEB less-known and forthcoming abilities.<\/p>\n

Upon startup, the app displays the following spinner, that translates to “Reading the articles…”:<\/p>\n

\"2\"<\/a><\/p>\n

The onCreate() method for the main activity displays the above spinner, and also starts a new Thread, that will create and run a Progress object. Here it is:<\/p>\n

\"3\"<\/a><\/p>\n

\"4\"<\/a><\/p>\n

The run() method will call postMailList(). This method gets the ContentResolver for the app, and enumerates all entries having the\u00a0“vnd.android.cursor.item\/name”<\/strong> MIME type. According to the\u00a0documentation<\/a>, these entries represent “contacts’ proper names”.<\/p>\n

\"5\"<\/a><\/p>\n

A buffer representing the data1<\/em>, data2<\/em>, and data3<\/em> fields (respectively, Display Name<\/em>, Given Name<\/em>, and Family Name<\/em>) is dynamically created.<\/p>\n

[JEB specific]<\/strong><\/p>\n

<\/strong>Notice the optimizations that allowed the creation of that compact construct:<\/span><\/p>\n