![\"1\"](\"http:\/\/www.android-decompiler.com\/blog\/wp-content\/uploads\/2013\/03\/1.png\")
<\/a><\/p>\nLet’s check the decompiled Java code.<\/p>\n
When the user starts the app, it displays a fake error message, indicating that the server is out-of-service, and terminates. In the meantime, it has registered and started the malicious service com.catchspam.catchservice<\/strong>.<\/p>\n Notice that a preference variable “runYN” is set to “execute” (\uc2e4\ud589.) More on it later.<\/p>\n The malicious service does two things: The BroadcastReceiver com.catchspam.catchsms2<\/strong> processes\u00a0SMS_RECEIVED<\/strong> intents. The last PDU is processed and (supposedly) contains the text message.<\/p>\n In the following screenshot, notice that the author implemented a minimal C&C-like behavior: The intent broadcast is cancelled to prevent other apps (and eventually, the user) from processing the SMS. Finally, the message is POST’ed to the author’s server. The data format is “mobile=<number>&revsms=<textmessage>”.<\/p>\n SMS stealers can be simple annoyance or steal personal data. In this case, it might be used to capture 2-factor authentication codes sent by online banking websites.<\/span><\/p>\n Download the sample here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Let’s inaugurate this blog by looking at a fairly simple piece of Android malware, an SMS interceptor app whose prime targets are South Korean users. The app impersonates a Starbucks coupon (\uc2a4\ud0c0\ubc85\uc2a4 \ucfe0\ud3f0) app. Let’s check the decompiled Java code. When the user starts the app, it displays a fake error message, indicating that the … Continue reading Korean SMS Interceptor<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,3,2],"tags":[],"class_list":["post-8","post","type-post","status-publish","format-standard","hentry","category-android","category-decompilation","category-malware"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/8","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=8"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/8\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=8"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/a><\/p>\n
\n– First, it registers the cellphone number by POST’ing it to hxxp:\/\/it7980.com\/Android_SMS\/installing.php. (If the number is Korean and starts with the prefix +82, it receives “special treatment”.)<\/span>
\n– Then, it registers a BroadcastReceiver meant to process incoming text messages.<\/p>\n<\/a><\/p>\n
\n– If the text reads “execute”, the runYN<\/em> preference variable will also be set to “execute”.
\n– If the text matches the “magic passphrase”, that variable will be set to “pause”. (It roughly translates to: “Back and forth the same versus luck ♥ Lee ♥ ♥ Please call 1588-1588”.<\/em>)
\nLater, runYN<\/em> is checked and the interception procedure will bail if it is not set to “execute”. This allows the author to enable\/disable the interception, either globally or for specific phone numbers.<\/p>\n<\/a><\/p>\n