Hans Security Magazine Vol I
Are you using Android? Beware!

Posted On : May 20th 2012 by Abhishek Mahore

OMG!! Recently we came across a new Android-based Trojan named Android.Faketoken that propagates through SMS and email messages. It targets mobile banking users by posing as a token generator application. It implements a man-in-the-middle attack by asking for the user's password during execution, then generating a fake token while sending the user's information to a specific number and to remote servers in the background.


During installation the application requests the following permissions:


  • Send SMS and monitor incoming SMS to record or perform processing on them
  • Read user’s contact data
  • Install or delete packages
  • Write to external storage
  • Open network sockets
  • Read only access to phone state
  • Access information about networks
  • Boot complete information


After successful installation, an icon appears on the dashboard and the application registers several receivers that trigger when a specific system event occurs (for example BOOT_COMPLETED, USER_PRESENT, PHONE_STATE or SMS_RECEIVED). When the user launches the application, it shows a WebView component displaying an HTML page that looks like a token generator and appears to come from the targeted bank.
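The permission list and the receiver registrations just described are exactly what a manifest review should catch. The following Python script is an added example, not code from this post, from the magazine, or from the malware: it parses an AndroidManifest.xml, collects the requested permissions and the system-event actions its receivers listen for, and reports the combinations that match the behaviour described here (SMS interception plus sending, silent package installation, contact and device-identity exfiltration over the network, persistence via BOOT_COMPLETED/USER_PRESENT/SMS_RECEIVED receivers). The embedded sample manifest is constructed for illustration with the hypothetical package names com.example.tokengen and com.example.flashlight; it is not the real Faketoken manifest. The permission and action strings are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # manifest attributes live in the android: namespace

# Permission combinations that correspond to the behaviour described in the post.
# A finding fires only when every permission in its set is requested.
SUSPICIOUS_COMBOS = {
    "intercepts and sends SMS (mTAN theft, exfiltration by SMS)":
        {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "can install packages without the user's consent":
        {"android.permission.INSTALL_PACKAGES"},
    "reads contacts and has network access (contact-list exfiltration)":
        {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "reads phone identity (IMEI/IMSI) and has network access":
        {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
}

# System-event actions a receiver can hook for persistence or to see SMS traffic.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.PHONE_STATE",
    "android.provider.Telephony.SMS_RECEIVED",
}

# Constructed sample manifest (hypothetical package name, not the real Faketoken manifest).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tokengen">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Token Generator">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: one permission that matches its feature.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (requested permissions, actions listened for by receivers)."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    actions = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            actions.add(action.get(NAME_ATTR))
    permissions.discard(None)
    actions.discard(None)
    return permissions, actions


def triage_manifest(xml_text):
    """Report permission combinations and receiver hooks worth a closer look."""
    permissions, actions = parse_manifest(xml_text)
    findings = [desc for desc, needed in SUSPICIOUS_COMBOS.items() if needed <= permissions]
    hooked = sorted(actions & PERSISTENCE_ACTIONS)
    if hooked:
        findings.append("registers receivers for system events: " + ", ".join(hooked))
    return {
        "permissions": sorted(permissions),
        "receiver_actions": sorted(actions),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(manifest)
        print("%s -> %d finding(s)" % (label, len(report["findings"])))
        for finding in report["findings"]:
            print("  -", finding)
```

The check is deliberately about combinations rather than single permissions: SEND_SMS alone is normal for a messaging app, but SEND_SMS plus RECEIVE_SMS plus INSTALL_PACKAGES in a "token generator" is the mismatch between requested permissions and advertised features that the countermeasures at the end of this post tell the user to look for.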


In order to get the fake token (here just a random number), the user must enter the first authentication factor, which the application sends as an SMS to the author. This in turn starts a background service that sends the following information to the remote server:

  • mTAN (Mobile Transaction Number)
  • IMEI (International Mobile Equipment Identity)
  • IMSI (International Mobile Subscriber Identity)
  • Phone Number
  • Phone, Android OS Version

It then opens a back door on the compromised device, allowing an attacker to perform the following actions:


  • Execute arbitrary commands
  • Filter SMS messages based on a predefined string and then send them to the C&C server
  • Delete arbitrary SMS messages
  • Add a new C&C server
  • Send contact lists to the C&C server
  • Download and install arbitrary packages

The snooped information is POSTed to: 


http://icoolshop[DOT]ru/cp/server[DOT]php
http://iconsshopbest[DOT]com/cp/server[DOT]php
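The two server.php endpoints above, together with the bot's ability to add a new C&C server, are the basis for network-side detection of the exfiltration described in this post. The following Python detector is an added example and not part of the original article: it refangs the defanged indicators exactly as listed above and runs them over constructed proxy log lines (the timestamps, client addresses and the third-party host newhost.example are made up, and the log format of `timestamp client method url status` is an assumption). It flags any request to the two known hosts, and separately flags POSTs to the same `/cp/server.php` path on any other host as a lower-confidence pivot for a newly added server.

```python
from urllib.parse import urlparse

# Indicators copied from the post, kept defanged so they cannot be clicked by accident.
DEFANGED_C2_URLS = [
    "http://icoolshop[DOT]ru/cp/server[DOT]php",
    "http://iconsshopbest[DOT]com/cp/server[DOT]php",
]


def refang(ioc):
    """Turn a [DOT]-defanged indicator back into a matchable URL."""
    return ioc.replace("[DOT]", ".")


C2_HOSTS = {urlparse(refang(u)).hostname for u in DEFANGED_C2_URLS}
C2_PATHS = {urlparse(refang(u)).path for u in DEFANGED_C2_URLS}

# Constructed proxy log (assumed format: timestamp client method url status).
SAMPLE_PROXY_LOG = """
2012-05-20T09:58:11Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-05-20T09:59:40Z 10.0.0.5 POST http://icoolshop.ru/cp/server.php 200
2012-05-20T10:02:03Z 10.0.0.7 POST http://iconsshopbest.com/cp/server.php 200
2012-05-20T10:03:15Z 10.0.0.9 POST http://newhost.example/cp/server.php 404
2012-05-20T10:04:00Z 10.0.0.5 GET http://icoolshop.ru/cp/server.php 200
"""


def parse_proxy_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def classify(record):
    """Return a reason string if the request matches a C2 indicator, else None."""
    parts = urlparse(record["url"])
    if parts.hostname in C2_HOSTS:
        return "known C2 host"
    if record["method"] == "POST" and parts.path in C2_PATHS:
        # Same control-panel path on an unknown host: the bot can add new C&C servers.
        return "POST to C2-style path on unknown host (possible added C&C server)"
    return None


def detect_c2_traffic(lines):
    """Run every non-empty log line through classify() and collect the hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = parse_proxy_line(line)
        reason = classify(record)
        if reason:
            hits.append(dict(record, reason=reason))
    return hits


if __name__ == "__main__":
    hits = detect_c2_traffic(SAMPLE_PROXY_LOG.splitlines())
    for hit in hits:
        print("%s %s %s %s -> %s" % (hit["ts"], hit["client"], hit["method"], hit["url"], hit["reason"]))
    print("clients to isolate:", sorted({h["client"] for h in hits}))
```

Any client that shows up in the hits, even with a GET or a non-200 status, has the implant installed and should be pulled from the network and checked with the removal steps below; the path-only match is a hunting lead rather than proof and needs the host confirmed before it is added to the block list.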



Aliases:


TrojanSpy:AndroidOS/FakeToken.A (Microsoft); Android.Faketoken (Symantec); Andr/FkToken-A (Sophos)

 

Removal:


  • Open the Google Android Menu.
  • Go to the Settings icon and select Applications.
  • Next, click Manage.
  • Select the application and click the Uninstall button.

Countermeasures: 

 

  • Download applications from trusted sources, such as reputed application markets.
  • Scan the device with an updated anti-malware solution.
  • Check for unusual behavior: unknown applications being installed without your consent, SMS being sent to unknown recipients, automatic phone calls.
  • Check the permissions an application requests and make sure they match the features it provides.
  • Exercise caution on both trusted and untrusted sites before clicking links.

