- Category: Gadget Featured
- Published on Sunday, 23 January 2011 19:18
- Written by Dinesh Venkatesan
First Trojan for Android
The ever-changing threat landscape has witnessed its first Trojan for the Android platform. On the 5th of this August, we received a Trojan that claimed to be a movie “codec” for Android devices. Fellow researchers at Kaspersky Lab discovered this threat in the wild.
The binary file is in Dalvik Executable format (.dex). Dalvik is the virtual machine on Android mobile devices. It runs applications which have been converted into a compact Dalvik Executable (.dex) format suitable for systems that are constrained in terms of memory and processor speed.
On further reversing, this piece of malware was found to follow a few interesting traditional malware “customs”. The malware creators seem to have paid attention to the numerous Java decompilers available to reversers. With this in mind, they have tried to obfuscate the code so that it does not give up readable source during decompilation [Figure 1].
Fig.1: The anti-decompilation measures in effect
However, for an interpreted bytecode platform (such as Java), no obfuscation is enough to curb reversing. With a few adjustments we land on the malicious payload [Figure 2].
Fig.2: The decompiled code
The code is as readable as plain text. The attack then relies on the age-old social engineering trick of sending text messages to supposedly premium-rate numbers such as “3353” and “798657”. Here is a snapshot of the installation of this piece in a restricted emulator [Figure 3].
Fig.3: Installation of the decompiled piece in the emulator
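The premium-SMS behaviour above is easy to spot statically once the code has been decompiled. The following is an added example (not code from the original post or from the FakePlayer sample) of a small triage check: it reads the manifest for the SEND_SMS permission and scans decompiled Java source for sendTextMessage calls whose destination is a hard-coded short code. The manifest and source excerpts are constructed for illustration and only mimic the behaviour the post describes.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed AndroidManifest.xml excerpt (not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.fakeplayer">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed decompiled-Java excerpt modelled on the behaviour described in the post.
SAMPLE_SOURCE = """
public class MoviePlayer extends Activity {
    public void onCreate(Bundle state) {
        super.onCreate(state);
        SmsManager sm = SmsManager.getDefault();
        sm.sendTextMessage("3353", null, "798657", null, null);
        sm.sendTextMessage("798657", null, "798657", null, null);
        sm.sendTextMessage(userNumber, null, "hello", null, null);  // runtime value, not a literal
    }
}
"""

# Matches sendTextMessage(...) calls whose first argument is a numeric string literal.
SEND_SMS_CALL = re.compile(r'sendTextMessage\s*\(\s*"(\+?\d+)"')

def manifest_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def literal_sms_destinations(source):
    """Destinations passed to sendTextMessage as string literals, in source order."""
    return SEND_SMS_CALL.findall(source)

def is_short_code(number):
    # Heuristic: premium-rate short codes are 3-6 digits with no country prefix.
    return not number.startswith("+") and 3 <= len(number) <= 6

def assess(manifest_xml, source):
    """Flag the app when it can send SMS and hard-codes at least one short code."""
    perms = manifest_permissions(manifest_xml)
    dests = literal_sms_destinations(source)
    short = [d for d in dests if is_short_code(d)]
    has_send_sms = "android.permission.SEND_SMS" in perms
    return {"send_sms": has_send_sms, "destinations": dests,
            "short_codes": short, "suspicious": has_send_sms and bool(short)}

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

A destination supplied at runtime (as in the third call) is not caught by this check, so it is a triage aid, not a replacement for dynamic analysis in an emulator.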
It is obvious that cyber criminals have decided to take on the Android platform, considering the huge potential of its growing customer base. As always, we recommend practicing common sense when installing any untrusted application and keeping your security software up to date. We detect this Trojan as "AndroidOS/FakePlayer.A" and are constantly monitoring the trend.