FireeyeFireEye labs recently found a new variant of Android.MisoSMS, Android malware that steals users’ personal SMS contents.

The previous discovery of Android.MisoSMS was known to perform exfiltration of confidential information from infected users to the command and control server. All incoming SMS messages were intercepted and sent to the CnC server using email.

Both variants have in common to use the same names for receivers and services, but while the old variant masquerades as a “settings” application, the new variant presents itself as “Gplay Dsc” to the user and now implements all command and control mechanisms natively in C++, making it harder for an analyst to perform analysis by looking at ARM disassembly.

The newer variant also hard codes specific public DNS servers such as the following:

1. resolver1.opendns.com

2. nscache.prserv.com

3. resolver1.qwest.net

4. resolver2.opendns.com

5. google-public-dns-b.google.com

6. google-public-dns-a.google.com

7. mx1.oray.net.cn

8. 183.136.132.176

9. 183.136.132.170

It then attempts to resolve its CnC domain name (puk.nespigt.iego.net) from one of the above listed DNS servers, that allow it to stay quiet in sandbox environments where access to public networks is restricted and internal DNS servers are used. If the above-mentioned DNS servers are not accessible, the malware stays dormant in the device

The new malware variant uses a variant of the XTEA encryption algorithm to communicate with its CnC server. Besides, the request and responses of the CnC server are structured in such a way that the first four bytes of the request and response contain the length of the encrypted blob of data.

Skipping the first four bytes allows FireEye to decrypt the communications by using the key embedded in the native binary.

Figure:-New infection registration

Fireeye

The figure shows the registration of a newly infected device to the CnC server. The first four bytes in the encrypted payload mark the length of the message. The rest of the payload contains the information about the infected device.

It is interesting to see the growth of sophistication with Android.MisoSMS, The changes to this variant show that there is increasing interest in the contents of targeted user’s private SMS messages for an attacker. Of course, FireEye Mobile Threat Prevention customers are secured from this threat. For more detailed information, please go to FireEye’s blog.

By MediaBUZZ