In the past we have seen many targeted attacks on platforms line windows and Mac OS X. Now the cyber criminals who are making a targeted attack are using Android Malware. Generally in an email attachment we have seen that there is an infected doc, docx, xls, pdf file. But not there is an apk file (apk file is the extension of all Android apps)
March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list. This is what the spear phishing e-mail looked like:
The malicious APK is 334326 bytes file, MD5: 0b8806b38b52bebfe39ff585639e2ea2 and is detected by Kaspersky Lab products as “Backdoor.AndroidOS.Chuli.a”.
After you launch the Android app you will see.
The full text reads follows. Notice notice the use of the mistaken “Word” instead of “World”:
“On behalf of all at the Word Uyghur Congress (WUC), the Unrepresented Nations and Peoples Organization (UNPO) and the Society for Threatened Peoples (STP), Human Rights in China: Implications for East Turkestan, Tibet and Southern Mongolia
In what was an unprecedented coming-together of leading Uyghur, Mongolian, Tibetan and Chinese activists, as well as other leading international experts, we were greatly humbled by the great enthusiasm, contribution and desire from all in attendance to make this occasion something meaningful, the outcome of which produced some concrete, action-orientated solutions to our shared grievances. We are especially delighted about the platform and programme of work established in the declaration of the conference, upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future. With this in mind,we thoroughly look forward to working with you on these matters.
Chairman of the Executive Committee
Word Uyghur Congress”
While the victim reads the message the malware collects the following informations:
- Contacts (stored both on the phone and the SIM card).
- Call logs.
- SMS messages.
- Phone data (phone number, OS version, phone model, SDK version).
The data does not gets automatically uploaded to C&C server. The Trojan waits for incoming SMS messages (the “alarmReceiver.class”) and checks whether these messages contain one of the following commands: “sms”, “contact”, “location”, “other”. If one these commands is found, then the malware will encode the stolen data with Base64 and upload it to the command and control server. The C2 URL is:
The remote C&C server is running a Windows Server 2003
It looks like the attacker speaks Chinese as the Windows Server is running in Chinese language.