In April 2016, while investigating a Smishing campaign dubbed RuMMS
that involved the targeting of Android users in Russia, we also
noticed three similar Smishing campaigns reportedly spreading in Denmark
(February 2016), in Italy
(February 2016), and in both Denmark and Italy (April 2016).
Unlike the RuMMS campaign, these three campaigns in Europe used view
overlay techniques (the same technique
we described being used by SlemBunk
malware) to present nearly identical credential input UIs as seen in
benign apps, subsequently tricking unwary users into providing their
Figure 1 shows the process of how these overlay malware spread via
Smishing and infect Android users.
Figure 1. Overview
Threat actors typically first setup the command and control (C2)
servers and malware hosting sites, then put the malware apps on the
hosting sites and send victims SMS messages with an embedded link that
leads to the malware app. After landing on the user’s device, the
malware launches a process to monitor which app is running in the
foreground on the compromised device. When the user launches a benign
app into the foreground that the malware is programmed to target (such
as a banking app), the malware overlays a phishing view on top of the
benign app. The unwary user, assuming that they are using the benign
app, will enter the required account credentials, which are then sent
to remote C2 servers controlled by threat actors.
Through our close monitoring of overlay malware spreading via
Smishing messages, we recently observed that these types of attacks
did not stop despite publicity from security researchers. Instead, our
systematic study revealed some interesting and simultaneously worrying findings:
- From February 2016 to June 2016, we observed 55 malicious
binaries used in a series of Smishing campaigns targeting different
countries in Europe. All the malware samples use the same view
overlay technique to phish banking credentials, and all share the
same C2 communication protocol. Besides the three publicly disclosed
campaigns in Denmark and Italy, we observed the same
threats targeting Germany in March 2016 and Austria
from April 2016 to May 2016. In June 2016, we still see new samples
emerging and being used to target users in Denmark; a few other
European countries could be impacted as well.
- The key
functions of these samples have been the same; however, over time,
we noticed that the samples keep evolving in a few different
directions. For example, later campaigns usually targeted more
benign apps than earlier campaigns, focusing on messaging
apps, for example, as opposed to banking apps. Also, the malicious
apps used in later campaigns are often harder to analyze because
obfuscation techniques were adopted to evade detection. In
addition, some new functionality was added; in particular, we
noticed that more recent samples leveraged reflection to bypass the
SMS writing restriction enforced by the App Ops service (introduced
in Android 4.3). All of this suggests that threat actors are
actively improving their code.
- Unlike the RuMMS
campaign, which mainly used shared hosting services to distribute
the malware, the Europe Smishing campaigns show more
diversity in the associated infrastructure, including the use of
self-registered domains, compromised websites, and URL shortening
services. Since February 2016, we observed that 27 Bit.ly
links have been used. In June 2016, we noticed that another three
URL shorteners, including tr.im, jar.mar and
is.gd, were adopted in the latest campaign. This suggests
that threat actors are trying to diversify the URL shorteners to
- In total, we identified 12 C2
servers hosted in five different countries that were
involved in these campaigns. Among them, the IP address 184.108.40.206
has been used by 24 malicious apps in two campaigns and 220.127.116.11
has been used by eight malicious apps. We also observed that four
C2 servers are within the same 18.104.22.168/24 network segment.
All this suggests that the threat actors have control over
considerable network resources.
- URL shortening
services usually provide link analytics services, which
enables us to collect data on how many users (from which countries)
clicked particular short links and when it happened. Using these
services, we found there have been at least 161,349 clicks on
the 30 short links redirecting to the overlay malware, each of which
can lead to the infection of one Android device. The date
information indicated that most of the clicks occurred in the
first few days after the links were created.
Five Europe Smishing Campaigns
From February 2016 to April 2016, security researchers reported on
three campaigns involving Android overlay malware being distributed
via SMS phishing messages. As described in the reports, those
campaigns started with SMS phishing messages being sent to a user’s
phone. An example SMS message in the latest campaign is shown in
Figure 1. The message roughly translates to, “We could not deliver
your order. Please check your shipping information here
hxxp://bit[.]ly/1ZfcNeV”. Users in Denmark and Italy were reported to
be the primary targets of these three campaigns.
Our recent investigation revealed that these activities keep
developing, with other European countries, including Germany
and Austria, being impacted as well. We group these activities
into five campaigns, as shown in Table 1.
Table 1. Overview of the five Europe Smishing
campaigns ordered in the beginning dates
(*: First publicized by FireEye researchers)
Shortened links were commonly used in the five campaigns. In total,
we identified 30 short links. Some URL shorteners provide analytics,
through which anyone can see how many people clicked the link and the
countries those clicks came from. For example, Figure 2 shows that
there were 135 clicks from Germany on one of the Whats-Germany
samples, and 1,633 clicks from Austria on one of the
Figure 2. Analytics pages on one Whats-Germany
sample and one post-Austria sample
In the aforementioned Smishing campaigns, we observed that the
malware code has been evolving over time. The malware author(s) seems
to be working diligently to improve the code by adding new target
apps, obfuscating the code to evade detection, and trying to bypass
App Ops restrictions.
Adding New Target Apps
All five campaigns attempt to steal credentials from various
targeted apps. When the malicious app is started, a background service
is triggered to periodically monitor the apps running in the
foreground. When the service detects that the foreground app is one of
its targeted apps, it overlays a carefully designed phishing view on
top of the target app.
Analysis of the malware code shows that this task is executed by a
method in the main service, named initInjTask in most cases.
Figure 3 shows the code of initInjTask in one of the earliest
samples of the MPay-Denmark campaign, in which only a localized
app named MobilePay
Figure 3. MobileBank class to be started
to overlay app named “dk.danskebank.mobilepay”
(code extracted from app with a MD5 of 49dac3b35afb2e8d3605c72d0d83f631)
Figure 4 shows the code of initInjTask in one Whats-Italy
sample, in which the target was changed to a more widely used app:
Figure 4. Cards class to be started to
overlay app named “com.whatsapp”
(code extracted from app with a MD5 of 97c2d04aa0f3c3b446fc228c1dbc4837)
Figure 5 shows the code of initInjTask in one
Whats-Germany sample, in which two apps – WhatsApp and the
Google Play Store – were targeted.
Figure 5. Cards class to be started to
overlay apps WhatsApp and Play Store
(code extracted from app with a MD5 of 9e9d9a3717eed4d558a3f5eddb260901)
Figure 6 shows the code of initInjTask in one Post-Austria
sample (in this case, the malicious app was obfuscated; the code
was extracted from the dropped jar file). In total, eight worldwide
popular apps – including Uber and Tencent’s WeChat – were on its radar.
Figure 6. cqkwjqjtoz class to be started
to overlay apps 8 popular apps
(code extracted from app with a MD5 of d70296d3dc4937dedd44f93bb3b74034)
The code examples demonstrate changes in the malware over time.
Early samples targeted single apps (a localized banking app and
WhatsApp) while later samples included a broader range of apps,
suggesting that the threat actors continue to both improve their
malware and broaden their targeting, presumably for greater financial gain.
In earlier campaigns, including MPay-Denmark, Whats-Italy and
Whats-Germany, most of the malicious apps were not obfuscated and
experienced reverse engineers can work readily with the disassembled code.
Figure 7 shows the manifest file and code structures for these
earlier samples. With these two pieces of information, we see that
three receivers are registered for various purposes: to handle
incoming SMS messages; to request device-admin privileges; and to
start the app at booting time and handle two application-specific
events. There are also two services designed to be running in the
background and four activities meant to interact with users. With this
basic information at hand, adept malware analysts can readily figure
out the role played by each part of the code and further understand
how these pieces work together to achieve the malware’s goal.
Figure 7. Code structure and manifest file of
earlier un-obfuscated code
Since April 2016, we observed that all the samples in our dataset
had adopted obfuscation techniques. With the obfuscation, the manifest
file became harder to read and the code structure looked totally different.
Figure 8 presents one sample in the PostDanmark campaign. The
code structure on the left shows that there are five classes named
“a”, “b”, “c”, “d” and “mrtbeig”
with a same package name of “com.atrdectn.ioitsrc”. At the
right side, the manifest file shows there are four receivers, seven
services and four activities declared, with a different package name
of “com.lpygioep.tjzcverotl”. So where is the code of these
declared classes? What are the purposes of these classes named at
left? Here the code is much more complex to analyze.
Figure 8. Code structure and manifest file of
later obfuscated code
Deeper investigation showed that these classes defined on the left
side compose the real payload and overlay the phishing view on top of
the eight popular benign apps. Their code is in fact hidden in the
asset file named mptxip.dat, which was encoded in a special
The classes at the left side are actually unpacking code to decode
the asset file, to load the real payload at runtime, and leverage
reflection to execute the malicious code in the payload. This process
is usually much more complex, and involves a round of static analysis
first to understand what is in the code, then dynamic analysis to
recover the real payload, and then both analyses to understand the
real payload. Antivirus vendors often have difficulty identifying such
threats. As of June 8, 2016, only 6 out of 54 anti-virus tools labeled
these samples as malicious.
Bypassing App Ops Restriction
Android uses app permissions to restrict the set of sensitive
actions a particular app can take. With earlier versions of the
Android operating system, when an app is installed, the user is
prompted to agree to the permissions the app requests. If the user
declines, then the app isn’t installed – it is an all or nothing
situation. App Ops is a service framework introduced in Android 4.3
that allows the permissions of individual apps to be changed at
runtime. With App Ops, users can disallow some permission requests at
runtime. Interestingly, we observed that, starting from the
Whats-Italy campaign, the overlay malware began to adopt some
code to bypass these runtime restrictions.
Figure 10 shows a code snippet in the class MainService,
called by the launcher activity at app start time. It checks whether
the build version of the device is 19 (Android 4.4) and whether the
WRITE_SMS ops are disabled. If both conditions are true, the malware
will call the method setWriteEnabled of class SmsWriteOpUtil
(at line 93) to re-enable the permission of writing SMS.
Figure 9. Code to check and re-enable the
permission of writing SMS
Figure 10 shows the major code of SmsWriteOpUtil to re-enable
the SMS writing permission. At line 60, a handle to the system service
App Ops is fetched. At line 61, reflection is used to get access to
the particular class. At line 64 and 65, the reflection methods
getMethod and invoke are used to call a method named
setMode. These API methods are usually designed for use by
other framework code or pre-installed apps. However, in this case
threat actors use reflection to bypass the App Ops restriction.
Figure 10. Code using reflection to call App Ops
service and to enable writing SMS
To execute Smishing campaigns, threat actors first have to determine
where to host their malware. Shared hosting services were used heavily
in the RuMMS campaign, but the threat actors in these five campaigns
varied it up a bit by using self-registered domains, URL shorteners,
and compromised websites.
In our investigation, we noticed that some of the URL domains were
registered a few days before malware was hosted on the sites. Also, we
found no other services were provided on these domains. These facts
lead us to believe that those sites were registered specifically for
the Smishing campaigns.
To lure victim users to clicks these links, the domain names were
often carefully crafted for a particular campaign. For example, in the
earlier MPay-Denmark campaign, threat actors used the Danish postal
service provider as a theme and the Smishing messages came as: “You
received an MMS from XXX. Follow hxxp://mms4you[.]us/mms.apk to view
the message.” Thus, many of the domains included the words “mms”
and/or “you”, such as mmsforyou.pw, mmsservice.pw and
mmstildig.net (“til dig” is “for you” in Danish).
In the later PostDanmark campaign, the Smishing messages came
as: “Your package is available for pick up. Follow
hxxp://postdanmark[.]org/post.apk to see all the information on your
package:” Thus, many URL domains had the words “post” and/or “danmark”
present, such as postdanmark.net, postdanmark.online,
postdanmark.menu and postdanmarks.com. Note that the
official website for Post Danmark is “www.postdanmark.dk”, so all
these phishing URLs were actually mimicking the official website for
A small screen size makes shortened URLs perfect for mobile devices.
Threat actors seem to understand this, and will leverage it for their
own gain. While monitoring these five Smishing campaigns in Europe, we
observed shortened URLs being used frequently. In total, we observed
four different URL shorteners were used at least once, including
bit.ly, tr.im, is.gd and jar.ma.
Of the four, bit.ly has been the most commonly used URL
shortener. In total, we identified 27 bit.ly links were used
from February 2016 to June 2016. The other three URL shorteners were
not observed until June 2016, and only one was used for each service.
Diversifying URL shorteners suggests that the threat actors are trying
to avoid detection.
It is costly to use self-registered domains to host malware. More
capable threat actors might choose to use compromised websites for the
same purpose. Despite the risk of the victim site detecting the
compromise and removing the malware, this method can be effective: the
compromise is often not noticed until some time later, and the number
of victim clicks is usually highest at the start of a campaign and
decays a few days after the malware goes online.
While monitoring the five Smishing campaigns, we observed
compromised websites were used frequently. For example, the analytics
page for the shortened URL hxxps://bitly[.]com/1qRey7a+ shows
that on April 13, 2016, website kgiexport.com was hosting an Android
app with the file named post.apk.
How Many Clicks?
Two of the four URL shorteners, bit.ly and tr.im,
provide analytics pages for each short URL created. Figure 2 showed
analytics pages provided by bit.ly. Figure 13 shows a screenshot of
the analytics page provided by tr.im. From these pages, we can collect
data on how many people clicked the shortened URL at particular dates,
and also the countries these clicks came from.
Figure 11. Analytics page provided by tr.im
Table 2 shows relevant information on the 28 short URLs we monitored.
Table 2. Click counts on each short URL
In total, the 28 short links were clicked 161,349 times. Of these
clicks, 130,636 were from the PostDanmark campaign, which shows that
phishing messages claiming to be from the post office can be
effective. We also noticed the number of clicks decayed a few days
after these short links were created. For example, there were 96,631
clicks (67.06%) on the first day after short links were created, and
there were 30,749 clicks (21.33%) on the second day after short links
were created. These clicks come primarily from two countries: Denmark
(88.66%) and Austria (5.30%). A handful of other countries might be
impacted as well, including Germany, Luxembourg, Spain, Sweden,
Norway, United Kingdom, Netherlands, Italy, Greece, and Turkey.
All of the malicious apps we analyzed contacted a hard-coded C2
server for sending device relevant information and getting back
instructions. The URL used is in the form of
http://$C2.$SERVER.$IP/?action=command. In total, we found 12 C2
servers hosted in five different countries were involved in these
campaigns. Table 3 shows relevant information for each C2 server used
in these campaigns.
Table 3. C2 Server Relevant Information
In particular, IP address 22.214.171.124 has been used by 24 malicious
apps in the PostDanmark and post-Austria campaigns. IP
address 126.96.36.199 has been used by eight malicious apps in the
PostDanmark campaign. Note that the first four C2 servers are
within the same 188.8.131.52/24 network segment. In total, we found 38
malicious samples contacting these four C2 servers from March 2016 to
Part of Something Bigger?
While monitoring the registration records for these self-registered
domains, we found something interesting: in March 2016, a single email
address (l[REDACTED]email@example.com) registered three domains, including
postdanmark.org, postdanmark.menu and
mmstildig.info, for two of the five campaigns. Using reverse
lookup, we found another four similar domains were also registered by
the same email address in March 2016. Table 4 shows the relevant
information for these domains.
Table 4. Domains registered by the suspected
threat actor (l[REDACTED]firstname.lastname@example.org)
The first three domains were used to host overlay malware for the
MPay-Denmark and PostDanmark campaigns. We found no evidence that the
latter four domains were used for similar campaigns, but the same
registrant email address and the similar naming convention implies
that they may have been created for a similar purpose.
Smishing (SMS phishing) offers a unique vector to infect mobile
users. The latest Smishing campaigns spreading in Europe show that
Smishing is still a popular means for threat actors to distribute
their malware. In addition, threat actors have been using diversified
host schemes and different C2 servers, and have been continuously
refining their malicious code to keep infecting more users and evade detection.
To protect against these threats, FireEye suggests that users not
install apps from outside official app stores, and take caution before
clicking any links where the origin is unclear.
To detect and defend against such attacks, we advise our customers
to deploy our mobile security solution, FireEye MTP/MSM. This helps
our clients gain visibility into threats in their user base, and also
enables them to proactively hunt down devices that have been
compromised. In addition, we advise our customers with NX appliances
to ensure that Wi-Fi traffic is scanned by NX appliances to extend
coverage to include mobile devices.
This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog