Video Screencast Help
Security Response

Android Trojan Spreads Message of Revolution

Created: 19 Dec 2011 18:30:30 GMT • Updated: 23 Jan 2014 18:18:04 GMT • Translations available: 日本語
Irfan Asrar's picture
+3 3 Votes
Login to vote

Hacktisivm, or as one blogger put it “Revolution 2.0”, is something I would describe as an activist agenda where there may be no visible monetary gain by the instigator. Instead the overall goal is to send a message or get a point across. Even though, on occasion, the message may be something many will sympathize with, this doesn’t mean it’s a victimless crime. In many cases, the cost of getting an agenda across may involve using resources (even people without consent).  An example of this emerged over the past weekend. For many across the Arab world, December 18, 2010, marked the birth of what is now come to be commonly known as “The Arab Spring”. Among the many online tools that are being used to coordinate, inform, and get the word out about protests, Symantec has discovered a Trojan mass-mailer/downloader embedded in an Android App.

The Trojan was embedded into a pirated, popular Islamic compass app. Based on our research, the malicious version was only distributed through forums focusing on Middle Eastern issues. The official version of the app, available on the Android Market, is not affected and, as the screenshot indicates, this pirated app contains expanded permissions beyond what is requested from the official one.

After the installation of the app, the code goes to work on device start up, silently working in the background as a service called “alArabiyyah”. It randomly picks one link from a list of eighteen and then sends out an SMS message to every contact in the address book of the compromised device, sending them a link to a forum site. Each forum site has identical content and appears to be a tribute to Mohamed Bouaziz.

Examining the web content, we haven’t ruled out the possibility that the posts on these forums were the result of a SQL injection attack, hence the identical content, but we haven’t been able to confirm this due to the number of people sympathizing with the cause and reposting content from other sites.

There is an added functionality in the code: if the compromised device reports back the country ISO as BH, which is the country code for the Kingdom of Bahrain, an attempt is made to download a PDF file to the SD Card of the device. The PDF file was examined and does not contain any malicious code or exploits. The report itself is a fact-finding inquiry by the Bahrain Independent Commission of Inquiry on allegations of human rights violations.

There has been a lot of discussion regarding the impact of the Internet, social media, and even the availability of cheap cell phones on the uprisings in the Middle East. In a way, this threat is a testament to the rise of Hacktisivm 2.0.

For those using Norton Mobile Security, Symantec detects this threat as Android.Arspam.