Home > Malware > AndroidMalwareAnalysis

AndroidMalwareAnalysis

Posted on 5 Desember 2011 by c0decstuff

Foncy
Foncy is a sms android malware which targets european countries, with few analysis :

kaspersky
We can analyze it (sample sha256: 98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2) with Androguard, and Ded decompiler:

And we can obtain easily where permissions are used:

The sendTextMessage method is called 5 times in the bytecodes. If you would like to have a better view of the sample, you can use androgexf.py to generate a gexf file in order to open it with gephi. In this case, the sample is small and there are few methods calls, and it's more interesting with huge application.

This malware has a specific named "SuiConFo", which is the name of a real application on the android market. And we can check with androsim.py if the writer of the malware has used or not the original code. And in this case, it's a new application:

The first interesting method is onCreate in MagicSMSActivity, and this method does nothing except to get your country code in order to send a premium rate SMS to a specific number (r6), with a specific message (r7):

and finaly send 4 SMS messages:

It's possible to find these premium rate sms on french website:

The other method is onReceive in SMSReceiver, which hides specific number (premium rate number), and send a specific sms message (with the body of the received message) to a french number: