AndroidMalwareAnalysis

Foncy
Foncy is an SMS Android malware that targets European countries, and only a few analyses of it have been published so far:

Kaspersky
We can analyze it (sample SHA-256: 98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2) with Androguard and the Ded decompiler:


We can also easily obtain where each permission is used:


The sendTextMessage method is called 5 times in the bytecode. If you would like a better view of the sample, you can use androgexf.py to generate a GEXF file and open it with Gephi. In this case the sample is small and there are few method calls, so this is more useful on a large application.
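The two checks above (SMS permissions and the sendTextMessage call sites) can be automated with Androguard's AnalyzeAPK, find_methods and get_xref_from. The script below is an added example, not code from the original write-up or from Androguard itself; it assumes Androguard 3.3 or later, the functions collect_facts and assess are its own names, and the FONCY_LIKE facts are constructed to mirror the counts described here so that the scoring runs without an APK.

```python
from dataclasses import dataclass, field

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
SMS_MANAGER = "Landroid/telephony/SmsManager;"

@dataclass
class SmsFacts:
    permissions: set           # manifest permissions
    receivers: list            # manifest BroadcastReceiver class names
    send_sites: list = field(default_factory=list)  # (caller class, caller method)

def collect_facts(apk_path):
    """Extract the facts with Androguard (assumed >= 3.3; imported lazily so assess() runs without it)."""
    from androguard.misc import AnalyzeAPK
    a, _d, dx = AnalyzeAPK(apk_path)
    sites = []
    # find_methods() matches the API method; get_xref_from() lists every call site in the app
    for api in dx.find_methods(classname=SMS_MANAGER, methodname="sendTextMessage"):
        for _cls, caller, _offset in api.get_xref_from():
            sites.append((caller.class_name, caller.name))
    return SmsFacts(set(a.get_permissions()), list(a.get_receivers()), sites)

def assess(facts):
    """Return (score, findings). A triage heuristic, not a signature."""
    score, findings = 0, []
    if "android.permission.SEND_SMS" in facts.permissions and facts.send_sites:
        score += 2
        callers = sorted({f"{c}->{m}" for c, m in facts.send_sites})
        findings.append(f"sendTextMessage called at {len(facts.send_sites)} site(s): {callers}")
    if "android.permission.RECEIVE_SMS" in facts.permissions and facts.receivers:
        score += 1
        findings.append("RECEIVE_SMS with receiver(s): " + ", ".join(facts.receivers))
    if score == 3:
        findings.append("sends and intercepts SMS: inspect call sites for hard-coded numbers")
    return score, findings

# Constructed facts mirroring this write-up (4 sends in onCreate, 1 in onReceive);
# the package name com.example is a placeholder, not the sample's real package.
FONCY_LIKE = SmsFacts(
    permissions={"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    receivers=["com.example.SMSReceiver"],
    send_sites=[("Lcom/example/MagicSMSActivity;", "onCreate")] * 4
               + [("Lcom/example/SMSReceiver;", "onReceive")],
)

if __name__ == "__main__":
    import sys
    facts = collect_facts(sys.argv[1]) if len(sys.argv) > 1 else FONCY_LIKE
    print(assess(facts))
```

Run it with an APK path to analyze a real file; without arguments it scores the constructed facts.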


This malware uses a specific name, "SuiConFo", which is the name of a real application on the Android Market. With androsim.py we can check whether the malware author reused the original code; in this case, it is a new application:


The first interesting method is onCreate in MagicSMSActivity. This method does nothing except get your country code in order to send a premium-rate SMS to a specific number (r6) with a specific message (r7):



and finally sends 4 SMS messages:


It is possible to find these premium-rate SMS numbers on a French website:



The other method is onReceive in SMSReceiver, which hides a specific number (the premium-rate number) and sends a specific SMS message (containing the body of the received message) to a French number:



We can find that some end users complain about this specific French number:



The Foncy Android malware is in our open-source database if you would like to test your apps:

desnos@destiny:~/androguard$ ./androsign.py -d apks/malwares/foncy/ -b signatures/dbandroguard -c signatures/dbconfig
98a402d885cdb941dca8b45a4bbcbbe7f44ba62910d519bc1c2161dba117ebd2 : ----> Foncy
81dd17ea168cf884bfb5aebb7cd2241a5624d1ae14444594bf7677e1080339f9 : ----> Foncy
d9ef940236f285548a60be0d575d7bba4587bdfc3f6c56f38b5da601686344a9 : ----> Foncy
SuiConFo 1.26.apk : ----> None
127sc.apk : ----> None

Source: AndroidMalwareAnalysis | Foncy

