Today I will focus on a Java mobile malware sample (MD5: 7e92d280472ca426aff1c20fbeb8d2db).
It is spread as a jar whose main class carries an attractive name. The jar contains three files:
- a Java class (the malware engine);
- an icon image (used to make the package look attractive);
- an inf file (used to supply the SMS numbers and texts).
The following is the class code after decompilation with JD. I report only the relevant parts:
This method is used to read user-defined strings from the inf file.
This method is used to send the crafted SMS messages.
Now focus on the inf file:
As we can see, the malware reads the information it needs from the inf file, namely the destination SMS number and the message text. Let's take a look at this file to understand its format:
Answer: it seems that we have either a programming bug or a badly edited inf file. The malware will try to send 0x10 (16) SMS messages using this inf, but the file only carries information for 8 of them. Maybe this is a mistake by the malware author, or someone else edited the file incorrectly.
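To make the count mismatch concrete, here is a small triage helper I added for this post. It is not the malware's code and not the decompiled class: it builds a constructed in-memory jar with the same three-file layout (class, icon, inf), fingerprints the members, parses the inf entries, and then mimics a sender that loops a hardcoded 16 times over them. The inf line format used here (`number=...;text=...` per line) is an assumption, because the real file's layout is not reproduced above; the member names `Game.class`, `icon.png` and `sms.inf` are likewise placeholders.

```python
import hashlib
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample jar, built in memory so the script runs offline.
# Member names and the inf line format are assumptions, not the real sample.
def build_sample_jar(n_entries=8):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMIDlet-1: Game, icon.png, Game\n")
        zf.writestr("Game.class", CLASS_MAGIC + b"\x00" * 16)   # magic + fake body
        zf.writestr("icon.png", PNG_MAGIC + b"\x00" * 8)         # magic + fake body
        lines = [f"number={1000 + i};text=PAY{i}" for i in range(n_entries)]
        zf.writestr("sms.inf", "\n".join(lines) + "\n")
    return buf.getvalue()

# Assumed inf format: one "number=<digits>;text=<payload>" entry per line.
ENTRY_RE = re.compile(r"number=(?P<number>\+?\d+);text=(?P<text>.*)")

def parse_inf(data):
    """Return the (number, text) pairs found in an inf blob."""
    entries = []
    for line in data.decode("latin-1").splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("number"), m.group("text")))
    return entries

def triage_jar(jar_bytes):
    """Hash the jar, classify each member by magic bytes / extension,
    and collect every SMS entry found in inf members."""
    report = {"md5": hashlib.md5(jar_bytes).hexdigest(),
              "members": {}, "sms_entries": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            kind = "other"
            if data.startswith(CLASS_MAGIC):
                kind = "class"
            elif data.startswith(PNG_MAGIC):
                kind = "png"
            elif info.filename.lower().endswith(".inf"):
                kind = "inf"
                report["sms_entries"].extend(parse_inf(data))
            report["members"][info.filename] = kind
    return report

def simulate_send_loop(entries, loop_count=0x10):
    """Mimic a sender that iterates a hardcoded count over the inf entries.
    Returns (sent, failed_at): the messages that would go out, and the
    iteration index at which the data ran out (None if it never did)."""
    sent = []
    for i in range(loop_count):
        if i >= len(entries):
            return sent, i
        sent.append(entries[i])
    return sent, None

if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    print("md5:", report["md5"])
    for name, kind in report["members"].items():
        print(f"  {name}: {kind}")
    sent, failed_at = simulate_send_loop(report["sms_entries"])
    print(f"entries in inf: {len(report['sms_entries'])}, "
          f"would send {len(sent)}, data ran out at iteration {failed_at}")
```

With eight entries and a loop of 0x10, the simulated sender runs out of data at iteration 8; in the real Java code that point is where the behaviour depends on how the author handled the missing entries, which is exactly what to check in the decompiled send routine.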
I hope you have enjoyed this article. See you soon ;]