Security Alert: New BeanBot SMS Trojan Discovered

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
This week, my research team, in collaboration with NQ Mobile, has discovered a new SMS Trojan in alternative Android markets. This Trojan is controlled remotely. It will not only transport personally identifiable information to its Command and Control (C&C) server, but also stealthily send text messages in the background, resulting in unwanted charges on the user's phone bill. One interesting thing about BeanBot is that its C&C server falls in the same domain name that has been associated with the ZeuS malware in the past, which naturally raises the suspicion about its connection to ZeuS malware. Our study however does not indicate any such connection.

How It Works

BeanBot is included in multiple repackaged free versions of paid apps, which are redistributed in third-party marketplaces. Its main behavior is summarized in the following figure.


Specifically, there are three key steps:
  1. Infected apps contain a main control service, OperateService. This service is activated either by a phony "upgrade" screen within the app, or by hooking certain system events (such as the device booting up or hanging up on a phone call).
  2. Once started, BeanBot contacts its C&C server (http://xxxxx.gicp.net:8083/sp/sync.action), providing it a raft of information, including the device’s identity number (IMEI), subscriber ID (IMSI) and phone number.
  3. After handshaking with the C&C server, the malware retrieves instructions from a different address on the same server (http://xxxxx.gicp.net:8081/jserver/sp). These instructions can be to open a web page, call a phone number, or send an SMS text message to a premium number. In the last case, once the text message has been sent, the SMS inbox is sanitized; the C&C server is then contacted with the amount earned and the previously sent personal information.
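The two C&C endpoints above (handshake on port 8083 at /sp/sync.action, command retrieval on port 8081 at /jserver/sp, both under a gicp.net dynamic-DNS name whose first label the advisory redacts) are enough to build a network-side detector. The following Python script is an added example, not part of the original alert or the NQ Mobile/NC State analysis: it scans proxy-style log lines for the two stages and reports clients that completed both, which is the strongest indicator of an active infection. The log format and the `abcde` host label are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the advisory: (domain suffix, port, path, stage name).
# The real host label is redacted on the page, so we match any subdomain of gicp.net.
BEANBOT_INDICATORS = (
    ("gicp.net", 8083, "/sp/sync.action", "handshake"),
    ("gicp.net", 8081, "/jserver/sp", "command-fetch"),
)

# Constructed sample proxy log (not a real capture): "timestamp client method url status".
# "abcde" stands in for the redacted host label.
SAMPLE_LOG = """\
2011-10-12T09:14:02Z 10.0.0.21 GET http://www.example.com/index.html 200
2011-10-12T09:14:05Z 10.0.0.34 POST http://abcde.gicp.net:8083/sp/sync.action 200
2011-10-12T09:14:09Z 10.0.0.34 GET http://abcde.gicp.net:8081/jserver/sp 200
2011-10-12T09:15:00Z 10.0.0.21 GET http://abcde.gicp.net:8080/home 200
2011-10-12T09:16:11Z 10.0.0.50 POST http://abcde.gicp.net:8083/sp/sync.action 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Hit:
    timestamp: str
    client: str
    stage: str
    url: str


def classify_url(url):
    """Return the BeanBot stage a URL matches ("handshake" / "command-fetch"), or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for domain, ind_port, path, stage in BEANBOT_INDICATORS:
        in_domain = host == domain or host.endswith("." + domain)
        if in_domain and port == ind_port and parts.path == path:
            return stage
    return None


def scan_log(text):
    """Parse log lines and return a Hit for every request matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, _method, url, _status = m.groups()
        stage = classify_url(url)
        if stage:
            hits.append(Hit(ts, client, stage, url))
    return hits


def infected_clients(hits):
    """Clients seen performing both the handshake and a command fetch."""
    stages = {}
    for h in hits:
        stages.setdefault(h.client, set()).add(h.stage)
    return sorted(c for c, s in stages.items() if {"handshake", "command-fetch"} <= s)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h.timestamp, h.client, h.stage, h.url)
    print("clients with full C&C cycle:", infected_clients(found))
```

A client that only shows the handshake (10.0.0.50 in the sample) is still worth a look, since the second stage may simply have fallen outside the log window; the port-and-path match on a dynamic-DNS domain is deliberately strict so that unrelated gicp.net traffic (the port-8080 request above) is not flagged.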

BeanBot takes certain measures to lower its profile. It is structured as a set of three services and a receiver, which are contained in a package that is deceptively named so as to appear as though it is from Google itself. Furthermore, its C&C server addresses are encrypted. After the decryption, we found that the domain name has been associated with the ZeuS malware in the past, which naturally raises the suspicion about its connection to ZeuS malware. However, our study does not show any such connection.
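The structural traits described above (a control service started by boot or call-state broadcasts, SMS permissions, and a package name that imitates Google's namespace) can be checked statically from an app's AndroidManifest.xml before it is installed. The script below is an added example, not code from the alert or from the researchers' tooling. The sample manifest is constructed: `OperateService` is the service name the advisory gives, while the other component names, the package name and the app label are placeholders. The Google-namespace rule is a heuristic only, since a genuine Google app proves its origin through its signing certificate, which a manifest alone does not show.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicator sets derived from the advisory's description of BeanBot.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.RECEIVE_SMS",
}
IDENTITY_PERMISSIONS = {"android.permission.READ_PHONE_STATE"}
# Broadcasts that let a receiver start work without the user opening the app:
# device boot and call-state changes (the "hanging up on a phone call" trigger).
BACKGROUND_TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.PHONE_STATE",
    "android.intent.action.NEW_OUTGOING_CALL",
}
IMPERSONATED_NAMESPACES = ("com.google.", "com.android.")

# Constructed sample manifest; names other than OperateService are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Placeholder Game">
    <activity android:name=".MainActivity"/>
    <service android:name=".OperateService"/>
    <service android:name=".PlaceholderServiceTwo"/>
    <service android:name=".PlaceholderServiceThree"/>
    <receiver android:name=".PlaceholderReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: one activity, network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Return component inventory plus a list of BeanBot-style findings."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    services = [_attr(e, "name") for e in app.iter("service")] if app is not None else []
    triggers = set()
    if app is not None:
        for rcv in app.iter("receiver"):
            for act in rcv.iter("action"):
                triggers.add(_attr(act, "name"))

    findings = []
    if perms & SMS_PERMISSIONS:
        findings.append("sms-capability")
    if perms & IDENTITY_PERMISSIONS:
        findings.append("device-identity-access")
    if services and (triggers & BACKGROUND_TRIGGERS):
        findings.append("service-with-background-trigger")
    if package.startswith(IMPERSONATED_NAMESPACES):
        findings.append("google-namespace-package")

    return {
        "package": package,
        "services": services,
        "triggers": sorted(t for t in triggers if t),
        "findings": findings,
        # Three or more independent traits together is the review threshold used here.
        "suspicious": len(findings) >= 3,
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyze_manifest(text))
```

Each finding on its own is common in legitimate apps (messaging apps need SMS permissions, launchers listen for boot), so the script reports the combination rather than any single trait, and the result is a triage signal for an analyst rather than a verdict.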

BeanBot has been found in repackaged versions of paid apps that use the Android Application Licensing mechanism, which is designed to deter casual piracy. The malware rewrites a small portion of the original app's code to wrap a framework call designed to get information about the app; instead of making this call directly, new code calls the original framework call but changes certain fields in the returned object to deceive the licensing code. In this way, BeanBot can use the original app's code with very minimal modifications.

Mitigation:

Because BeanBot can be remotely controlled, we consider that it poses a serious threat to mobile users. For mitigation, please follow common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: October 13th, 2011