Analysis of Smack Remote Control Trojan
The AVL mobile security team recently discovered an Android spyware program built on XMPP, using the Smack client library together with an Openfire server. The malware has the following features:
1. Uploads the user's contacts, text messages, call records, GPS location information and other data according to commands sent by the remote client;
2. Hides its own icon;
3. Intercepts specified text messages.
Smack is an open-source XMPP (Jabber) client connection library. It provides functions such as sending and receiving messages and monitoring the current presence status of other clients. When the malware uses Smack, it first establishes a connection to the XMPP server, then logs in with a preset user name and password. After a successful login, it creates a chat object to communicate with other users; the traffic is carried mainly in XML format.
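Because everything the controlled end exchanges with the master is XML carried over an XMPP stream, a defender who has a traffic capture from the device can pull the login and the command messages straight out of it. The script below is an added triage example written for this article, not code from the sample or from Smack. The stanzas in `SAMPLE_STREAM` are constructed, not real captured traffic; the JIDs and command string are assumptions. It handles the one property that trips up naive parsing: an XMPP stream is a single XML document whose stanzas arrive as fragments, so the captured text is wrapped in a synthetic root before parsing.

```python
"""Triage parser for captured XMPP (Smack/Openfire) client traffic.

An XMPP stream is one long XML document per direction, so a capture of
individual stanzas is not itself a well-formed document.  We wrap the text
in a synthetic <stream> root that declares the default 'jabber:client'
namespace, which is what the real <stream:stream> element would supply.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

CLIENT_NS = "jabber:client"
LEGACY_AUTH_NS = "jabber:iq:auth"   # XEP-0078 non-SASL login, credentials in the clear

# Constructed sample (not real traffic): a legacy-auth login by the controlled
# end, one command from the master, and the controlled end's reply.
SAMPLE_STREAM = """
<iq type='set' id='auth1'><query xmlns='jabber:iq:auth'><username>bot01</username><password>s3cret</password><resource>Smack</resource></query></iq>
<message to='bot01@example.test/Smack' from='master@example.test/Spark' type='chat'><body>upload_contacts</body></message>
<message to='master@example.test/Spark' from='bot01@example.test/Smack' type='chat'><body>ok 42 entries</body></message>
"""


@dataclass
class Stanza:
    kind: str            # 'message', 'iq' or 'presence'
    sender: str          # value of the 'from' attribute ('' if absent)
    recipient: str       # value of the 'to' attribute ('' if absent)
    body: str            # <body> text for messages, '' otherwise
    element: ET.Element  # raw element, for stanza-specific inspection


def parse_stanzas(stream_text: str) -> List[Stanza]:
    """Split a captured stream fragment into top-level stanzas."""
    wrapped = f"<stream xmlns='{CLIENT_NS}'>{stream_text}</stream>"
    root = ET.fromstring(wrapped)
    stanzas = []
    for el in root:
        # Strip the '{namespace}' prefix ElementTree puts on tag names.
        kind = el.tag.split("}", 1)[1] if "}" in el.tag else el.tag
        body_el = el.find(f"{{{CLIENT_NS}}}body")
        body = body_el.text.strip() if body_el is not None and body_el.text else ""
        stanzas.append(Stanza(kind, el.get("from", ""), el.get("to", ""), body, el))
    return stanzas


def find_plaintext_credentials(stanzas: List[Stanza]) -> List[Tuple[str, str]]:
    """Recover (username, password) pairs sent via legacy jabber:iq:auth.

    A preset account embedded in the malware shows up here, which is useful
    both as an indicator and for requesting takedown of the account.
    """
    creds = []
    for s in stanzas:
        if s.kind != "iq":
            continue
        query = s.element.find(f"{{{LEGACY_AUTH_NS}}}query")
        if query is None:
            continue
        user = query.findtext(f"{{{LEGACY_AUTH_NS}}}username", default="")
        password = query.findtext(f"{{{LEGACY_AUTH_NS}}}password")
        if password is not None:
            creds.append((user, password))
    return creds


def bare_jid(jid: str) -> str:
    """Drop the resource part: user@host/resource -> user@host."""
    return jid.split("/", 1)[0]


def commands_from(stanzas: List[Stanza], controller_bare_jid: str) -> List[str]:
    """Return message bodies sent by the given controller account."""
    return [
        s.body
        for s in stanzas
        if s.kind == "message" and bare_jid(s.sender) == controller_bare_jid and s.body
    ]


if __name__ == "__main__":
    parsed = parse_stanzas(SAMPLE_STREAM)
    print("credentials:", find_plaintext_credentials(parsed))
    print("commands from master:", commands_from(parsed, "master@example.test"))
```

In a real capture the master's JID is not known in advance; a practical first pass is to group message bodies by bare sender JID and treat the account that only ever sends short imperative strings as the controller. Note that this only works on traffic that is not TLS-protected, or on a capture taken from inside the device after decryption.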
Detailed analysis:
After the program runs, the controlled end first logs in automatically, and network access follows a successful login. Once a network connection with the master (the controller) is established, the controlled end carries out malicious operations such as stealing private data according to the instructions it receives. The figure below outlines the process.
After the program starts, it first obtains the account name and password:
The data is stored in an XML file.
Then it starts the online login operation:
The icon can be hidden based on the returned data:
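An app that hides its own launcher icon leaves two static traces an analyst can look for: a launcher activity declared in the manifest, and a call that disables that component. The helper below is an added example written for this article, not code from the sample; the manifest and Java fragment are constructed stand-ins with placeholder names (`com.example.placeholder`, `MainActivity`, `XmppService`), and the heuristic assumes the Android `PackageManager.setComponentEnabledSetting` API, which is what is commonly used for this purpose.

```python
"""Static triage helpers for the 'hide own icon' behaviour of an Android sample.

Given the decoded AndroidManifest.xml and decompiled source text, find the
launcher activity (the component that must be disabled to hide the icon) and
check whether the source disables it.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed sample manifest (placeholder package; not the analysed sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".XmppService"/>
  </application>
</manifest>"""

# Constructed decompiled-Java fragment showing the component-disable pattern.
SAMPLE_SOURCE = """
PackageManager pm = getPackageManager();
ComponentName cn = new ComponentName(this, MainActivity.class);
pm.setComponentEnabledSetting(cn, PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
                              PackageManager.DONT_KILL_APP);
"""


def _attr(el: ET.Element, name: str, default: str = "") -> str:
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}", default)


def launcher_activities(manifest_xml: str) -> List[str]:
    """Fully qualified names of activities that put an icon in the launcher."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            categories = {_attr(c, "name") for c in flt.findall("category")}
            if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
                name = _attr(activity, "name")
                # A leading dot means 'relative to the package name'.
                found.append(package + name if name.startswith(".") else name)
    return found


def requested_permissions(manifest_xml: str) -> List[str]:
    """All <uses-permission> names, for quick capability review."""
    root = ET.fromstring(manifest_xml)
    return [_attr(p, "name") for p in root.iter("uses-permission")]


# Disabling a component via setComponentEnabledSetting(..., COMPONENT_ENABLED_STATE_DISABLED, ...)
HIDE_ICON_RE = re.compile(
    r"setComponentEnabledSetting\s*\(.*?COMPONENT_ENABLED_STATE_DISABLED", re.S
)


def hides_own_icon(source_text: str, launchers: List[str]) -> bool:
    """Heuristic: the disable call appears and a launcher activity is named nearby.

    The ComponentName is usually built a few lines above the call, so we look
    for the activity's simple class name in a window preceding the match.
    """
    match = HIDE_ICON_RE.search(source_text)
    if match is None:
        return False
    window = source_text[max(0, match.start() - 300):match.end()]
    return any(fq.rsplit(".", 1)[-1] in window for fq in launchers)


if __name__ == "__main__":
    launchers = launcher_activities(SAMPLE_MANIFEST)
    print("launcher activities:", launchers)
    print("permissions:", requested_permissions(SAMPLE_MANIFEST))
    print("hides own icon:", hides_own_icon(SAMPLE_SOURCE, launchers))
```

A positive result is a strong indicator rather than proof: legitimate apps occasionally disable components too. Combined with the permission list (SMS, contacts, location, audio) and an XMPP connection to a fixed account, however, it matches the behaviour described in this analysis closely enough to prioritise the sample.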
The program performs multiple sensitive operations according to remote commands from the master, including uploading files, text messages, contacts, recordings, and location. The figure below shows the related code:
Note: the program first saves the collected data to a local folder and then uploads it in a single batch. The figure below shows the upload URL:
The following is the URL obtained through static analysis.