How does SmsBot work?
SmsBot was designed to be implemented as a bot (hence the "Bot" in SmsBot) that executes commands received from the attacker and then steals money from the user by compromising their bank accounts through banking apps.
Once installed, the malware deletes its app icon from the infected device's home screen. It then collects the device's IMEI, model name, current system language, IMSI, mobile number, mobile network operator name, OS version, whether Viber is installed, the Trojan's version and a unique Trojan ID generated for the infected device. All of this information is sent to the command and control server, which in turn instructs the malware to check the device for known banking apps such as Alfa-Bank or Sberbank of Russia. The server also commands the malware to check the balances of the user's relevant bank accounts, QIWI wallet and mobile account.
Here is the list of commands the remote server can issue:
- send a list of all SMS messages to the server
- send a list of installed apps to the server
- send a predefined SMS message to a specific number
- enable or disable SMS intercepts
- send a USSD query
- send a list of contacts to the server
- set a new command and control server address
- send a message to a specific number via Viber
The Trojan sends execution reports to the command and control server through POST requests. It also hides intercepted SMS messages from the user and forwards them to the server, again via POST request.
SmsBot hides a given SMS message by first disabling all sound alerts. While the sound alert is off, the malware deletes the incoming message from memory. After 3 seconds, it re-enables the sound alerts.
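The command list and the SMS-hiding behaviour above translate into a recognisable set of manifest permissions plus a high-priority SMS receiver. The following triage script is an added example (not code from the original post or from Dr.Web) that checks an AndroidManifest.xml for that capability set; the manifest text is constructed, and the package name is a placeholder.

```python
"""Static triage of an Android manifest for the SmsBot-style capability set
described above. Added example; the manifest text is constructed, not taken
from any real sample."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Each capability attributed to SmsBot in the write-up, with the permissions an app needs to implement it.
CAPABILITY_PERMISSIONS = {
    "intercept/forward SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "collect IMEI/IMSI/number": {"android.permission.READ_PHONE_STATE"},
    "upload contacts": {"android.permission.READ_CONTACTS"},
    "USSD queries": {"android.permission.CALL_PHONE"},
    "talk to C2": {"android.permission.INTERNET"},
}

def analyze_manifest(xml_text):
    """Return the matched capabilities, whether a high-priority SMS receiver exists, and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    caps = sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if need & perms)
    # A receiver for SMS_RECEIVED with a very high priority is ordered ahead of the
    # stock messaging app, which is what lets an app see (and suppress) a message first.
    high_prio_sms = any(
        SMS_RECEIVED in {a.get(A + "name") for a in f.iter("action")}
        and int(f.get(A + "priority", "0")) >= 999
        for r in root.iter("receiver") for f in r.iter("intent-filter")
    )
    suspicious = high_prio_sms and {"send SMS", "intercept/forward SMS", "talk to C2"} <= set(caps)
    return {"capabilities": caps, "high_priority_sms_receiver": high_prio_sms, "suspicious": suspicious}

# Constructed manifest that exhibits the full capability set from the write-up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(analyze_manifest(SAMPLE_MANIFEST))
```

Icon hiding is done at runtime through PackageManager rather than in the manifest, so this check covers the permission and receiver side only; pair it with runtime monitoring for a disabled launcher component.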
Article Ref: http://vms.drweb.com/virus/?i=7548647