Android SMS Bot Uses Twitter to Hide C&C Server

An Android SMS bot that uses Twitter and spreads through spam attachments read from Android-running devices was spotted in the wild. With the ability to hide its launcher icon, the SMS bot makes it difficult for users to spot its detection after the installation process is completed.

Its foreground process is named “Be social! plugin” and it activates when it receives intents like android.intent.action.BOOT_COMPLETED or android.intent.action.USER_PRESENT. In other words, when you power up or wake your device, it starts sending device information such as device id, IMEI, and phone number to a command and control server.

The malware uses various Twitter profiles to get a domain name – a common technique used to obfuscate the malicious domain. Afterwards, a post-request at the Twitter-obtained domain name, containing the “carbontetraiodide” string, is sent with all the information about the device. After completion, it waits for other commands to execute.

Here`s a code snippet where the malware gets the domain name:

It stands to reason that all Twitter profiles were created by the malware coders. Randomly reading profiles for domain names is an efficient method of obfuscating the command and control server address.

Here`s a code snipped where the malware communicates with the command and control server:

The Android bot also receives instructions to send SMS messages by accepting parameters like phone number, message content, and the number of times the message is to be sent. This is common practice for voting malware.

The bot also sends information such as “bot id” and a list of “modules”, implying that malware coders want to keep tight records of how many devices they control. Although it doesn`t currently have the ability to intercept or stop SMS broadcasts, the fact that it can send SMS messages without users` consent is troubling enough.

Here`s a code snippet where the malware sends unauthorized SMS messages:

Using Twitter to hide transmission channels is not something we usually encounter in Android malware, thus suggesting an evolution in the way malware coders plan their attacks.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the technical information provided courtesy of Ioan Lucian STAN, Malware Researcher.