Hackers' Dream Contest

Report: Mobile Challenge

0. About

Author: Tsukasa Ooi

Date: 2010/11/23

1. Find suspicious IP

192.168.0.108

2. What kind of information is being leaked out?

The device's unique ID and phone number.

3. Verbose Analysis

I used the following tools:

First of all, I tried apk2jar and jd-gui to acquire the Java source code. Because of incorrect analysis, some of the Java code came out corrupted. Even so, I could guess that these three variables in the MainAct class are used to construct a valid URL.

public String a = "http://";
public String b = ".";
public String c = "192-168-0-108";

That was right. After some string operations, the URL prefix this malicious code uses appears:

http://192.168.0.108/Ahnlab/SystemInfo=

Also, I found the Tetris_Chk method, which constructs the string from the data to be leaked. In this method, I found these two methods are used.

But if the device ID and/or phone number cannot be acquired (null), this malicious code does not send any actual information except the URL prefix. (Even so, there are some possibilities to track the user.)

Android has a permission mechanism. If the application does not have enough permissions, the privileged call will raise a SecurityException. So I had to check that the correct permissions are set. I used axml2xml.pl to extract the text XML manifest from the APK file. Then I found these two permissions are enabled.

Bingo! The malicious code works as follows: