Author: Tsukasa Ooi
Date: 2010/11/23
192.168.0.108
The device's unique ID and phone number.
I used the following tools:
First of all, I tried apk2jar and jd-gui to recover the Java source code. Because of incorrect decompilation, some of the Java code was corrupted. Even so, I could guess that these three variables in the MainAct class are used to construct a valid URL.
public String a = "http://";
public String b = ".";
public String c = "192-168-0-108";
That was right. After some string operations (the dashes in c are replaced with b), the URL prefix this malicious code uses appears:
http://192.168.0.108/Ahnlab/SystemInfo=
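A small static-analysis helper, added here as an example and not part of the original analysis, that recovers dash-for-dot obfuscated URLs of this kind from the String fields of decompiled source. The sample Java below is constructed to mirror the MainAct fields; the path field d is an assumption, since the analysis only shows the three fields quoted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of decompiled Java, modelled on the MainAct fields quoted
# above; the path field "d" is an assumption, not something the analysis shows.
SAMPLE_JAVA = """
public class MainAct {
    public String a = "http://";
    public String b = ".";
    public String c = "192-168-0-108";
    public String d = "/Ahnlab/SystemInfo=";
}
"""

# Matches 'String name = "literal";' as emitted by jd-gui style decompilers.
FIELD_RE = re.compile(r'String\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# A dotted-quad IPv4 address written with dashes instead of dots.
DASHED_IPV4 = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def extract_string_fields(java_src: str) -> Dict[str, str]:
    """Collect String field literals (name -> value) from decompiled source."""
    return dict(FIELD_RE.findall(java_src))


def undash_host(literal: str) -> Optional[str]:
    """Turn "192-168-0-108" back into "192.168.0.108"; None if not a dashed IPv4."""
    m = DASHED_IPV4.match(literal)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        return None
    return ".".join(m.groups())


def reconstruct_urls(java_src: str) -> List[str]:
    """Combine scheme, de-dashed host and path literals into candidate URL prefixes."""
    fields = extract_string_fields(java_src)
    schemes = [v for v in fields.values() if v in ("http://", "https://")]
    hosts = [h for h in (undash_host(v) for v in fields.values()) if h]
    # If no path-like literal exists, still report scheme + host.
    paths = [v for v in fields.values() if v.startswith("/")] or [""]
    return sorted(s + h + p for s in schemes for h in hosts for p in paths)


if __name__ == "__main__":
    for url in reconstruct_urls(SAMPLE_JAVA):
        print(url)
```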
Also, I found the Tetris_Chk method, which constructs a string from the data to be leaked. In this method, I found that these two methods are used:
But if the device ID and/or phone number cannot be acquired (null), this malicious code does not send any actual information except the URL prefix. (Even so, there are still some ways the user could be tracked.)
Android has a permission mechanism. If the application does not hold the required permission, the privileged call throws a SecurityException. So I had to check that the correct permissions are declared. I used axml2xml.pl to extract the text XML manifest from the APK file. Then I found that these two permissions are enabled:
Bingo! The malicious code works as follows: