A long time ago, I posted a video showing how to control Zitmo (the mobile component of ZeuS). It turns out you can do (nearly) exactly the same with Emmental. If you are not familiar with Operation Emmental, please read this excellent white paper first.
So, basically, this operation aims at compromising bank accounts, in particular (but not only) those at Swiss banks, hence the name Emmental. Like ZeuS with Zitmo, or SpyEye with Spitmo, Emmental compromises the victim's PC and then installs a spyware trojan on the victim's Android phone. The scenario is well devised: the Android application poses as a secure SMS application that the bank is asking you to install.
The malware intercepts incoming SMS messages and forwards them, either by SMS to a phone number controlled by the attackers or by HTTP to a remote C&C. But we can 0wn Emmental and redirect those SMS to our own debug devices/URLs. Here is how to do it.
The malware responds to SMS commands; that is how we control it. The body of the SMS must be formatted as: sCode sCommand optional-parameters, where sCode is the secret code every command has to start with (664398 for the sample discussed here, as in the DEL command at the end of this post).
The command SETP sets the phone number intercepted SMS are forwarded to; CLEARP erases the current value. The command SETB sets the URL information is posted to; CLEARB erases the current value. The command CLEAR erases both the phone number and the URL. The command DEL uninstalls the malware :)
So, let's say that, for in-depth reverse engineering of the malware, you want to redirect messages to 12345 and my.website.org. Following the format above, you send the infected phone 664398 SETP 12345, then 664398 SETB my.website.org.
Figure 1. SMS message sent by the malware in response to a change of the attacker's phone number. The "DA" field indicates whether the malware has been set as the default [SMS] application; the "I" field is the phone's IMEI.
Figure 2. SMS message sent by the malware in response to changing the C&C URLs.
The malware's shared preferences are updated accordingly: intercepted SMS and status SMS are now sent to 12345, and HTTP messages go to the new C&C URL.
Finally, don't forget to disinfect your test phone by sending: 664398 DEL :)
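To make the takeover concrete, here is a small model of the bot's command handling and routing, written for this post; it is not the malware's code and not something the white paper provides. Only the command grammar (sCode sCommand optional-parameters), the six commands and the two destinations (a phone number for SMS, a URL for HTTP, both kept in shared preferences, plus the status SMS with its DA and I fields) come from the analysis above. The Prefs field names, the function names, the sample IMEI, the attacker and analyst numbers, the http:// scheme on my.website.org and the exact shape of the status report are assumptions for illustration; 664398 is the secret code used with DEL in this post.

```python
"""Model of the Emmental bot's SMS command handling and message routing.

Added example, not code from the original post or from the malware: the
command grammar (sCode sCommand optional-parameters), the six commands and
the two forwarding destinations (phone number for SMS, URL for HTTP) are
taken from the write-up.  Everything else is an assumption for illustration:
the Prefs field names, the function names, the sample secret code 664398
(the one the post uses with DEL), the sample IMEI and all sample numbers,
URLs and messages are constructed here.
"""
from dataclasses import dataclass
from typing import Optional

COMMANDS = {"SETP", "CLEARP", "SETB", "CLEARB", "CLEAR", "DEL"}


@dataclass
class Prefs:
    """Stand-in for the bot's shared preferences."""
    phone: Optional[str] = None      # where intercepted/status SMS go (SETP/CLEARP)
    url: Optional[str] = None        # where HTTP reports go (SETB/CLEARB)
    default_sms_app: bool = False    # the "DA" field of the status SMS
    imei: str = "356938035643809"    # the "I" field; constructed sample value
    installed: bool = True           # cleared by DEL


def parse_command(body: str, secret: str):
    """Return (command, parameter) if `body` is a well-formed command for
    `secret`, else None.  A message that does not start with the secret code
    is not a command; in this model it is treated as an ordinary incoming SMS
    and forwarded like any other, so a typo in the code leaks to the attacker."""
    parts = body.strip().split(maxsplit=2)
    if len(parts) < 2 or parts[0] != secret:
        return None
    cmd = parts[1].upper()
    if cmd not in COMMANDS:
        return None
    param = parts[2].strip() if len(parts) == 3 else None
    if cmd in ("SETP", "SETB") and not param:
        return None  # SETP/SETB carry a value; CLEAR*, DEL do not
    return cmd, param


def handle_command(prefs: Prefs, cmd: str, param: Optional[str]) -> Prefs:
    """Apply one command to the preferences."""
    if cmd == "SETP":
        prefs.phone = param
    elif cmd == "CLEARP":
        prefs.phone = None
    elif cmd == "SETB":
        prefs.url = param
    elif cmd == "CLEARB":
        prefs.url = None
    elif cmd == "CLEAR":
        prefs.phone = prefs.url = None
    elif cmd == "DEL":
        prefs.installed = False
    return prefs


def status_report(prefs: Prefs) -> dict:
    """The two fields the post shows in the bot's status SMS (DA and I).
    The exact wire format is not reproduced; a dict stands in for it."""
    return {"DA": prefs.default_sms_app, "I": prefs.imei}


def route_incoming_sms(prefs: Prefs, sender: str, body: str, secret: str) -> list:
    """What the bot does with one incoming SMS.  Returns the outbound traffic
    as (channel, destination, payload) tuples: a status SMS after a command,
    or the intercepted message forwarded by SMS and/or HTTP."""
    if not prefs.installed:
        return []
    parsed = parse_command(body, secret)
    if parsed is not None:
        handle_command(prefs, *parsed)
        if prefs.installed and prefs.phone:
            return [("sms", prefs.phone, status_report(prefs))]
        return []
    out = []
    if prefs.phone:
        out.append(("sms", prefs.phone, f"{sender}: {body}"))
    if prefs.url:
        out.append(("http", prefs.url, {"from": sender, "body": body}))
    return out


def takeover_messages(secret: str, my_number: str, my_url: str) -> list:
    """The two SMS bodies an analyst sends to redirect the bot's traffic."""
    return [f"{secret} SETP {my_number}", f"{secret} SETB {my_url}"]


def demo():
    """Infected phone pointing at the attackers, taken over, then cleaned up."""
    secret = "664398"
    prefs = Prefs(phone="+10000000000", url="http://attacker.invalid/gate.php")
    for msg in takeover_messages(secret, "12345", "http://my.website.org"):
        route_incoming_sms(prefs, "+20000000000", msg, secret)
    # A bank's one-time code arriving now reaches the analyst, not the attackers.
    routed = route_incoming_sms(prefs, "BANK", "Your code is 8813", secret)
    route_incoming_sms(prefs, "+20000000000", f"{secret} DEL", secret)
    return prefs, routed


if __name__ == "__main__":
    for item in demo()[1]:
        print(item)
```

Note the caveat built into parse_command: a command sent with the wrong secret code is not a command at all, so in this model it is simply forwarded to whatever number and URL are currently configured, i.e. to the attackers. Double-check the code extracted from the sample before sending anything to an infected phone you do not fully control.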
-- the Crypto Girl