Threat Research

Hidden feature in Android spyware

By Axelle Apvrille | November 12, 2010

A few days ago, an application named 'SMS Replicator Secret' was pulled from the Android Market. Like many other spyware applications of its kind, it silently forwarded incoming SMS messages to a configurable phone number, the official idea being to spy on your girlfriend.

I don't like these types of 'applications' (women's solidarity? next time advertise it as spying on your boyfriend ;), even if they are meant as jokes, because one day they will end up in the wrong hands and do much more damage than expected. The recent Zitmo malware is a perfect illustration of this: initially written as a parental control application, it ended up in the hands of the Zeus gang to spy on your online banking mTANs.

In the case of SMS Replicator Secret, the phone numbers it forwards SMS messages to are configurable in a hidden window. This window pops up as soon as one sends the infected phone an SMS message with a special password as text. The default password is '000.' The password is configurable in that window, too. See our detailed description here.

Figure: Hidden settings window on an infected Android mobile phone

What most people do not know is that there is a backdoor. The hidden window also pops up if you send an SMS with the text 'red4life'. That password is hard-coded, not configurable. The case-insensitive comparison of the SMS text against the literal is visible in the disassembled code:

if-nez  v7,l130e
move-object/from16  v0,v25
iget-object v0,v0,com/dlp/SMSReplicatorSecret/SMSReceiver.msg
move-object v7,v0
const-string    v8,"red4life"
; equalsIgnoreCase(Ljava/lang/String;)Z
invoke-virtual  {v7,v8},java/lang/String/equalsIgnoreCase
move-result v7
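As an added example (not code from the original post or from Fortinet), here is a small Python scan over dedexer-style disassembly that flags java/lang/String comparisons whose argument register was last loaded by a const-string, which is exactly the pattern that exposes the hard-coded trigger above. The DISASSEMBLY sample is the snippet from the post embedded as constructed input, and the register tracking is a deliberately simple single-pass heuristic.

```python
import re

# Constructed sample input: the dedexer output shown in the post.
DISASSEMBLY = """\
if-nez  v7,l130e
move-object/from16  v0,v25
iget-object v0,v0,com/dlp/SMSReplicatorSecret/SMSReceiver.msg
move-object v7,v0
const-string    v8,"red4life"
; equalsIgnoreCase(Ljava/lang/String;)Z
invoke-virtual  {v7,v8},java/lang/String/equalsIgnoreCase
move-result v7
"""

CONST_STRING = re.compile(r'^const-string\s+(v\d+),"(.*)"$')
STRING_CMP = re.compile(
    r'^invoke-virtual\s+\{(v\d+),(v\d+)\},java/lang/String/'
    r'(equalsIgnoreCase|equals|contentEquals)$')


def find_hardcoded_comparisons(disassembly):
    """Return (method, literal, case_insensitive) for each String comparison
    where one operand register still holds a string literal."""
    literals = {}   # register -> last string literal loaded into it
    findings = []
    for raw in disassembly.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        m = CONST_STRING.match(line)
        if m:
            literals[m.group(1)] = m.group(2)
            continue
        m = STRING_CMP.match(line)
        if m:
            this_reg, arg_reg, method = m.groups()
            for reg in (this_reg, arg_reg):
                if reg in literals:
                    findings.append((method, literals[reg],
                                     method == "equalsIgnoreCase"))
            continue
        # Heuristic: any other instruction whose first operand is a register
        # overwrites it, except branches (if-*), which only read it.
        parts = line.split()
        dest = parts[1].split(",")[0] if len(parts) > 1 else None
        if dest in literals and not line.startswith("if-"):
            del literals[dest]
    return findings


if __name__ == "__main__":
    for method, literal, ci in find_hardcoded_comparisons(DISASSEMBLY):
        print(f"String.{method} against literal {literal!r} (case-insensitive: {ci})")
```

Run on the snippet it reports the single comparison against 'red4life'; on a full dump it gives an analyst a quick list of literals worth checking against the receiver's password logic.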

With an Android emulator, this command typed at the emulator console pops up the hidden window:

sms send 01234 red4life

My guess is that the author's girlfriend is red-haired ;)

Seriously, it is very lucky that SMS Replicator Secret is not remotely configurable; otherwise attackers could have randomly scanned the networks for infected phones and spied on their incoming messages...

-- the Crypto Girl
