How to send an SMS - the geeky way

By Axelle Apvrille | June 07, 2010

Want to impress friends with eccentric ways to send SMS messages? This article is for you. As a matter of fact - and closer to the official goal - this article can also help analysts spot unexpected SMS sending in malware.

SMS for Java-kiddies

Sending SMS from a Java ME midlet is simple enough for any kid :) Import the MessageConnection and TextMessage classes, plus Connector, which opens the connection:

import javax.microedition.io.Connector;
import javax.wireless.messaging.MessageConnection;
import javax.wireless.messaging.TextMessage;

Instantiate a MessageConnection object and a TextMessage object of type TEXT_MESSAGE. The SMS number is specified as a string formatted as "sms://xxxx":

MessageConnection messageconnection = (MessageConnection) Connector.open("sms://1234");
TextMessage textmessage = (TextMessage) messageconnection.newMessage(MessageConnection.TEXT_MESSAGE);

Then, set the payload of the SMS:

textmessage.setPayloadText("SMS text"); // placeholder text

Finally, send the message:

messageconnection.send(textmessage);
For the Java source to compile, one should probably not forget to surround the code with the typical try/catch instructions to catch potential exceptions. This simple but efficient code is used by many pieces of Java malware, such as Java/Swapi.N. If the midlet is unsigned, the mobile phone displays a warning telling the end-user that an SMS is about to be sent.

Sending SMS with Python

... is not much more difficult, but of course requires that you have a Python interpreter on your mobile phone. Basically, the idea is similar to the Java code. First import the appropriate package:

import messaging

Then call the sms_send function with the phone number as the first argument and the text as the second argument:

messaging.sms_send('3649',u'FILES 545')

Surround the line with a try/except statement to catch unexpected errors. This is used by SymbOS/Flocker.AB!tr.python.

Send SMS with m

I already mentioned this language in a previous post. As far as I know, it is still quite unknown, but nevertheless efficient. You'll need to install the m Runtime Environment on your mobile phone to get the few lines below to work (but that's not difficult).

Then, the code is quite straightforward once more, with an import of the necessary package:

use sms

and sending the SMS, with the phone number as the first argument and the text of the SMS as the second:

sms.send("0123","blabl 0000");

This is used by SymbOS/Enoriv.A!tr.dial.

Sending SMS via the Symbian API

If you haven't impressed your friends yet and insist on doing it the hard way, the Symbian API also enables programs to send SMS. Basically, one connects to an 'RSendAs' server, creates a message (with the message type set to KUidMsgTypeSMS for SMS), sets a recipient to send the message to, sets the SMS text, and finally sends the message and closes the connection to the RSendAs server. The Cleanup functions (CleanupClosePushL, CleanupStack::Pop, etc.) are special Symbian functions that free objects correctly when an exception occurs or a function leaves with an error.

The assembly code below shows how it is done in SymbOS/Yxes.E!worm.

.text:7C8C87E4                 BL      _ZN7RSendAs7ConnectEv    ; RSendAs::Connect(void)
.text:7C8C87E8                 BL      _ZN4User12LeaveIfErrorEi ; User::LeaveIfError(int) - leave if Connect fails
.text:7C8C87EC                 SUB     R0, R11, #0x24           ; R0 contains a RSendAs object
.text:7C8C87F0                 BL      Yxes_cleanuppush         ; calls CleanupClosePushL on RSendAs object
.text:7C8C87F4                 SUB     R0, R11, #0x34
.text:7C8C87F8                 BL      sub_7C8C8E4C             ; not relevant for understanding
.text:7C8C87FC                 SUB     R0, R11, #0x34
.text:7C8C8800                 SUB     R2, R11, #0x24
.text:7C8C8804                 LDR     R3, =dword_7C8D33EC      ; address contains 0x1000102c = KUidMsgTypeSMS
.text:7C8C8808                 LDR     R3, [R3]
.text:7C8C880C                 MOV     R1, R2                   ; R1 contains a RSendAs object
.text:7C8C8810                 MOV     R2, R3                   ; message type
.text:7C8C8814                 BL      _ZN14RSendAsMessage7CreateLER7RSendAs4TUid ; RSendAsMessage::CreateL(RSendAs &,TUid)
.text:7C8C8818                 SUB     R0, R11, #0x34
.text:7C8C881C                 BL      Yxes_cleanuppush_1       ; calls CleanupClosePushL on RSendAsMessage object
.text:7C8C8820                 SUB     R0, R11, #0x34           ; R0 contains a RSendAsMessage object
.text:7C8C8824                 LDR     R1, [R11,#phonenumber]   ; phone number of recipient
.text:7C8C8828                 MOV     R2, #0                   ; ESendAsRecipientTo
.text:7C8C882C                 BL      _ZN14RSendAsMessage13AddRecipientLERK7TDesC16NS_20TSendAsRecipientTypeE ; RSendAsMessage::AddRecipientL(TDesC16 const&,RSendAsMessage::TSendAsRecipientType)
.text:7C8C8830                 SUB     R0, R11, #0x34           ; R0 contains a RSendAsMessage object
.text:7C8C8834                 LDR     R1, [R11,#smstext]       ; text of the SMS to send
.text:7C8C8838                 BL      _ZN14RSendAsMessage12SetBodyTextLERK7TDesC16 ; RSendAsMessage::SetBodyTextL(TDesC16 const&)
.text:7C8C883C                 SUB     R0, R11, #0x34
.text:7C8C8840                 BL      _ZN14RSendAsMessage20SendMessageAndCloseLEv ; RSendAsMessage::SendMessageAndCloseL(void)
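
For analysts, the four techniques above leave byte-level traces that can be searched for. The following Python triage script is an added example, not code from the original article: the indicator names, the scan_sample helper and the sample blobs are constructed for illustration, and the Symbian check relies only on the KUidMsgTypeSMS value shown in the listing, so it is a weak heuristic.

```python
import io
import re
import zipfile

# Byte-level indicators for the four techniques described in the article.
INDICATORS = {
    # Class files store names with '/', Java source with '.'.
    "java-wma-class": re.compile(
        rb"javax[./]wireless[./]messaging[./](MessageConnection|TextMessage)"),
    "java-sms-url": re.compile(rb"sms://\+?\d*"),
    "python-sms_send": re.compile(rb"\bsms_send\b"),
    "m-sms.send": re.compile(rb"\buse\s+sms\b[\s\S]*?\bsms\s*\.\s*send\s*\("),
    # KUidMsgTypeSMS (0x1000102c) as a little-endian literal: weak, can collide.
    "symbian-KUidMsgTypeSMS": re.compile(re.escape(b"\x2c\x10\x00\x10")),
}

def scan_bytes(data):
    """Return the sorted names of the indicators present in one blob."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(data))

def scan_sample(data):
    """Scan a sample; zip containers such as JARs are scanned per member."""
    blobs = {"<raw>": data}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            blobs = {name: zf.read(name) for name in zf.namelist()}
    return {name: hits for name, blob in blobs.items()
            if (hits := scan_bytes(blob))}

def make_jar():
    """Constructed sample: a JAR whose class file names the messaging API."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"MIDlet-Name: demo\n")
        zf.writestr("Sender.class", b"\xca\xfe\xba\xbe"
                    b"javax/wireless/messaging/MessageConnection\x00sms://1234")
    return buf.getvalue()

# Constructed samples, built from the snippets quoted in the article.
SAMPLES = {
    "jar": make_jar(),
    "python": b"import messaging\nmessaging.sms_send('3649',u'FILES 545')\n",
    "m": b'use sms\nsms.send("0123","blabl 0000");\n',
    "native": b"\x00" * 8 + b"\x2c\x10\x00\x10" + b"\x00" * 8,
    "benign": b"print('hello world')\n",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, scan_sample(sample))
```

JAR members are compressed, so the strings only become visible after unpacking, which is why the script scans each member rather than the archive bytes.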

That's it, folks!

-- The Crypto Girl
