- Home
- Techniques
- Mobile
- SMS Control
SMS Control
Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.
This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.[1][2]
Procedure Examples
| Name | Description |
|---|---|
| Anubis | |
| Cerberus | |
| Corona Updates |
Corona Updates can send SMS messages.[5] |
| Dendroid | |
| Desert Scorpion |
Desert Scorpion can send SMS messages.[7] |
| FakeSpy | |
| Ginp | |
| Mandrake |
Mandrake can block, forward, hide, and send SMS messages.[10] |
| Rotexy |
Rotexy can automatically reply to SMS messages, and optionally delete them.[11] |
| Stealth Mango |
Stealth Mango deletes incoming SMS messages from specified numbers, including those that contain particular strings.[12] |
| TrickMo | |
| WolfRAT |
Mitigations
| Mitigation | Description |
|---|---|
| Application Vetting |
Application vetting services could provide further scrutiny to applications that request SMS-based permissions. |
| User Guidance |
Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.[1] |
Detection
Users can view the default SMS handler in system settings.
References
- S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.
- Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.
- M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
- Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
- T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
- Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.
- A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
- O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
- ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
- R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
- T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
- Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.
- P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
- W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.