NEWS FROM THE LAB - Thursday, December 29, 2011

New Year's Wishes - with Side Order of Data Harvesting Posted by ThreatSolutions @ 10:12 GMT

It's almost the end of 2011. With Christmas recently passed and the New Year coming up, there are naturally a lot of well-wishes and holiday greetings being messaged around. Looks like somebody's decided to join in (a little late) — and also do a bit of data harvesting at the same time.

Spyware:Android/AdBoo.A appears to be one of those programs that lets you send witty/sweet/funny messages to your contacts. On execution, it displays a list of text messages that fall into different categories: new year wishes, friendship, love and jokes:

AdBoo text

When the user selects one of these messages, the app displays a dialog box asking for the next action: Contact, Edit or Cancel:

AdBoo message

If Contact is chosen, the app tries to read the stored contact data. Presumably, it needs to know to whom to send the message:

AdBoo choices

During our initial analysis, because the test phone didn't have any stored contacts, the app didn't retrieve anything at this point.

However, when AdBoo was retested with (bogus) contacts present, no text message was sent then either — AdBoo only produces a dialog box with the message "Sending fail":

AdBoo sending fail

We noticed that the app did do something else though. On selecting the Contact option, it silently obtained the following information from the device:

1) Phone Model
2) Android Version
3) Phone number
4) International Mobile Equipment Identity (IMEI) number

The harvested details are then forwarded to a remote server.
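As an added triage example (not from the original post or F-Secure's own tooling): on Android, reading the phone number and IMEI is gated by READ_PHONE_STATE, reading contacts by READ_CONTACTS, and reaching a remote server by INTERNET, so a decoded AndroidManifest.xml already shows whether a "greeting message" app can do what AdBoo does. The manifest and package name below are constructed for illustration, not taken from the sample.

```python
"""Triage helper: given a decoded AndroidManifest.xml (e.g. apktool output),
flag the permission combination an app needs to read contacts, read the
phone number and IMEI, and send the result off-device."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data items the post says AdBoo harvested, mapped to the permission that
# gates the API used to read them (phone model and OS version need none).
HARVEST_PERMS = {
    "phone number": "android.permission.READ_PHONE_STATE",
    "IMEI": "android.permission.READ_PHONE_STATE",
    "contacts": "android.permission.READ_CONTACTS",
    "exfiltration": "android.permission.INTERNET",
}

# Constructed manifest (not the real sample's) for a greeting-message app
# that also declares the identifier-harvesting permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.greetings.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Greetings"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def harvest_capabilities(manifest_xml):
    """Report which harvested items the app can collect and whether it has
    a network path to forward them."""
    perms = declared_permissions(manifest_xml)
    reachable = {item for item, perm in HARVEST_PERMS.items() if perm in perms}
    return {
        "permissions": sorted(perms),
        "can_collect": sorted(reachable - {"exfiltration"}),
        "can_exfiltrate": "exfiltration" in reachable,
        # The AdBoo pattern: device identifiers readable plus a way out.
        "adboo_like": {"phone number", "IMEI", "exfiltration"} <= reachable,
    }

if __name__ == "__main__":
    for key, value in harvest_capabilities(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A legitimate greeting-message app has no reason to declare READ_PHONE_STATE, so that flag alone is worth a closer look even before the network traffic is examined.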

Incidentally, looking at the certificate for this variant of AdBoo, it appears to be from the same developer as Zsone.A:

AdBoo SHA1

Zsone SHA1

Threat Solutions post by — Irene