Rob Rachwald

Subscribe to Rob Rachwald: eMailAlertsEmail Alerts
Get Rob Rachwald: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories by Rob Rachwald

In the Part 2 we demonstrated how to decompile the Trojan's .dex file - the compiled Android application code file. In Part 3, we show how the Trojan intercepts the messages and sends them to the drop point. In particular, we take a deep dive into these three decompiled classes: The Activation Class: Responsible for the UI window The ServerSession Class: Responsible for sending the intercepted text messages to the drop box. The Main Class: Runs the application where the Trojan intercepts the incoming text messages. Classes Overview Activation Class The Activity class takes care of creating a window in which you can place the UI. The class contains several interesting methods: 1. onCreate(paramBundle) - the activity gets initialized. 2. setContentView() - defines the UI with a layout resource. 3. findViewById() - Retrieves a widget in the UI. As the following screen... (more)

Mobile Malware: Decompiling the Application

This four-part series presents an under the hood analysis of Android malware. This malicious mobile application is distributed via the Android's application shop market. What does it do? The application captures incoming SMS messages before any other system application. It then posts their contents to a drop server. Due to this interception behavior, security researchers have been calling it ZitMo - Zeus in the Mobile. But is this in fact the mobile equivalent of the notorious banking Trojan, ZeuS? As the analysis will show, we cannot guarantee the validity of the ZitMo claim du... (more)

Ring Ring: Mobile Malware Calling

In the past, we've discussed the rise of mobile malware. More recently, Imperva's ADC has analyzed mobile malware and our findings support the observation that we'll see more Android malware than those targeted at Apple for two reasons: Technically, it is easier to write malware for Android. Currently, better channels exist to distribute for Android malware. Google has bought Motorola (for the best market perspective on the acquisition, read Fabrizio's take). Consolidation aside, mobile malware is on the rise. For instance, Juniper's malicious Mobile Threat Threats Report found ... (more)

Mobile Malware: Emulating a Dynamic Infection

Check out Part 1 and Part 2. In Part 3, we showed the code that intercepts the SMS messages and sends them to the drop point. As we have previously mentioned, the malware is distributed through the Android's application market. It remains to address the following question: What does an infection look like from the point of view of the victim? Dynamic Infection Rather than installing the Trojan on an Android, we had decided to install it on an Android SDK on an Ubuntu machine. Following are some screenshots that emulate what the victim sees on their handset. 1: An Android virtual ... (more)