With the release of ESET's Mobile Antivirus, a security solution for smart phones, I started asking myself about mobile threats. While there is not as much malicious software attacking mobile platforms as exists in the desktop world, I was able to find some interesting samples to analyze. The following is an analysis of the WinCE/Brador.A malware.

The first job most malicious programs do upon execution is to ensure they will be started every time an infected system boots. To do so, Brador.A copies itself to the \Windows\Startup folder under the name svchost.exe. Under Windows Mobile, there is no need to modify the registry to start an application automatically.

The main function of Brador.A is to open a backdoor on the mobile device. The attacker is notified by email when a new device is infected. The backdoor can perform the following tasks:

  • Find a file on the local drive
  • Read a file from disk and send it to the attacker
  • Execute an executable from disk
  • Display a message box saying “Hi” using the MessageBoxW API
  • Close backdoor connection

The orders from the controller are sent over a TCP connection. The first character of the network packet is the order sent by the attacker; for example, 'f' denotes find. Even though the code has been compiled for ARM processors, understanding it is relatively easy for anyone with experience in the x86 world:

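BL      recv                    ; Calls the recv function
LDRB    R0, reception_buffer    ; R0 = first byte received (the order character)
LDR     R1, =dgrpmf_string      ; R1 = pointer to the string of order characters

cmp_string:
LDRB    R2, [R1],#1             ; R2 = next character of the string, then R1 = R1 + 1
CMP     R0, R2                  ; Does the received order match this character?
BNE     cmp_string              ; No match: try the next character
LDR     R0, =(dgrpmf_string+1)
SUB     R1, R1, R0              ; R1 = index of the matching character in the string
LDR     R3, =call_table         ; Call table contains references to the six functions of the backdoor
LDR     PC, [R3,R1,LSL#2]       ; Jump to call_table[R1] (entries are 4 bytes each)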
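
The same lookup expressed in C, as an added example for triaging captured traffic (it is not code from the sample or from ESET). It assumes that dgrpmf_string holds the six characters "dgrpmf" in that order, which is inferred from the label only; the function names are hypothetical and the payloads are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the string behind the label dgrpmf_string is "dgrpmf".
 * A character's position in it is the call_table slot that gets used. */
static const char ORDER_ALPHABET[] = "dgrpmf";

/* Return the call_table slot (0..5) selected by the first byte of a
 * payload, or -1 if the payload is empty or the byte is not an order.
 * The listing's loop has no end-of-string test; this model adds one. */
int order_index(const unsigned char *payload, size_t len)
{
    if (payload == NULL || len == 0)
        return -1;
    for (size_t i = 0; i < sizeof ORDER_ALPHABET - 1; i++) {
        if ((unsigned char)ORDER_ALPHABET[i] == payload[0])
            return (int)i;      /* same value as R1 - (dgrpmf_string+1) */
    }
    return -1;
}

/* Byte offset into call_table, mirroring "LDR PC, [R3,R1,LSL#2]". */
long table_offset(int index)
{
    return index < 0 ? -1L : (long)index * 4;
}

/* Count the payloads in a capture whose first byte is a valid order. */
size_t count_orders(const char *const *payloads, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (order_index((const unsigned char *)payloads[i],
                        strlen(payloads[i])) >= 0)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    const char *const sample[] = { "fXXXX", "GET / HTTP/1.1", "", "m" };
    for (size_t i = 0; i < 4; i++)
        printf("%-16s -> slot %d\n", sample[i], order_index(
               (const unsigned char *)sample[i], strlen(sample[i])));
    printf("orders seen: %zu\n", count_orders(sample, 4));
    return 0;
}
```

A single matching first byte is a weak signal on its own, since ordinary lowercase text also begins with these letters; it is useful for sorting payloads on a connection already attributed to the backdoor.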

The samples I have analyzed are all very similar. They seem to have been released in 2004 and don't use any packing mechanism to hide their behavior or hamper reverse engineering. Furthermore, the code we analyzed does not contain any infection routine. Thus, the only way a mobile device can be infected by this threat is if a user runs the program. To ensure the security of your mobile device, we recommend that you use the same security measures as for a desktop: don't run unknown programs.

Pierre-Marc Bureau
Malware Researcher