With the release of ESET’s Mobile Antivirus, a security solution for smart phones, I started asking myself about mobile threats. While there is not as much malicious software attacking mobile platforms as exists in the desktop world, I was able to find some interesting samples to analyze. The following is an analysis of the WinCE/Brador.A malware.
The first job most malicious programs do upon execution is to insure they will be started every time an infected system boots. To do so, Brador.A copies itself to the \Windows\Startup folder under the name svchost.exe. Under Windows mobile, there is no need to modify the registry to start an application automatically.
The main functionality of the threat Brador.A is to open a backdoor on the mobile device. The attacker is notified by an email when a new device is infected. The backdoor can perform the following tasks:
The orders from the controller are sent over a TCP connection. The first character of the network packet is the order sent from the attacker, for example, ‘f’ denotes find. Even if the code has been compiled for ARM processors, understanding it is relatively easy for anyone with experience in the x86 world:
BL recv ; Calls the recv function
LDRB R0, reception_buffer
LDR R1, =dgrpmf_string
LDRB R2, [R1],#1
CMP R0, R2
LDR R0, =(dgrpmf_string+1)
SUB R1, R1, R0
LDR R3, =call_table ; Call table contains references to the six functions of the backdoor
LDR PC, [R3,R1,LSL#2]; Call the corresponding function from call_table
The samples I have analyzed are all very similar. They seem to have been released in 2004 and don’t use any packing mechanism to hide their behavior or hamper reverse engineering. Furthermore, the code we analyzed does not contain any infection routine. Thus, the only way a mobile device can be infected by this threat is if a user runs the program. To ensure the security of your mobile device, we recommend that you use the same security measures as for a desktop: don’t run unknown programs.
Author Pierre-Marc Bureau, ESET