
BeanBot analysis report

Mingyuan Xia edited this page Mar 13, 2015 · 2 revisions

By Lu Gong(iceboy@iceboy.org) and Mingyuan Xia (mingyuan.xia@mail.mcgill.ca)

BeanBot is a typical piece of malware that is controlled by a remote C&C server and has the capability to leak personal data, perform self-upgrades, download other malware payloads and do essentially anything the remote server instructs. BeanBot was first discovered by NQ Security together with Prof. Xuxian Jiang from NCSU. They provided an analysis report highlighting some basic functionalities of this malware. Later on, eight samples from this family were included in the Android Malware Genome Project.

While our team was using AppAudit to analyze the BeanBot family, we noticed an interesting behaviour that would be useful to other malware detectors. We leveraged dex2jar and d4j to analyze this sample and manually transformed the logic of the key function OperatorService.a():

[Figure: transformed logic of OperatorService.a()]

This snippet shows that BeanBot will try to obtain the "SMS center number". If this value is not already stored in the SharedPreferences, it starts the SMS service to probe for it. The SMS server should return its SMS center number once it receives the malware's request. Here BeanBot uses an infinite loop to scan for the number every two seconds. BeanBot uses an SMS listener to hijack this message and obtain the number, as shown below.

[Figure: the SMS listener that intercepts the reply and stores the SMS center number]
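The polling-plus-interception pattern above is the kind of behaviour a dynamic malware detector can key on. The following is an added example written for this page, not code from AppAudit or from the BeanBot sample: it runs a simple behavioural heuristic over a constructed, simplified API-call trace (the trace format, the component names and the preference key `smsc` are assumptions), flagging a preference key that is polled at a fixed period and is written by a receiver that swallowed an incoming SMS broadcast.

```python
import re

# Constructed sample trace (not real AppAudit output): "<ms> <component> <api call>".
SAMPLE_TRACE = """\
0    OperatorService SharedPreferences.getString(smsc)
1    OperatorService Context.startService(SmsService)
2    OperatorService Thread.sleep(2000)
2002 OperatorService SharedPreferences.getString(smsc)
2003 OperatorService Thread.sleep(2000)
4004 OperatorService SharedPreferences.getString(smsc)
4010 SmsReceiver BroadcastReceiver.onReceive(android.provider.Telephony.SMS_RECEIVED)
4011 SmsReceiver BroadcastReceiver.abortBroadcast()
4012 SmsReceiver SharedPreferences.Editor.putString(smsc)
4013 OperatorService SharedPreferences.getString(smsc)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")
GET_RE = re.compile(r"SharedPreferences\.getString\((\w+)\)")
PUT_RE = re.compile(r"SharedPreferences\.Editor\.putString\((\w+)\)")
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def parse_trace(text):
    """Parse trace lines into (timestamp_ms, component, api) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def find_sms_probe(events, min_polls=3, period_ms=2000, tolerance_ms=200):
    """Flag preference keys polled at a fixed period (BeanBot: every 2 s) that
    are written by a receiver which aborted an SMS_RECEIVED broadcast."""
    reads = {}             # key -> timestamps of getString() calls
    sms_receivers = set()  # components that handled SMS_RECEIVED
    swallowed = set()      # SMS receivers that then called abortBroadcast()
    hijack_fed = set()     # keys written by such a receiver
    for t, comp, api in events:
        if (m := GET_RE.match(api)):
            reads.setdefault(m.group(1), []).append(t)
        elif api == f"BroadcastReceiver.onReceive({SMS_RECEIVED})":
            sms_receivers.add(comp)
        elif api == "BroadcastReceiver.abortBroadcast()" and comp in sms_receivers:
            swallowed.add(comp)
        elif (m := PUT_RE.match(api)) and comp in swallowed:
            hijack_fed.add(m.group(1))
    findings = []
    for key, times in reads.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = sum(1 for g in gaps if abs(g - period_ms) <= tolerance_ms)
        if periodic + 1 >= min_polls:  # at least min_polls reads at the period
            findings.append({"key": key, "polls": len(times),
                             "fed_by_hijacked_sms": key in hijack_fed})
    return findings
```

On the sample trace the heuristic reports the key `smsc` polled four times and fed by a hijacked SMS, while the first three events alone (a single read) produce no finding.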
