As the title states, the Android Titan SMS Trojan utilizes Trojan functionality in order to steal SMS and exfiltrate them off of the target user’s device. It attempts to mask itself as a “SmartCard Service” installed on the device, but is hardly such. The bulk of Titan’s code is native, with the corresponding method declarations living within the Android components:
If we use apktool to disassemble the APK, we will find the shared object we really want to inspect -> libTitaniumCore.so. Titan is quite verbose in nature, so we want to focus on how the Trojan steals and exfiltrates SMS data from the phone.
Here is what we find when enumerating Titan’s Broadcast Receivers:
In : a.get_receivers()
Right away there are some interesting things to note about com.Titanium.Accipite.pipeline. The android.permission.BROADCAST_SMS permission allows Titan to broadcast the receipt of an SMS. It also has an Intent Filter meant to receive any Intent communication with the action android.provider.Telephony.SMS_DELIVER, which will give Titan the ability to capture any new inbound SMS data. The android:priority is also a way to make sure this Broadcast Receiver is first in line among the Broadcast Receivers for receiving communication. Investigating com.Titanium.Accipite.pipeline we can see the native method declarations:
It appears that nativepipeline() is being called with the Intent object passed to the onReceive() method. If we load the shared object into a disassembler and search for JNI, we can find the method definitions:
The Intent Object is passed to a subroutine, which we will call 'operate_on_intent', and then passed to another subroutine. Here getAction() is called on the Intent Object, in order to retrieve the Intent Action, to make some determinations about the communication.
Now Titan goes through a series of checks against the returned action, and decides what branch to take if the action matches. We are going to analyze the jump taken if the action is android.provider.Telephony.SMS_RECEIVED. After performing some basic validation of the data, and calling getExtras() on the Intent object, Titan branches to a subroutine we will call 'get_pdu'. In 'get_pdu' Titan calls get() in order to retrieve the raw bundle data, and this is what it will subsequently use to create a PDU in a new subroutine.
Now that Titan has the hot ‘n fresh PDU, it will go through the process of adding this data to a new Intent Object, and start the service com.Titanium.Synchronous.adipiscing with said data.
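The receiver declaration and intent filter described above are exactly what a triage script should flag in an unpacked APK. The following is an added example (not Titan’s code and not part of the original post) that parses a decoded AndroidManifest.xml, as produced by apktool, and lists every receiver listening for inbound SMS together with its declared android:priority; the manifest embedded below is constructed for the demo and only mirrors the indicators discussed, with a benign receiver added for contrast.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Actions a receiver uses to see inbound SMS before or alongside the default app.
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.SMS_RECEIVED",
}

# Constructed sample manifest (not the real Titan manifest); the receiver name,
# permission and priority mirror the indicators discussed in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.Titanium">
  <application>
    <receiver android:name="com.Titanium.Accipite.pipeline"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.Benign">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_sms_receivers(manifest_xml):
    """Return (receiver name, matched actions, priority) for every receiver whose
    intent-filter listens for inbound SMS, highest priority first. A priority
    that is not a plain integer (e.g. a resource reference) is reported as 0."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")} & SMS_ACTIONS
            if not actions:
                continue
            raw_prio = attr(flt, "priority") or "0"
            prio = int(raw_prio) if raw_prio.lstrip("-").isdigit() else 0
            hits.append((attr(receiver, "name"), sorted(actions), prio))
    return sorted(hits, key=lambda h: -h[2])
```

A receiver that pairs an SMS action with a high priority is not proof of malice on its own, but it is the first thing worth pulling into the native-code analysis that follows.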
In Part Two, we will look into how com.Titanium.Synchronous.adipiscing takes our PDU and exfiltrates it off the target device.