Chapter 5: Mobile Malware
• android.permission.SEND_SMS
• android.permission.RECEIVE_SMS
• android.permission.INTERNET
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.INSTALL_PACKAGES
• android.permission.DELETE_PACKAGES
• android.permission.READ_CONTACTS
• android.permission.RECEIVE_BOOT_COMPLETED

The INSTALL_PACKAGES and DELETE_PACKAGES permissions are both “signatureOrSystem” permissions, which means that only applications installed on the system partition or applications signed with the firmware’s signing key can successfully request these permissions. Therefore, the FakeToken malware will thankfully not be granted these dangerous permissions that allow for silently installing and uninstalling software. The malware authors were likely confused about Android’s permission model. Some malware have successfully obtained this permission, such as the jSMSHider malware, which exploited the fact that some custom ROMs are signed with a publicly known private key: by reusing that known private key to sign jSMSHider, it gained elevated privileges.
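The permission model described above can be turned into a quick triage check. The following script is an added example (not code from the book or from any of the malware discussed): given a decoded AndroidManifest.xml, it lists the requested permissions, separates out the signatureOrSystem ones that a third-party app will not actually be granted, and flags the SMS-plus-boot-persistence combination as worth a closer look. The sample manifest is constructed to mirror the FakeToken permission list, and the protection-level table is a small assumed subset (only the two signatureOrSystem entries come from the text).

```python
"""Triage the permissions an Android app requests from its decoded manifest.

Added example, not from the book. Assumes the manifest has already been
decoded to plain XML (for instance with apktool); binary AXML is not parsed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed subset of protection levels for this example. The two
# signatureOrSystem entries are what the text describes; the other levels
# are assumptions, not taken from the page.
PROTECTION_LEVEL = {
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.RECEIVE_SMS": "dangerous",
    "android.permission.INTERNET": "normal",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
    "android.permission.INSTALL_PACKAGES": "signatureOrSystem",
    "android.permission.DELETE_PACKAGES": "signatureOrSystem",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",
}

# Constructed manifest modelled on the FakeToken permission list above;
# the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tokengenerator">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="TokenGenerator"/>
</manifest>
"""

# Send + receive SMS together with boot persistence is the shape of an
# SMS-interception component; it is a triage signal, not proof of malice.
SMS_PATTERN = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def triage(manifest_xml, on_system_partition=False, signed_with_platform_key=False):
    """Classify requested permissions by whether the platform would grant them.

    signatureOrSystem permissions are granted only to apps on the system
    partition or apps signed with the firmware's signing key, which is the
    rule the text describes; everything else in the table is treated as
    grantable for a third-party app.
    """
    privileged = on_system_partition or signed_with_platform_key
    result = {"granted": [], "denied_signature_or_system": [], "unknown": []}
    for perm in requested_permissions(manifest_xml):
        level = PROTECTION_LEVEL.get(perm)
        if level is None:
            result["unknown"].append(perm)
        elif level == "signatureOrSystem" and not privileged:
            result["denied_signature_or_system"].append(perm)
        else:
            result["granted"].append(perm)
    result["sms_interception_pattern"] = SMS_PATTERN.issubset(result["granted"])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
    print("with platform key:", triage(SAMPLE_MANIFEST, signed_with_platform_key=True)["denied_signature_or_system"])
```

Run against the constructed manifest, the two package-management permissions land in `denied_signature_or_system` for an ordinary sideloaded app, and move to `granted` only when the app is modelled as signed with the platform key, which is exactly the jSMSHider case where a ROM's publicly known signing key made that possible.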
Figure 5-9 FakeToken appears as the TokenGenerator application using Santander’s logo.
135