ANDROIDOS_CAWITT.MRG

This malware poses as an application plugin for social networking sites found on third party app store. It uses the name, Be social! plugin to trick users into installing it. Once installed, it does not launch an icon like apps do. Users can't notice that the malware has been installed on the device.

This malware is also triggered by system events.

Once installed, this malware registers two receivers to automatically start after device boot and to connect to remote C&C server.

The C&C server is published by the remote malicious user via Twitter.

NOTES:

This malware poses as an application plugin for social networking sites found on third party app store. It uses the name, Be social! plugin to trick users into installing it. Once installed, it does not launch an icon like apps do. Users can't notice that the malware has been installed on the device.

This malware is also triggered by system events.

Once installed, this malware also registers two receivers, android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT to automatically start after device boot and to connect to remote C&C server.

The C&C server is published by the remote malicious user via Twitter. The malicious user registers an account on Twitter and publishes the C&C server domains via it. The malware then connects to the Twitter page to get the newest C&C server address. It then connects to the C&C server to get commands from the remote malicious user.

The infected device sends SMS message without the user’s permission. The target phone number and SMS body is received from the C&C server.