ANDROIDOS_ANSERV.AA

 Analysis by: Peter Yan

 THREAT SUBTYPE:

Information Stealer, Malicious Downloader

 PLATFORM:

Android

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes


  TECHNICAL DETAILS

File Type:

APK

Memory Resident:

No

Initial Samples Received Date:

09 Jul 2012

Payload:

Connects to URLs/IPs

NOTES:
This malware connects to a remote server to download other malicious payloads to the device and installs them without the user's consent.

Once the app is installed, the malicious code can be triggered by any of several system events:

  • Connectivity change
  • Power connected
  • USB mass storage connected/disconnected
  • SMS received
  • Input method changed
  • Boot completed
  • When the user unlocks the phone

When any of the actions above occurs, the service is started in the background.
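As an added defender-side illustration (not part of this description, and not Trend Micro's or the malware's code): a static triage check in Python that parses an AndroidManifest.xml and reports receivers registered for the event triggers listed above, together with the permissions such behaviour needs. The intent action names are the standard Android constants for those events; the two sample manifests, the heuristic threshold (three or more triggers plus SMS and network permissions) and the function name `triage_manifest` are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name are stored under the full namespace URI.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android broadcast actions for the trigger list in the description.
TRIGGER_ACTIONS = {
    "android.net.conn.CONNECTIVITY_CHANGE": "Connectivity change",
    "android.intent.action.ACTION_POWER_CONNECTED": "Power connected",
    "android.intent.action.UMS_CONNECTED": "USB mass storage connected",
    "android.intent.action.UMS_DISCONNECTED": "USB mass storage disconnected",
    "android.provider.Telephony.SMS_RECEIVED": "SMS received",
    "android.intent.action.INPUT_METHOD_CHANGED": "Input method changed",
    "android.intent.action.BOOT_COMPLETED": "Boot completed",
    "android.intent.action.USER_PRESENT": "User unlocks the phone",
}

# Permissions that pair with those triggers in the described behaviour
# (read incoming SMS, reach the C&C server, install packages).
CAPABILITY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.INTERNET",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the event triggers, capability permissions and a heuristic
    verdict for one AndroidManifest.xml (heuristic threshold is an assumption)."""
    root = ET.fromstring(manifest_xml)
    permissions = {
        p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")
    }
    capabilities = sorted(permissions & CAPABILITY_PERMISSIONS)

    triggers = set()
    receivers = 0
    for receiver in root.iter("receiver"):
        receivers += 1
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in TRIGGER_ACTIONS:
                triggers.add(TRIGGER_ACTIONS[name])

    # Heuristic: many wake-up triggers plus SMS access plus network access
    # is the combination described for this family; a single BOOT_COMPLETED
    # receiver is common in benign apps and is not flagged on its own.
    suspicious = (
        len(triggers) >= 3
        and "android.permission.RECEIVE_SMS" in permissions
        and "android.permission.INTERNET" in permissions
    )
    return {
        "receivers": receivers,
        "triggers": sorted(triggers),
        "capabilities": capabilities,
        "suspicious": suspicious,
    }


# Constructed sample: receiver wired to four of the listed events, with
# SMS and network permissions (package name is a placeholder).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".BackgroundService"/>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign-looking sample: one boot receiver, no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("sample", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

The manifest inside a real APK is binary-encoded; run this on the decoded XML produced by a tool such as apktool or aapt. The verdict is a triage hint for prioritising samples, not a signature: a legitimate messaging app can also declare SMS_RECEIVED and INTERNET, so the hit should be confirmed by dynamic analysis of what the started service actually does.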

The service then sends sensitive information to its C&C server http://bolog.{BLOCKED}ditem.cn/s/blog_log.html.

The response from the C&C server contains some URLs, and the client downloads and installs apps from these URLs.

It then deletes received SMS messages from China Mobile whose message body contains:

尊敬的用户,由于未经您的授权,本次请求未成功,如需使用,请致电10086进行开通,中国移动

(English translation: "Dear user, this request was unsuccessful because it was not authorized by you. To use this service, please call 10086 to activate it. China Mobile")

  SOLUTION

Minimum Scan Engine:

9.300

Remove unwanted apps on your Android mobile device
