ANDROIDOS_ADDOWN.OPS

June 21, 2017
 Analysis by: Jordan Pan
 THREAT SUBTYPE:

Information Stealer, Malicious Downloader

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Adware drops and runs other files on the device. It displays pop-up advertisements.

  TECHNICAL DETAILS

File Size:

19780782 bytes

Memory Resident:

Yes

Initial Samples Received Date:

21 Apr 2017

Mobile Malware Routine

This Adware is a file that collects the following information on an affected mobile device:

  • simcard country
  • language
  • os version
  • device name
  • device id
  • installed apps
  • android id
  • email address

It also steals the following information from the affected device:

  • manufacturer
  • source
  • simcard country
  • product
  • publisher_id
  • simcard operator
  • service id
  • language
  • resolution
  • model
  • os version
  • Device name
  • Device id
  • Installed apps
  • Android id
  • Email Address

It accesses the following URL(s) to send and receive commands from a remote malicious user:

  • https://{BLOCKED}stlet.com/services/v5/

It sends the gathered information via HTTP POST to the following URL(s):

  • hxxps://{BLOCKED}stlet[.]com/services/v5/rD

It drops and executes the following file(s):

  • malicious dex

It displays pop-up advertisements.

Upon installation, it asks for the following permissions:

  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.READ_EXTERNAL_STORAGE
  • android.permission.INTERNET
  • android.permission.READ_PHONE_STATE
  • android.permission.WAKE_LOCK
  • android.permission.RECORD_AUDIO
  • android.permission.SYSTEM_ALERT_WINDOW
  • com.google.android.providers.gsf.permission.READ_GSERVICES
  • android.permission.WRITE_SETTINGS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.GET_TASKS
  • android.permission.VIBRATE
  • android.permission.GET_ACCOUNTS
  • android.permission.DISABLE_KEYGUARD
  • com.google.android.c2dm.permission.RECEIVE
  • com.fourvideo.videoshow.videoslide.permission.C2D_MESSAGE

Based on analysis of the codes, it has the following capabilities:

  • hides its aggressive ad behavior by detecting whether the system is running in an emulator
  • hides its behavior by scanning the user’s email address to check whether it contains the special strings
  • encrypts all constant strings
  • It performs net transmission via HTTPS to prevent its traffic from being caught
  • It uses a wide array of reflection invoking methods
  • It will hide its behavior based on the running environment

It is capable of doing the following:

  • download malicious code
  • collect sensitive information
  • popup adds
  • escape from static and dynamic detection

  SOLUTION

Minimum Scan Engine:

9.850

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increase device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites:


Did this description help? Tell us how we did.