ANDROIDOS_FINSPY.D

 Analysis by: Weichao Sun

 THREAT SUBTYPE:

Spying Tool

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This Android malware is designed to steal users' SMS messages, contact list, call log, location information, and other phone information. It sends all gathered information to a remote server via an active Internet connection or via SMS.

This Trojan may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

137,216 bytes

File Type:

APK

Memory Resident:

Yes

Initial Samples Received Date:

18 Sep 2012

Payload:

Steals information

Arrival Details

This Trojan may be manually installed by a user.

NOTES:

This Android malware may be downloaded and installed by a user manually. It may also be automatically installed by another malware.

After installation, it does not display an icon in the launcher. It also registers a receiver for the system broadcast android.intent.action.BOOT_COMPLETED. It does this so that it runs automatically each time the device is started.

This malware starts several services to do the following:

  • Intercept and read received SMS
  • Connect to remote C&C server
  • Monitor SIM card
  • Record phone calls
  • Read contact list

The recorded information is stored in the following files:

  • cLogFile
  • smFile
  • conFile
  • SconFile

The said files can be uploaded or deleted, depending on the command sent from its C&C server, tiger.{BLOCKED}national.de.

This Android malware downloads its configuration file from its C&C server. The configuration file can also be changed via a command SMS message. A command message is distinguished from an ordinary SMS by the first 32 bits of its message body, which are either 0x00840470 or 0x00843570.
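The following is an added triage example, not code from the malware or from Trend Micro: it checks captured SMS bodies for the 32-bit command marker quoted above. The write-up gives the two values but not their byte order, so both big- and little-endian readings are tested; the sender numbers and message bodies are constructed placeholders.

```python
"""Flag SMS bodies that start with the 32-bit command marker
0x00840470 or 0x00843570 described in the write-up.  Added example;
not the malware's own parser.  Sample messages are constructed."""

# Marker values quoted in the write-up.  The write-up does not state the
# byte order, so both big- and little-endian readings are checked.
COMMAND_MARKERS = {0x00840470, 0x00843570}


def command_marker(body: bytes):
    """Return (marker, byte_order) if the body starts with a known
    marker, or None for an ordinary SMS or a body shorter than 4 bytes."""
    if len(body) < 4:
        return None
    for order in ("big", "little"):
        word = int.from_bytes(body[:4], order)
        if word in COMMAND_MARKERS:
            return word, order
    return None


def classify_messages(messages):
    """Label each (sender, body) pair as 'command' or 'normal'."""
    out = []
    for sender, body in messages:
        hit = command_marker(body)
        if hit:
            out.append((sender, "command", "0x%08X/%s-endian" % hit))
        else:
            out.append((sender, "normal", None))
    return out


# Constructed sample traffic: placeholder sender numbers, bodies built
# to exercise the marker check.
SAMPLE_MESSAGES = [
    ("+10000000001", bytes.fromhex("00840470") + b"set-interval=600"),
    ("+10000000002", b"hello, are we still on for lunch?"),
    # little-endian encoding of 0x00843570
    ("+10000000003", bytes.fromhex("70358400") + b"upload=smFile"),
    # too short to carry a marker
    ("+10000000004", b"\x00\x84"),
]

if __name__ == "__main__":
    for row in classify_messages(SAMPLE_MESSAGES):
        print(row)
```

The check has to run on the raw user-data bytes of the SMS PDU: a body that has already been decoded as text will not preserve a leading 0x00 byte, which is exactly what makes these messages look unlike ordinary text SMS.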

It also sends messages via SMS or over a TCP connection to exfiltrate the user's private data. The messages are triggered by the following events, all of which are registered in the file AndroidManifest.xml:

  • Low battery
  • Low device space
  • Flight mode/Airplane mode enabled
  • Change of network
  • Change of location
  • Outgoing/incoming call detected
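As an added example (not Trend Micro's tooling and not the sample's own code), the script below triages a decoded AndroidManifest.xml for the two manifest-level traits described above: the BOOT_COMPLETED receiver used for persistence and the absence of a launcher activity, plus receivers for the trigger events listed. The page names the events but not the intent action strings, so the mapping from event to action string is an assumption based on the standard Android actions; the sample manifest is constructed. The binary manifest inside an APK must be decoded first (for example with apktool) before it can be parsed as XML.

```python
"""Triage a decoded AndroidManifest.xml for persistence and trigger
receivers.  Added example; the sample manifest is constructed and the
action-string mapping is an assumption, not taken from the write-up."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed standard action strings for the events named in the write-up.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "boot persistence",
    "android.provider.Telephony.SMS_RECEIVED": "SMS interception",
    "android.intent.action.BATTERY_LOW": "low battery",
    "android.intent.action.DEVICE_STORAGE_LOW": "low device space",
    "android.intent.action.AIRPLANE_MODE": "airplane mode toggled",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change",
    "android.intent.action.NEW_OUTGOING_CALL": "outgoing call",
    "android.intent.action.PHONE_STATE": "incoming call / call state",
}

# Constructed sample: no launcher activity, a boot receiver, an event
# receiver and a background service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="sample">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BATTERY_LOW"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <service android:name=".CoreService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return launcher presence, watched receivers and declared services."""
    root = ET.fromstring(xml_text)
    result = {"has_launcher_activity": False, "receivers": {}, "services": []}
    app = root.find("application")
    if app is None:
        return result
    # A MAIN/LAUNCHER activity is what puts an icon in the launcher.
    for activity in app.findall("activity"):
        actions = {a.get(NAME_ATTR) for a in activity.iter("action")}
        cats = {c.get(NAME_ATTR) for c in activity.iter("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            result["has_launcher_activity"] = True
    # Collect every receiver that listens for one of the watched actions.
    for receiver in app.findall("receiver"):
        hits = [(a.get(NAME_ATTR), WATCHED_ACTIONS[a.get(NAME_ATTR)])
                for a in receiver.iter("action")
                if a.get(NAME_ATTR) in WATCHED_ACTIONS]
        if hits:
            result["receivers"][receiver.get(NAME_ATTR)] = hits
    result["services"] = [s.get(NAME_ATTR) for s in app.findall("service")]
    return result


if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print("launcher icon:", r["has_launcher_activity"])
    for name, hits in r["receivers"].items():
        print(name, [why for _, why in hits])
    print("services:", r["services"])
```

A hidden app with a BOOT_COMPLETED receiver and no launcher activity is not proof of malice on its own, but combined with receivers for several of the listed events and background services it matches the behaviour described here and is worth pulling apart further.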

The following phone numbers are stored in the configuration file assets/Configurations/84C.dat, which also stores the C&C server information:

  • +{BLOCKED}90978
  • +{BLOCKED}57409

  SOLUTION

Minimum Scan Engine:

9.200

TMMS Pattern File:

1.317.00

TMMS Pattern Date:

18 Sep 2012

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

