ANDROIDOS_PIRATES.A

 Analysis by: Christopher Daniel So

 THREAT SUBTYPE:

Information Stealer, Click Fraud

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Trojan registers the receivers BootReceiver and AlarmReceiver which are responsible for starting the service called MonitorService. This service communicates with the malicious server and obtains data needed to execute its payload.

It installs a receiver called SMSReceiver which is executed each time a text message is received. It gathers certain information from the affected device. It sends the gathered information via HTTP POST to a certain URL.

It sends a text message containing the IMEI and the device model to a randomly chosen number. It connects to a certain URL to download additional data. The said data will be saved in its database which contains a table called blogconfig with the certain fields.

It sends the stolen SMS data via HTTP POST to a certain URL. It sends text messages from a number and message body obtained from a certain URL. It then connects to another URL. The data returned by the server is composed of URLs and their titles that will be added to the bookmarks of the browser of the affected device.

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size:

717,136 bytes

File Type:

DEX

Initial Samples Received Date:

04 Aug 2011

Payload:

Connects to URLs/IPs, Sends messages

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

This malware arrives via the following means:

  • Trojanized Android gaming application named Coin Pirates

NOTES:

It registers the receivers BootReceiver and AlarmReceiver which are responsible for starting the service called MonitorService. This service communicates with the malicious server and obtains data needed to execute its payload.

It installs a receiver called SMSReceiver which is executed each time a text message is received.

It gathers the following information from the affected device:

  • Device model
  • SDK version
  • IMEI
  • IMSI
It sends the gathered information via HTTP POST to the following URL:
  • http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/Reg.aspx

It sends a text message containing the IMEI and the device model to a number chosen randomly from the following:

  • 13521419442
  • 13552040604
  • 13661258744
  • 13521273944
  • 13552040894
  • 13520931794
  • 13520234741
  • 13520234194

It connects to following URL to download additional data:

  • http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/BlogDown.aspx

The said data will be saved in its database which contains a table called blogconfig with the following fields:

  • BlogType
  • KeyWords
  • Charging
  • IsConfirm

The field KeyWords contains strings that the malware watches for each time a text message is received. If the string matches, it is either deleted or uploaded to the server android.fzbk.info depending on the value of the IsConfirm field.

It sends the stolen SMS data via HTTP POST to the following URL:

  • http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/FreeAction.aspx

It sends text messages from a number and message body obtained from the following URL:

  • http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/FreeDown.aspx

It connects to http://{BLOCKEd}id.{BLOCKEd}bk.info/AndroidInterface/FavDown.aspx . The data returned by the server is composed of URLs and their titles that will be added to the bookmarks of the browser of the affected device.

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.123.00

TMMS Pattern Date:

08 Aug 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.