ANDROIDOS_WROBA.A

 Analysis by: Jordan Pan

 PLATFORM:

Android


  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This Backdoor drops and runs other files on the device. It uses common file icons to trick a user into thinking that the files are legitimate.

  TECHNICAL DETAILS

File Size:

2187321 bytes

Memory Resident:

Yes

Initial Samples Received Date:

19 Jan 2018

Mobile Malware Routine

This Backdoor is a file that collects the following information on an affected mobile device:

  • Phone number
  • Device ID
  • SDK version
  • Manufacturer
  • Bluetooth name
  • Time and date when app was first installed
  • Presence of Softbank/Docomo/Au app

It accesses the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}e-xp.{BLOCKED}y.cc

It accesses the following website(s) to send and receive information:

  • {BLOCKED}e-xp.{BLOCKED}y.cc

It drops and executes the following file(s):

  • Fake banking apps, dropped to replace the legitimate ones it detects

It displays the following:

  • A spoofed web page imitating the official banking app it detected on the device

Upon installation, it asks for the following permissions:

  • android.permission.INTERNET
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.READ_PHONE_STATE
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.READ_SMS
  • android.permission.BOOT_COMPLETED
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.MOUNT_UNMOUNT_FILESYSTEMS
  • android.permission.MODIFY_AUDIO_SETTINGS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.RECEIVE_SMS
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • android.permission.READ_CONTACTS
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.READ_EXTERNAL_STORAGE

It uses common file icons to trick a user into thinking that the files are legitimate.

It is capable of doing the following:

  • Lock the screen and reset the password to 778877
  • Request device administrator privileges
  • Parse contact information and upload it
  • Collect the specified SMS and MMS messages and upload them
  • Uninstall a detected legitimate banking app and replace it with a malicious fake app
  • Control mute and ringer settings
  • Delete files
  • Hide its icon
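The permission list and capability list above describe a characteristic profile (SMS interception, overlay windows for the spoofed banking page, boot persistence, contact collection and a device-admin request). The following triage script is an added example, not Trend Micro's detection logic: it parses a decoded AndroidManifest.xml and reports which of those indicator groups an app declares, using a constructed manifest as sample input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator groups assembled from the permission and capability lists above.
INDICATORS = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "contact_exfil": {"android.permission.READ_CONTACTS"},
    "device_fingerprint": {"android.permission.READ_PHONE_STATE"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return matched indicator groups, duplicate permissions and a simple score."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    declared = set(names)
    hits = {cat: sorted(declared & perms)
            for cat, perms in INDICATORS.items() if declared & perms}
    # A device-admin component is a <receiver> protected by BIND_DEVICE_ADMIN.
    if any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        hits["device_admin"] = ["receiver:BIND_DEVICE_ADMIN"]
    # The list above carries WRITE_EXTERNAL_STORAGE twice; flag such repeats.
    dups = sorted({n for n in names if names.count(n) > 1})
    return {"matched": hits, "score": len(hits), "duplicate_permissions": dups,
            "suspicious": len(hits) >= 3}

# Constructed sample manifest mirroring the permission list above (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The score is a triage aid for prioritising samples, not a verdict; a legitimate SMS or launcher app can legitimately hold several of these permissions.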

  SOLUTION

Minimum Scan Engine:

9.850

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increases device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites:
