ANDROIDOS_OQX.S

 Analysis by: Weichao Sun

 THREAT SUBTYPE:

Information Stealer

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This is the Trend Micro detection for malicious apps that can be used to steal or intercept SMS messages from the affected device.

  TECHNICAL DETAILS

NOTES:

This malware may be manually downloaded and installed by a user.

During installation, this malware registers several broadcast receivers to listen for the following system events:

  • New package installed, package removed, and system boot completed
  • By listening for the boot-completed event, this malware is launched every time the system finishes booting.
  • Once launched, this malware downloads a file, stat.jar, from http://x{blocked}xx.com/res.

However, this file is not a real .JAR file but an odex file encrypted with AES. This malware then decrypts the file and loads and executes it dynamically.

When the infected device receives an SMS message, this malware calls a function named “filter” in the odex file.

Below is the screenshot of the call to the “filter” function in the odex file.

During our analysis, the “filter” function did nothing except return “False” directly. Since this function is located in a downloaded and dynamically loaded odex file, its behavior can be changed simply by placing a different odex file on the server, for example to steal or intercept the user's SMS messages.

Below is the screenshot of the “filter” function in odex.

The actions taken after receiving the “new package added” and “package removed” events are the same: a function named “packageChanged”, located in the odex file, is called.

Below is the screenshot of the call to the “packageChanged” function in the odex file.

Below is the screenshot of the “packageChanged” function in the odex file.
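A defender-side triage check for the receiver pattern described above (boot completed, package added/removed, and SMS received, all registered by one app). This is an added example, not Trend Micro's code; it works on a decoded AndroidManifest.xml, and the manifest, package and class names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions this entry says the malware listens for, grouped by purpose.
INDICATORS = {
    "persistence": {"android.intent.action.BOOT_COMPLETED"},
    "package_monitoring": {"android.intent.action.PACKAGE_ADDED",
                           "android.intent.action.PACKAGE_REMOVED"},
    "sms_access": {"android.provider.Telephony.SMS_RECEIVED"},
}

# Constructed manifest; decode a real APK's binary manifest (apktool/aapt) first.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PackageReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def receiver_actions(manifest_xml: str) -> dict:
    """Map each <receiver> class name to the set of broadcast actions it filters."""
    root = ET.fromstring(manifest_xml)
    return {
        recv.get(ANDROID_NS + "name", "?"):
            {act.get(ANDROID_NS + "name") for act in recv.iter("action")}
        for recv in root.iter("receiver")
    }


def triage(manifest_xml: str) -> dict:
    """Flag which indicator groups appear; all three together matches this entry's profile."""
    seen = set().union(*receiver_actions(manifest_xml).values())
    hits = {group: bool(seen & acts) for group, acts in INDICATORS.items()}
    hits["matches_profile"] = all(hits.values())
    return hits
```

A match is a triage signal, not a verdict: legitimate SMS or launcher apps register some of these receivers, so a hit should lead to inspecting what the receivers actually do (here, the dynamically loaded odex).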

  SOLUTION

Minimum Scan Engine:

9.300

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

