ANDROIDOS_BGSERV.A

 Analysis by: Karl Dominguez

 THREAT SUBTYPE:

Information Stealer, Premium Service Abuser, Spying Tool

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This Android OS backdoor has the increased potential for damage, propagation, or both, that it possesses. Specifically, it is a Trojanized version of the official Android Market Security Tool for Google, which is capable of manipulating SMS and connecting to a remote URL to send and receive information.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor is capable of gathering device information and monitoring SMS and calls. It may also download other files that could possibly be malicious.

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

DEX

Memory Resident:

Yes

Initial Samples Received Date:

10 Mar 2011

Payload:

Steals information, Compromises system security, Downloads files

Arrival Details

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

Backdoor Routine

This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://www.{BLOCKED}g.com:81/Coop/request3.php

NOTES:

Other Details

Based on the analysis of its code, this backdoor has the following capabilities:

  • Intercepts/monitors sent and received SMS
  • Blocks SMS based on filters set by the remote attacker
  • Sends SMS
  • Intercepts calls
  • Modifies call logs
  • Downloads files
  • Finds internet connections and status
  • Changes network connectivity status
  • Modifies Access Point Name
  • Downloads videos from the following links:
    • http://{BLOCKED}1.{BLOCKED}6.165.53/adapted/choose.jsp?dest=all&chooseUrl=QQQwlQQQrmw1sQQQpp66.jsp
    • http://{BLOCKED}1.{BLOCKED}6.165.53/wl/rmw1s/pp66.jsp
  • Gathers the following information about the infected device:
    • International Mobile Equipment Identity(IMEI)
    • Version
    • SMS center number
    • Phone number
    • Mobile Country Code
    • Mobile Network Code
    • Access Point Name
    • Internet connection status
  • Keeps a log of the following about itself, which are then sent to a remote URL:
    • First run time
    • Install Time
    • Process ID
    • Server
    • Connection time
    • SMS and Call times
    • Video download links
    • Video download time
    • Video download count
    • Intercepted SMS
    • SMS block time
    • SMS block key
    • SMS block port
    • SMS count
    • Download URL

It is a Trojanized version of Google's Android Market Security Tool. The said tool is designed to clean the effects of another Trojanized application, which Trend Micro detects as ANDROIDOS_LOTOOR.A. The said tool is also capable of gathering device information and monitoring SMS and calls. It may also be used by remote attackers to intercept messages from the China Mobile hotline, 10086.

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.101.00

TMMS Pattern Date:

24 May 2011

Step 1

Remove malware files dropped/downloaded by ANDROIDOS_BGSERV.A

Step 2

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 3

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.