ANDROIDOS_WORMHOLE.HRXA

This malware leverages Moplus SDK to automatically and periodically deploy unwanted applications onto Android devices. Moplus SDK has been found out to include backdoor capabilities.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor gathers device information. It sends stolen data to certain websites. This is the Trend Micro detection for Android applications bundled with malicious code.

Mobile Malware Routine

This backdoor is a file that collects the following information on an affected mobile device:

• Installed packages
• local files
• APN
• location
• serviceinfo

It gathers the following device information:

• APN
• location
• installed applications
• local files

It posts the following information to its command and control (C&C) server:

• local files
• location
• installed apps
• service information
• app information

It receives commands from the following C&C server(s):

• Any HTTP client

It sends the gathered information via HTTP POST to the following URL(s):

• Any HTTP server

It opens the following port(s):

• 6259
• 40310

It sends the information it gathers to remote sites.

This is the Trend Micro detection for Android applications bundled with malicious code.