ANDROIDOS_PIRATES.A

This Trojan registers the receivers BootReceiver and AlarmReceiver which are responsible for starting the service called MonitorService. This service communicates with the malicious server and obtains data needed to execute its payload.

It installs a receiver called SMSReceiver which is executed each time a text message is received. It gathers certain information from the affected device. It sends the gathered information via HTTP POST to a certain URL.

It sends a text message containing the IMEI and the device model to a randomly chosen number. It connects to a certain URL to download additional data. The said data will be saved in its database which contains a table called blogconfig with the certain fields.

It sends the stolen SMS data via HTTP POST to a certain URL. It sends text messages from a number and message body obtained from a certain URL. It then connects to another URL. The data returned by the server is composed of URLs and their titles that will be added to the bookmarks of the browser of the affected device.

This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This Trojan may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

This malware arrives via the following means:

• Trojanized Android gaming application named Coin Pirates

NOTES:

It registers the receivers BootReceiver and AlarmReceiver which are responsible for starting the service called MonitorService. This service communicates with the malicious server and obtains data needed to execute its payload.

It installs a receiver called SMSReceiver which is executed each time a text message is received.

It gathers the following information from the affected device:

• Device model
• SDK version
• IMEI
• IMSI

• http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/Reg.aspx

It sends a text message containing the IMEI and the device model to a number chosen randomly from the following:

• 13521419442
• 13552040604
• 13661258744
• 13521273944
• 13552040894
• 13520931794
• 13520234741
• 13520234194

It connects to following URL to download additional data:

• http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/BlogDown.aspx

The said data will be saved in its database which contains a table called blogconfig with the following fields:

• BlogType
• KeyWords
• Charging
• IsConfirm

The field KeyWords contains strings that the malware watches for each time a text message is received. If the string matches, it is either deleted or uploaded to the server android.fzbk.info depending on the value of the IsConfirm field.

It sends the stolen SMS data via HTTP POST to the following URL:

• http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/FreeAction.aspx

It sends text messages from a number and message body obtained from the following URL:

• http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/FreeDown.aspx

It connects to http://{BLOCKEd}id.{BLOCKEd}bk.info/AndroidInterface/FavDown.aspx . The data returned by the server is composed of URLs and their titles that will be added to the bookmarks of the browser of the affected device.