ANDROIDOS_MASKSYS.HRX

 Analysis by: Jordan Pan

 THREAT SUBTYPE:

Information Stealer, Malicious Downloader, Rooting Tool

 PLATFORM:

AndroidOS


  • Threat Type: Trojan

  • Destructiveness: Yes

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


Also known as Ghost Push, this malware is downloaded by unsuspecting users from third-party app stores.

After it roots the device, it steals personal information and installs unwanted apps and ads that automatically run on startup. It also installs itself in the device's ROM and encrypts critical strings to avoid detection and deletion.

This Trojan gathers device information. It downloads malicious files. It drops and runs other files on the device. This is the Trend Micro detection for Android applications that can be used to root Android devices.

  TECHNICAL DETAILS

Mobile Malware Routine

This Trojan gathers the following device information:

  • country
  • androidversion
  • MAC
  • imsi
  • imei
  • packagename
  • language

It downloads the following malicious files:

  • downloads unwanted apps and ads

It accesses the following malicious URL(s) to download file(s):

  • http://active.{BLOCKED}S7.COM/gmview
  • http://api.{BLOCKED}cb.com
  • http://api.{BLOCKED}poi.com
  • http://api.{BLOCKED}1n.com
  • http://api.{BLOCKED}s7.com

It drops and executes the following file(s):

  • install-recovery.sh

This is the Trend Micro detection for Android applications that can be used to root Android devices. Rooting enables the user to have elevated rights and permissions to access the Android subsystem.

Upon installation, it asks for the following permissions:

  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.INTERNET
  • android.permission.RECEIVE_USER_PRESENT
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.READ_PHONE_STATE
  • android.permission.KILL_BACKGROUND_PROCESSES
  • com.android.launcher.permission.INSTALL_SHORTCUT
  • android.permission.ACCESS_SUPERUSER
  • android.permission.INTERNET
  • android.permission.READ_PHONE_STATE
  • android.permission.ACCESS_WIFI_STATE
  • android.permission.ACCESS_NETWORK_STATE
  • android.permission.CAMERA
  • android.permission.ACCESS_MTK_MMHW
  • android.permission.READ_SETTINGS
  • android.permission.WRITE_SETTINGS
  • android.permission.GET_ACCOUNTS

It is capable of doing the following:

  • automatically running the app on startup

NOTES:

Also known as Ghost Push, this malware is downloaded by unsuspecting users from third-party app stores.

The shell APK file decodes a DEX file in the assets folder. This file is sometimes named protect.apk. Once done, the app runs the malicious DEX file without showing any icon or notification.

After it roots the device, it steals personal information and installs unwanted apps and ads that automatically run on startup. It also installs itself in the device's ROM and encrypts critical strings to avoid detection and deletion.

Unlike older variants, this version uses the Process watcher command as guard code to monitor the processes running on the device and ensure that its malicious routines stay running. This guard code also helps the malware calculate how much space is left for installing malicious apps.
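The notes above describe a shell APK that carries its real code as an encoded DEX in the assets folder (sometimes named protect.apk). The following triage script is an added example, not part of this Trend Micro entry: it opens an APK as a zip and flags assets that are raw DEX files, nested APKs, or large high-entropy blobs of the kind an encoded DEX payload leaves behind. The sample APK, the 4 KB size floor and the 7.5 bits/byte entropy threshold are constructed assumptions for illustration.

```python
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"        # Dalvik executable header, e.g. "dex\n035\0"
ZIP_MAGIC = b"PK\x03\x04"   # a nested APK/JAR is just a zip archive
HIGH_ENTROPY = 7.5          # assumed threshold; encoded blobs sit near 8.0 bits/byte
MIN_SIZE = 4096             # assumed floor so short text assets are not flagged


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 means uniformly random-looking content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_assets(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Return (asset path, verdict) for assets that look like a hidden payload.

    Verdicts: 'dex' (plain Dalvik executable), 'apk' (nested zip/APK),
    'encoded' (large high-entropy blob, the shape an obfuscated DEX takes).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            if data.startswith(DEX_MAGIC):
                findings.append((info.filename, "dex"))
            elif data.startswith(ZIP_MAGIC):
                findings.append((info.filename, "apk"))
            elif len(data) >= MIN_SIZE and shannon_entropy(data) > HIGH_ENTROPY:
                findings.append((info.filename, "encoded"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK: a benign text asset, a raw DEX named protect.apk,
    and an 8 KB maximum-entropy blob standing in for an encoded payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        z.writestr("assets/strings.txt", b"hello world\n")
        z.writestr("assets/protect.apk", b"dex\n035\0" + b"\0" * 64)
        z.writestr("assets/data.bin", bytes(range(256)) * 32)
    return buf.getvalue()
```

On a real sample, pair the asset findings with the manifest permission list (aapt dump permissions) and treat a hit alongside android.permission.ACCESS_SUPERUSER as high priority for manual review.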

  SOLUTION

Minimum Scan Engine:

9.750

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increases device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites:
