ANDROIDOS_ADDOWN.OPS
Information Stealer, Malicious Downloader
Android OS
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Adware drops and runs other files on the device. It displays pop-up advertisements.
TECHNICAL DETAILS
Mobile Malware Routine
This Adware is a file that collects the following information on an affected mobile device:
- simcard country
- language
- os version
- device name
- device id
- installed apps
- android id
- email address
It also steals the following information from the affected device:
- manufacturer
- source
- simcard country
- product
- publisher_id
- simcard operator
- service id
- language
- resolution
- model
- os version
- Device name
- Device id
- Installed apps
- Android id
- Email Address
It accesses the following URL(s) to send and receive commands from a remote malicious user:
- https://{BLOCKED}stlet.com/services/v5/
It sends the gathered information via HTTP POST to the following URL(s):
- hxxps://{BLOCKED}stlet[.]com/services/v5/rD
It drops and executes the following file(s):
- malicious dex
It displays pop-up advertisements.
Upon installation, it asks for the following permissions:
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.INTERNET
- android.permission.READ_PHONE_STATE
- android.permission.WAKE_LOCK
- android.permission.RECORD_AUDIO
- android.permission.SYSTEM_ALERT_WINDOW
- com.google.android.providers.gsf.permission.READ_GSERVICES
- android.permission.WRITE_SETTINGS
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.GET_TASKS
- android.permission.VIBRATE
- android.permission.GET_ACCOUNTS
- android.permission.DISABLE_KEYGUARD
- com.google.android.c2dm.permission.RECEIVE
- com.fourvideo.videoshow.videoslide.permission.C2D_MESSAGE
Based on analysis of the codes, it has the following capabilities:
- hides its aggressive ad behavior by detecting whether the system is running in an emulator
- hides its behavior by scanning the user’s email address to check whether it contains the special strings
- encrypts all constant strings
- It performs net transmission via HTTPS to prevent its traffic from being caught
- It uses a wide array of reflection invoking methods
- It will hide its behavior based on the running environment
It is capable of doing the following:
- download malicious code
- collect sensitive information
- popup adds
- escape from static and dynamic detection
SOLUTION
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increase device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites:
Did this description help? Tell us how we did.