ANDROIDOS_BOTPANDA.A
Malicious Downloader
Android OS
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This malware carries its malicious code in a native dynamic library; when that library is executed, it turns the infected device into a zombie (bot). Keeping its routines inside the native library rather than in the app's Java code makes the sample harder to analyze.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
It connects to certain URLs to listen for commands.
It displays ads and pushes notifications, and it terminates certain system processes to hinder detection and removal.
This Trojan may be manually installed by a user.
TECHNICAL DETAILS
Arrival Details
This Trojan may be manually installed by a user.
Backdoor Routine
This Trojan opens the following ports:
- 8511
Other Details
This Trojan connects to the following possibly malicious URLs:
- {BLOCKED}d.{BLOCKED}ew.com
- {BLOCKED}d.{BLOCKED}o8.com
- {BLOCKED}d.my968.com
NOTES:
It may arrive under the following package names and, once installed, appear under the following application names (Chinese names are glossed in English in parentheses):

Package Name | Application Name After Installation
--- | ---
com.fantasmosoft.new | FMR Memory Cleaner
eu.chainfire.newsupersu | SuperSU
eu.chainfire.newsupersu | 签名点ME (approx. "Signature ME")
com.iozhu.zyl | Move2SD Enabler
eu.chainfire.new | Chainfire3D
com.northpark.newsquats | Squats
net.szym.barnacle | 无线探测器 ("Wireless Detector")
com.northpark.new | Sit Ups
ccn.andflyt.new | 程序隐藏器 ("App Hider")
com.nyzv.shotux | Screenshot UX
It connects to the following C&C servers to listen for commands:
- ad.{BLOCKED}ew.com
- ad.{BLOCKED}o8.com
- ad.{BLOCKED}8.com
As of this writing, the said servers are inaccessible.
This malware may display ads or push notifications.
It terminates the following processes:
- debuggerd
- vold
This is done to hinder detection and removal from the affected device. Both are system daemons that run with root privileges (vold manages storage volumes; debuggerd handles native crash reporting), so terminating them requires root access on the device, consistent with the root-related apps (SuperSU, Chainfire3D) the Trojan impersonates. Their absence from the process list is therefore itself a useful indicator.
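As an added example (not part of the Trend Micro write-up), the script below turns the indicators listed above (the carrier package names, the port 8511 listener and the two killed daemons) into an offline triage check over `pm list packages`, `netstat -an` and `ps` output that a responder has already pulled from a device, for instance via `adb shell`. The column layouts it assumes are those of the Android toolbox commands, and the sample outputs embedded in it are constructed for illustration.

```python
"""Host-side triage helper for the ANDROIDOS_BOTPANDA.A indicators.

Assumptions (not from the original page): the responder passes in the text
output of `pm list packages`, `netstat -an` and `ps` captured from the device.
The package names, port and daemon names are the ones the write-up lists;
SAMPLE_* inputs below are constructed, not real captures.
"""
import re

# Package names the write-up lists as carriers of the Trojan.
IOC_PACKAGES = {
    "com.fantasmosoft.new",
    "eu.chainfire.newsupersu",
    "com.iozhu.zyl",
    "eu.chainfire.new",
    "com.northpark.newsquats",
    "net.szym.barnacle",
    "com.northpark.new",
    "ccn.andflyt.new",
    "com.nyzv.shotux",
}
IOC_PORT = 8511                              # backdoor listener
IOC_KILLED_DAEMONS = {"debuggerd", "vold"}   # system daemons the Trojan terminates


def installed_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages` lines of the form 'package:<name>'
    (or 'package:<apk path>=<name>' when run with -f)."""
    pkgs = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):].rsplit("=", 1)[-1])
    return pkgs


def listening_ports(netstat_output: str) -> set[int]:
    """Return local ports of TCP sockets in LISTEN state and of all UDP sockets."""
    ports = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue  # header line or unrelated socket type
        if cols[0].startswith("tcp") and cols[-1] != "LISTEN":
            continue  # established/closing TCP sockets are not listeners
        m = re.search(r":(\d+)$", cols[3])  # cols[3] is 'Local Address'
        if m:
            ports.add(int(m.group(1)))
    return ports


def running_processes(ps_output: str) -> set[str]:
    """Parse Android toolbox `ps` output; the process name is the last column."""
    names = set()
    for line in ps_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if cols:
            names.add(cols[-1].rsplit("/", 1)[-1])  # strip '/system/bin/'
    return names


def triage(pm_output: str, netstat_output: str, ps_output: str) -> dict:
    """Combine the three indicator checks into one report."""
    pkgs = installed_packages(pm_output)
    ports = listening_ports(netstat_output)
    procs = running_processes(ps_output)
    findings = {
        "ioc_packages": sorted(pkgs & IOC_PACKAGES),
        "backdoor_port_open": IOC_PORT in ports,
        # vold and debuggerd run on every healthy device; absence is a hint, not proof.
        "missing_daemons": sorted(IOC_KILLED_DAEMONS - procs),
    }
    findings["suspicious"] = bool(
        findings["ioc_packages"] or findings["backdoor_port_open"] or findings["missing_daemons"]
    )
    return findings


# Constructed sample captures: one IOC package, the 8511 listener, vold missing.
SAMPLE_PM = """package:com.android.settings
package:eu.chainfire.newsupersu
package:com.android.vending
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8511            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""
SAMPLE_PS = """USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     296    204   c00bd7c0 0000ca4c S /init
root      35    1     3220   172   ffffffff 00000000 S /system/bin/debuggerd
root      37    1     3396   188   ffffffff 00000000 S /system/bin/netd
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_NETSTAT, SAMPLE_PS))
```

Run it against real captures by replacing the SAMPLE_* strings with the output of `adb shell pm list packages`, `adb shell netstat -an` and `adb shell ps`; a hit on the package list is the strongest signal, while the port and daemon checks corroborate an active infection on a rooted device.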
SOLUTION
Step 1
Scan your computer with your Trend Micro product to delete files detected as ANDROIDOS_BOTPANDA.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.
Download and install the Trend Micro Mobile Security App via Google Play.