Analysis by: Veo Zhang

 THREAT SUBTYPE:

Hacking/Cracking Tool

 PLATFORM:

Android OS


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 13,968,091 bytes
File Type: APK
Memory Resident: Yes
Initial Samples Received Date: 29 Oct 2014
Payload: Connects to URLs/IPs, Compromises system security

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

NOTES:

This malware targets users in South Korea. It hides in popular cracked game apps found on underground forums and torrent websites. The remote bot server has since gone down, leaving the malware inactive.

In October 2014, new variants were found on Chinese underground forums, hosted at http://appgame.{BLOCKED}3.com/.

This malware runs as a background service, com.google.playstore.AppDataService, which starts on app launch or device reboot. It logs in to mail services such as AOL, Gmail, and GMX using predefined mail accounts and retrieves mail containing control codes from the mailbox.

The control code decrypts to the socket server androidapp.{BLOCKED}y.com:55555 and the HTTP server http://androidapp.{BLOCKED}y.com:50080/php/download.php. The bot listens on the socket server for commands, while the HTTP server is used for downloading or uploading data.

The commands it performs can be any of the following:

  • register - register to remote server
  • request_call_log - request call log record
  • request_contact - request contacts list
  • request_file_list - request to list files in device storage
  • request_create_new_dir - request to create new folder in device storage
  • request_file_upload - request to upload files in device storage
  • request_file_download - request to download files into device storage
  • request_item_delete - request to delete files in device storage
  • request_calendar_event - request to upload calendar events
  • request_del_message - request to delete SMS message
  • request_send_message - request to upload SMS message
  • request_send_all_message - request to upload all SMS messages
  • request_endcontrol - end remote control
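The indicators above (the service name, the mail-based control channel, and the command vocabulary) lend themselves to a static triage check over an unpacked APK. The following Python is an added example written for this page, not Trend Micro's detection logic or anything from the malware itself: it looks for the documented service in AndroidManifest.xml, groups any documented command names found among extracted strings by the data category they expose, and notes references to the named mail providers. The mail-host pattern, the BOOT_COMPLETED receiver check (the standard Android mechanism for "starts on device reboot", which the write-up does not spell out) and the verdict thresholds are assumptions of this example, and the sample manifest and string list are constructed.

```python
"""Added triage example for the ANDROIDOS_KRBOT.HRX indicators described in the write-up."""
import re
from collections import defaultdict
from typing import Dict, List

# Command set taken from the write-up, mapped to the data category it exposes.
KRBOT_COMMANDS: Dict[str, str] = {
    "register": "bot registration",
    "request_call_log": "call log",
    "request_contact": "contacts",
    "request_file_list": "device storage",
    "request_create_new_dir": "device storage",
    "request_file_upload": "device storage",
    "request_file_download": "device storage",
    "request_item_delete": "device storage",
    "request_calendar_event": "calendar",
    "request_del_message": "SMS",
    "request_send_message": "SMS",
    "request_send_all_message": "SMS",
    "request_endcontrol": "session control",
}

# Background service name reported in the write-up.
SERVICE_NAME = "com.google.playstore.AppDataService"

# Mail providers the write-up names as the control channel; the host pattern is an assumption.
_MAIL_RE = re.compile(r"\b(?:[a-z0-9-]+\.)*(aol|gmail|gmx)\.(?:com|net|de)\b", re.IGNORECASE)
_SERVICE_RE = re.compile(
    r'<service\b[^>]*\bandroid:name="' + re.escape(SERVICE_NAME) + r'"', re.IGNORECASE
)
# Assumed: a BOOT_COMPLETED receiver is how the service gets restarted after reboot.
_BOOT_RE = re.compile(r"android\.intent\.action\.BOOT_COMPLETED")


def declares_krbot_service(manifest_xml: str) -> bool:
    """True if the manifest declares the service named in the write-up."""
    return _SERVICE_RE.search(manifest_xml) is not None


def has_boot_receiver(manifest_xml: str) -> bool:
    """True if the manifest registers for BOOT_COMPLETED (assumed reboot persistence)."""
    return _BOOT_RE.search(manifest_xml) is not None


def match_commands(strings: List[str]) -> Dict[str, List[str]]:
    """Group documented command names found among extracted strings by data category."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for s in strings:
        token = s.strip()
        if token in KRBOT_COMMANDS:
            hits[KRBOT_COMMANDS[token]].append(token)
    return dict(hits)


def mail_providers(strings: List[str]) -> List[str]:
    """Sorted, de-duplicated list of named mail providers referenced in the strings."""
    return sorted({m.group(1).lower() for s in strings for m in _MAIL_RE.finditer(s)})


def triage(manifest_xml: str, strings: List[str]) -> Dict[str, object]:
    """Combine the indicator families into one verdict for an unpacked APK."""
    cmds = match_commands(strings)
    n_cmd = sum(len(v) for v in cmds.values())
    service = declares_krbot_service(manifest_xml)
    mail = mail_providers(strings)
    # Thresholds are an assumption of this example, not a vendor detection rule.
    if service and n_cmd >= 3:
        verdict = "likely ANDROIDOS_KRBOT.HRX"
    elif service or n_cmd >= 3 or mail:
        verdict = "suspicious: review manually"
    else:
        verdict = "no KRBOT indicators"
    return {
        "service": service,
        "boot_receiver": has_boot_receiver(manifest_xml),
        "commands": cmds,
        "mail_providers": mail,
        "verdict": verdict,
    }


# Constructed sample input: a manifest and a few strings as an APK string dump might yield.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.crackedgame">
  <application android:label="Cracked Game">
    <service android:name="com.google.playstore.AppDataService" android:enabled="true"/>
    <receiver android:name="com.example.crackedgame.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""
SAMPLE_STRINGS = [
    "register", "request_contact", "request_send_all_message",
    "imap.gmail.com", "Lcom/example/crackedgame/MainActivity;",
    "request_endcontrol", "mail.gmx.net",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

Run it against the output of an APK string dump and the decoded manifest; the per-category grouping tells an analyst which data classes (SMS, contacts, storage) the sample is equipped to exfiltrate, which is what drives the user notification and credential-reset decisions after an infection.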

  SOLUTION

Minimum Scan Engine: 9.700
TMMS Pattern File: 1.845.00
TMMS Pattern Date: 13 Nov 2014

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Scan your computer with your Trend Micro product to delete files detected as ANDROIDOS_KRBOT.HRX. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

