PLATFORM:

Android OS

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Via app stores

ANSERVER is the first known Android malware that reads blog posts and interprets these as commands. It can download and install additional applications, thus further compromising the infected device.

It uses a third-party app store as its avenue for distribution, embedded in an e-book reader application. It also sends sensitive information from the affected device to its C&C server.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Steals information

NOTES:

This malware connects to a remote server to download other malicious payloads to the device and installs these without the user's consent.

Once the app is installed, the malicious code can be run in several ways:

  • Access network settings
  • Access the Internet
  • Control the vibrator
  • Disable Keylock
  • Make a Call
  • Read low-level log files
  • Read and write contacts
  • Restart applications
  • Wake the device
  • Write, read, receive, and send SMS

When any of the actions above occurs, the service starts in the background.

It gathers the following device information:

  • Build version
  • IMEI
  • IMSI
  • Manufacturer
  • Model
  • OS version
  • Package name of legitimate application
  • SDK version

The service then sends sensitive information to its C&C server and retrieves an XML configuration file:

  • http://bolog.{BLOCKED}ditem.cn/s/blog_log.html
  • http://b4.{BLOCKED}r.co.cc:8080/jk.action={information}

The configuration file contains the malware's settings, the package name of the application to be downloaded, and the download URL.

It makes use of a blog post that contains encrypted messages, which the malware interprets as its commands. It can also download other malicious applications from the said blog post.
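The two request paths listed above are a usable network indicator even though the hostnames are blocked on this page. As an added example that is not part of the original entry, the following script flags proxy log lines whose request path matches those C&C paths or carries a 15-digit IMEI/IMSI-like value; the log format, the hostnames and the device identifiers in it are constructed samples.

```python
"""Added example (not from the original entry): flag proxy log lines whose
request path matches the ANSERVER C&C paths named in the entry. The log
format, hostnames and device identifiers below are constructed samples."""
import re
from urllib.parse import urlsplit

# Paths taken from the entry; the hosts are blocked there, so match on path only.
CNC_PATHS = ("/s/blog_log.html", "/jk.action")
# IMEI and IMSI are both 15-digit numbers; a request carrying one is suspicious.
IMEI_LIKE = re.compile(r"(?<!\d)\d{15}(?!\d)")

# Constructed sample log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2011-09-01T10:00:01Z 10.0.0.5 GET http://bolog.example.invalid/s/blog_log.html 200
2011-09-01T10:00:02Z 10.0.0.5 GET http://b4.example.invalid:8080/jk.action=imei%3D123456789012345 200
2011-09-01T10:00:03Z 10.0.0.6 GET http://news.example.invalid/index.html 200
"""


def parse_line(line):
    """Split one constructed proxy log line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def classify(entry):
    """Return the reasons this request looks like ANSERVER C&C traffic (empty if none)."""
    parts = urlsplit(entry["url"])
    reasons = []
    if any(parts.path.startswith(p) for p in CNC_PATHS):
        reasons.append("known C&C path: " + parts.path)
    # The entry shows the identifiers appended directly to the path, so check both.
    if IMEI_LIKE.search(parts.path + "?" + parts.query):
        reasons.append("15-digit identifier (IMEI/IMSI-like) in request")
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every flagged line in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```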