Infection Channel: Via app stores
This Android malware arrives as a fan-made application that tricks users into thinking that it is the same as the original. It displays advertisements upon installation.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This malware arrives as a Trojanized Android application. Upon execution, it creates shortcuts pointing to ads sites on the device's home page. It does this by downloading details about its intended ads on certain sites.
This Trojan may be manually installed by a user.
File size: Varies
File type: APK
Initial samples received date: 20 Feb 2012
Payload: Displays ads
Arrival Details
This Trojan may be manually installed by a user.
NOTES:
This malware arrives as a Trojanized Android application.
Upon execution, it creates shortcuts pointing to ads sites on the device's home page. It does this by downloading details about its intended ads on the following sites:
- www.{BLOCKED}dsettings.com
- ad.{BLOCKED}boltapps.net
Below is an example of the created shortcuts:
Aside from home page shortcuts, it also displays advertisements via notifications:
It then reports infection by uploading information to the following C&C server:
- http://api.{BLOCKED}push.com/v2/api.php
Sent information includes the following:
- IMEI
- Carrier
- Network operator
- Phone model
- API Key
- App Id
- Token
- Infection timestamp
- Package name and version
- Wifi information
- User agent
- Android ID
After executing its payload, it then displays the following fake notification to the user:
Connect with us on
| | | |