This Trojan registers the receivers BootReceiver and AlarmReceiver which are responsible for starting the service called MonitorService. This service communicates with the malicious server and obtains data needed to execute its payload.
It installs a receiver called SMSReceiver which is executed each time a text message is received. It gathers certain information from the affected device. It sends the gathered information via HTTP POST to a certain URL.
It sends a text message containing the IMEI and the device model to a randomly chosen number. It connects to a certain URL to download additional data. The said data will be saved in its database which contains a table called blogconfig with the certain fields.
It sends the stolen SMS data via HTTP POST to a certain URL. It sends text messages from a number and message body obtained from a certain URL. It then connects to another URL. The data returned by the server is composed of URLs and their titles that will be added to the bookmarks of the browser of the affected device.
This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.
File size: 717,136 bytes
File type: DEX
Initial samples received date: 04 Aug 2011
Payload: Connects to URLs/IPs, Sends messages
Arrival Details
This Trojan may be downloaded by other malware/grayware/spyware from remote sites.
It may be unknowingly downloaded by a user while visiting malicious websites.
This malware arrives via the following means:
- Trojanized Android gaming application named Coin Pirates
NOTES:
It registers the receivers BootReceiver and AlarmReceiver which are responsible for starting the service called MonitorService. This service communicates with the malicious server and obtains data needed to execute its payload.
It installs a receiver called SMSReceiver which is executed each time a text message is received.
It gathers the following information from the affected device:
- Device model
- SDK version
- IMEI
- IMSI
It sends the gathered information via HTTP POST to the following URL:
- http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/Reg.aspx
It sends a text message containing the IMEI and the device model to a number chosen randomly from the following:
- 13521419442
- 13552040604
- 13661258744
- 13521273944
- 13552040894
- 13520931794
- 13520234741
- 13520234194
It connects to following URL to download additional data:
- http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/BlogDown.aspx
The said data will be saved in its database which contains a table called blogconfig with the following fields:
- BlogType
- KeyWords
- Charging
- IsConfirm
The field KeyWords contains strings that the malware watches for each time a text message is received. If the string matches, it is either deleted or uploaded to the server android.fzbk.info depending on the value of the IsConfirm field.
It sends the stolen SMS data via HTTP POST to the following URL:
- http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/FreeAction.aspx
It sends text messages from a number and message body obtained from the following URL:
- http://{BLOCKED}id.{BLOCKED}bk.info/AndroidInterface/FreeDown.aspx
It connects to http://{BLOCKEd}id.{BLOCKEd}bk.info/AndroidInterface/FavDown.aspx . The data returned by the server is composed of URLs and their titles that will be added to the bookmarks of the browser of the affected device.
Connect with us on
| | | |