Infection Channel: Via app stores
This malware is a cross-platform threat, affecting both Android and Windows.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
File size: 330,984 bytes
File type: APK
Memory resident: Yes
Initial samples received date: 16 Jan 2013
Payload: Steals information, Downloads files
NOTES:
This malware presents itself as a system cleaner that helps you clean and speed up your system. After installation, it shows the icon launcher below:

Once the malicious app is launched, the user will see the home screen:

The app presents several different “clean options” for the user to choose from, but they do nothing except show a progress bar.

At the same time, the malware starts a service in the background, and this service carries out the actual malicious routines.

This malware registers a location listener to collect and upload user location information through HTTP to the following server:
This malware also receives commands from the following C&C server:
- {BLOCKED}.{BLOCKED}ass.net
The malware communicates with the C&C server using a self-defined protocol.

This malware executes several routines such as:
- Send SMS messages
- Delete SMS messages
- Steal contact list
- Track GPS location
- Make phone calls
- Execute shell command

What makes this malware unique is the command usb_autorun_attack. After this command is received, the malware downloads three files from the server {BLOCKED}.{BLOCKED}o.org and stores them on the SD card.

One of the three downloaded files is a classic auto-run malware on Windows. If the user selects the USB mode on their mobile device and connects it to a Windows PC, this malware (svchosts.exe) will run automatically. On Windows, this auto-run malware is designed to record your voice with the microphone.
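As a defensive check for the SD-card auto-run routine described above, the following added example (not part of the original entry and not the vendor's code) audits the text of an autorun.inf file for entries that launch executable content. It assumes the drop relies on the classic autorun.inf mechanism, which the entry does not state; the function names and the sample file are constructed for illustration.

```python
import ntpath

EXEC_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js")
LOOKALIKES = {"svchosts.exe"}  # name reported on this page; imitates svchost.exe

# Assumption: classic autorun.inf mechanism. SAMPLE is constructed, not recovered.
SAMPLE = """\
; padding line
junk without an equals sign
[AutoRun]
open=svchosts.exe
icon=folder.ico
shell\\open\\command="tools\\svchosts.exe" /s
"""

def launch_entries(text):
    """Yield (key, command) for [autorun] keys that can start a program."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                yield key, value.strip()

def program_of(command):
    """Return the program part of a command line, honouring double quotes."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def audit_autorun(text):
    """Return findings for launch entries that point at executable content."""
    findings = []
    for key, command in launch_entries(text):
        name = ntpath.basename(program_of(command)).lower()
        reasons = []
        if name.endswith(EXEC_EXTS):
            reasons.append("launches executable from removable volume")
        if name in LOOKALIKES:
            reasons.append("system-binary lookalike name")
        if reasons:
            findings.append({"key": key, "program": name, "reasons": reasons})
    return findings
```

Run audit_autorun() on the contents of any autorun.inf found in the root of a phone's SD card or other removable volume before it is mounted on a Windows host.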