Analysis by: Erika Bianca Mendoza
 THREAT SUBTYPE:

Information Stealer

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This Android spyware records phone calls and answer calls automatically.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This Android spyware automatically executes upon boot-up and runs certain services that monitor SMS, calls, and location.

When executed, it does several routines such as gathering the GPS location, recording calls made in the infected phone, and stealing messages in the inbox and outbox.

It sends the information it gathers to a remote site using port 2018.

This spyware may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

It bears the file icons of certain applications to avoid easy detection and consequent removal.

  TECHNICAL DETAILS

File Size: Varies
File Type: DEX
Memory Resident: Yes
Initial Samples Received Date: 14 Aug 2011
Payload: Record and collect calls, Answers calls, Steals information

Arrival Details

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

Installation

This spyware bears the file icons of the following applications:

  • Google+

NOTES:

This spyware automatically executes upon boot up and runs the following services:

  • AlarmService
  • CallLogService
  • CallRecordService
  • CallsListenerService
  • CommandExecutorService
  • ContactService
  • EnvRecordService
  • GpsService
  • KeyguardLockService
  • LocationService
  • MainService
  • ManualLocalService
  • RegisterService
  • ScreenService
  • SmsControllerService
  • SmsService
  • SocketService
  • SyncContactService
  • UploadService

It performs the following routines:

  • Answer incoming calls automatically
  • Gathers the GPS location
  • Kill processes
  • Kill self
  • List processes
  • Obtain call logs
  • Record audio
  • Records calls made in the affected phone
  • Redirect SMS
  • Set listen time
  • Set upload time
  • Steals messages in the inbox and outbox of the affected phone
  • Upload information (GPS information, calls, SMS, log file, contacts)

Recorded calls (.AMR format) and call logs are stored in the following location:

  • /sdcard/mtm/data/

It sends the information it gathers to the following remote site using port 2018:

  • {BLOCKED}.61ing.com

  SOLUTION

Minimum Scan Engine: 8.900
TMMS Pattern File: 1.125.00
TMMS Pattern Date: 14 Aug 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.