arrow_back
search
close

ANDROIDOS_PJAPPS.D

October 09, 2012
 Analysis by: Roland Marco Dela Paz
 THREAT SUBTYPE:

Information Stealer, Premium Service Abuser, Click Fraud, Malicious Downloader

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This malware arrives via a Trojanized Android game.

It is installed together with a normal app called Steamy Window by Swiss code monkeys.

It adds its malicious code as a service so that the user cannot monitor its routine.

The malicious service will start once there are changes on the signal of the phone.

It asks for more permission than the original Steamy Window. The malicious service starts once there are changes in the phone's signal.

It connects to certain sites and sends information.

A remote user can send certain commands to the infected phone.

This backdoor may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

215,408 bytes

File Type:

DEX

Memory Resident:

Yes

Initial Samples Received Date:

07 May 2011

Arrival Details

This backdoor may be manually installed by a user.

Installation

This backdoor drops the following files:

  • /data/app/com.appspot.swisscodemonkeys.steam-1.apk
  • /sdcard/androidh.log
  • /sdcard/android.log

NOTES:
This malware arrives via a Trojanized Android game.

It is installed together with a normal app called Steamy Window by Swiss code monkeys.

It adds its malicious code as a service so that the user cannot monitor its routine.

The malicious service will start once there are changes on the signal of the phone.

It asks for more permission than the original Steamy Window. The malicious service starts once there are changes in the phone's signal.

It connects to a site and sends the following information:

  • IMEI
  • Phone number
  • Subscriber ID

Sites for logging its routines, send information and get new commands:

  • {BLOCKED}g.{BLOCKED}91.com:9033/{Parameters}
  • {BLOCKED}le.{BLOCKED}91.com/{Parameters}
  • {BLOCKED}l.{BLOCKED}91.com:8118/{Parameters}

A remote user can send a command to the infected phone, such as:

  • Installs applications
  • Navigates websites via any of the following browsers:
    • com.uc.browser
    • com.tencent.mtt
    • com.opera.mini.android
    • mobi.mgeek.TunnyBrowser
    • com.skyfire.browser
    • com.kolbysoft.steel
    • com.android.browser
  • Adds browser bookmarks and sets the following as defaults aside from adding other bookmarks:
    • {BLOCKED}d.{BLOCKED}jiao.cn
    • {BLOCKED}2.{BLOCKED}o.cn
    • {BLOCKED}g3.cn
  • send text messages
  • block text message responses

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.103.00

TMMS Pattern Date:

05 Jun 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.