ANDROIDOS_LENA.B

NOTES:

This backdoor arrives through Trojanized Android apps which require root privilege. Below is a screenshot of an infected app:

It requests permissions outside the intended functionality of the Trojanized app such as the following:

This backdoor installs itself in the /system/lib directory and performs system modifications so that it runs before the Android operating system starts.

It gathers the following information from the affected device:

• Android version string
• Brand name of the phone
• Device ID (IMEI for GSM)
• Model name of the phone
• SDK version of the framework

It is capable of executing the following commands:

• Display Ads
• Download, install, and execute an .APK file
• Update itself

It is capable of displaying advertisements on the affected device by downloading a configuration file from the site http://ad.{BLOCKED}droid.com:7500/ad/nadp.php?.It then parses the downloaded configuration which contains details such as ad link, font details, ad text, alignment, ad icon, and others.

This backdoor connects to the following sites to send and receive information:

• http://amob.{BLOCKED}6.com
• http://r2.{BLOCKED}o.com/adweb
• http://ad.{BLOCKED}droid.com:7500
• http://cast.ra.{BLOCKED}a.com

It may use proxy connections by connecting to the site http://proxy.{BLOCKED}w.cn/api/proxy.