ANDROIDOS_SMSSPY.DT

October 09, 2012
 Analysis by: Bob Pan
 THREAT SUBTYPE:

Information Stealer, Spying Tool

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Via app stores

This spyware may be downloaded from app stores/third party app stores.

  TECHNICAL DETAILS

File Size:

145180 bytes

File Type:

APK

Memory Resident:

Yes

Initial Samples Received Date:

18 May 2012

Payload:

Steals information

Arrival Details

This spyware may be downloaded from app stores/third party app stores.

NOTES:

It declares to use the following permissions:

name
description
android.permission.READ_SMS read SMS or MMS
android.permission.WRITE_EXTERNAL_STORAGE modify/delete SD card contnts
android.permission.ACCESS_NETWORK_STATE view network state
android.permission.INTERNET full Internet access
android.permission.RECEIVE_BOOT_COMPLETED automatically start at boot
android.permission.CHANGE_COMPONENT_ENABLED_STATE enabled or disable an app component
android.permission.PROCESS_OUTGOING_CALLS intercept outgoing calls

When the malware is executed, it configures the FTP server and the phone number. The phone number is a key in reopening the setting panel. By setting the phone number, the cybercriminals can dial the phone number on the device and show the panel.

After clicking the “Start Logging” button, it hides its icon and asks the users to reboot.

It logs SMS to /sdcard/.androidsecuritytest/Log.sda, and sends the file to a specific FTP server.

Once the cybercriminals access the setting panel, they can perform the following capabilities:

  • Install spyware on the device
  • Click the app icon to execute the app
  • Set the FTP server and phone number
  • Sends SMS (inbox and outbox) to the FTP server

  SOLUTION

Minimum Scan Engine:

9.200

TMMS Pattern File:

1.243.00

Step 1

Remove unwanted apps on your Android mobile device

[ Learn More ]

Step 2

Scan your computer with your Trend Micro product to delete files detected as ANDROIDOS_SMSSPY.DT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.