ANDROIDOS_FAKETIMER.A

This malware is used to leverage one-click billing fraud attacks targeted at Android users. Said attacks could result in loss of funds on the users' part.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be downloaded from the following remote sites:

• http://{BLOCKED}unga3.blog26.fc2.com

NOTES:

It arrives in the system when users click a malicious link from search results of "Game Dunga".

Upon execution, it accesses the following malicious URL:

• http://{BLOCKED}com.com/rgst5.php

The user is then asked to pay to view adult content.

After clicking OK, it displays the terms and information such as the user's mobile number, user ID, amount to be paid and its due date. The password is given after the user has paid in the following screen shot.

It accesses the following site:

• http://{BLOCKED}com.com/send.php?a_id={device id}&telno={line 1 number}&m_addr={account name}&usr_id={value from http post}

where:

• {device id} = a unique device ID such as IMEI, MEID or ESN
• {line 1 number} = mobile number
• {account name} = name of accounts registered in the mobile device in order to login to online accounts
• {value from http post} = the reply obtained from http://{BLOCKED}com.com/entry.php?id=4 HTTP POST