ANDROIDOS_PJAPPS.C

 Analysis by: Roland Marco Dela Paz

 THREAT SUBTYPE:

Information Stealer, Premium Service Abuser, Click Fraud, Malicious Downloader

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This malware is bundled with legitimate Android apps.

It is a simplified and obfuscated version of ANDROIDOS_PJAPPS.D. It is a Trojanized version of the TouchMix app, a normal gaming app; the malicious code is declared as a service, so it runs in the background.

At the start of service, the malware acquires the phone's IMEI and sends it to a remote server.

This also serves as an infection report to the server. If the server does not respond with the string "no", it sends the IMEI to a phone number that it obtains by sending certain information to a remote site.

This backdoor may be manually installed by a user.

It connects to a website to send and receive information.

  TECHNICAL DETAILS

File Size:

274,076 bytes

File Type:

DEX

Memory Resident:

Yes

Initial Samples Received Date:

07 May 2011

Arrival Details

This backdoor may be manually installed by a user.

Installation

This backdoor drops the following files:

  • /sdcard/androidh.log
  • /sdcard/android.log

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

  • http://{BLOCKED}ego91.com:8118/push/newandroidxml/

NOTES:
This malware is bundled with legitimate Android apps.

It is a simplified and obfuscated version of ANDROIDOS_PJAPPS.D. It is a Trojanized version of the TouchMix app, a normal gaming app; the malicious code is declared as a service, so it runs in the background.

At the start of service, the malware acquires the phone's IMEI and sends it to the following server:

  • http://{BLOCKED}.meego91.com/mm.do?imei={parameter}

This also serves as an infection report to the server. If the server does not respond with the string "no", it sends the IMEI to a phone number that it obtains by sending the following information to the site http://log.{BLOCKED}91.com:9033/android.log?{parameter}:

  • Device ID (IMEI)
  • SIM serial number (ICCID)
  • Subscriber ID (IMSI)

The file it expects to receive is in XML format. Specific commands are declared in a tag, which can be any of the following:

  • note
    • sends an SMS to a phone number it received from the attacker, most probably a premium service number
  • push
    • sends a spam SMS containing a URL to phone numbers it received from the attacker
  • soft
    • downloads and installs APK packages
  • window
    • shows a dialog box with buttons to visit a certain URL
  • mark
    • adds a URL to the bookmarks with the specified title
  • xbox
    • this command is also present in the malware code, but it is not implemented
  • MMS monitor

It is also capable of blocking all incoming MMS if the data in /sdcard/android.log is equal to "12345". It also has code that blocks received SMS if the sender's phone number matches the data in /sdcard/android.log. However, that code is not executed in this particular variant.

It also writes logs on the file /sdcard/androidh.log.
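The indicators listed above (the three server URLs, the two files dropped on the SD card and the "12345" MMS-blocking marker) can be turned into a small triage check. The script below is an added example written for this page, not Trend Micro's code or a detection signature of theirs. Because the write-up redacts part of each hostname with {BLOCKED}, the URL patterns match only the unredacted fragments (port, path and query) and treat the hidden part as a wildcard; the HTTP log lines and SD-card contents it scans are constructed sample data, with "xx" standing in for the redacted hostname parts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# URL fragments from the write-up. The redacted "{BLOCKED}" part of each
# hostname is matched as a wildcard ([^/\s]*), so only the visible port, path
# and query are relied on.
C2_PATTERNS = {
    "command_fetch": re.compile(r"https?://[^/\s]*ego91\.com:8118/push/newandroidxml/"),
    "imei_checkin": re.compile(r"https?://[^/\s]*meego91\.com/mm\.do\?imei=\d+"),
    "id_exfil": re.compile(r"https?://log\.[^/\s]*91\.com:9033/android\.log\?"),
}

# Files the write-up lists as dropped by the backdoor.
DROPPED_FILES = ("/sdcard/androidh.log", "/sdcard/android.log")

# Per the write-up, incoming MMS are blocked when /sdcard/android.log holds "12345".
MMS_BLOCK_MARKER = "12345"


@dataclass
class Finding:
    kind: str    # which indicator fired
    detail: str  # where it fired (log line or path)


def scan_http_log(lines: List[str]) -> List[Finding]:
    """Match each proxy/HTTP log line against the known C2 URL patterns."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, pattern in C2_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(name, f"line {n}: {match.group(0)}"))
    return findings


def scan_sdcard(files: Dict[str, str]) -> List[Finding]:
    """Check an SD-card listing (path -> contents) for the dropped files
    and for the MMS-blocking marker value."""
    findings = []
    for path in DROPPED_FILES:
        if path in files:
            findings.append(Finding("dropped_file", path))
    content = files.get("/sdcard/android.log")
    if content is not None and content.strip() == MMS_BLOCK_MARKER:
        findings.append(Finding("mms_block_marker", "/sdcard/android.log contains 12345"))
    return findings


def assess(lines: List[str], files: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """Combine both scans; any finding is enough to flag the device for review."""
    findings = scan_http_log(lines) + scan_sdcard(files)
    return bool(findings), findings


# Constructed sample data (not a real capture). "xx" replaces the redacted
# hostname parts; the identifiers are made-up placeholder digits.
SAMPLE_LOG = [
    "2011-07-13T10:00:01 GET http://updates.example.com/app.apk 200",
    "2011-07-13T10:00:05 GET http://xx.meego91.com/mm.do?imei=123456789012345 200",
    "2011-07-13T10:00:06 GET http://log.xx91.com:9033/android.log?imei=123456789012345"
    "&iccid=89010000000000000000&imsi=310000000000000 200",
    "2011-07-13T10:00:09 GET http://xx.meego91.com:8118/push/newandroidxml/ 200",
]

SAMPLE_FILES = {
    "/sdcard/androidh.log": "service started\n",
    "/sdcard/android.log": "12345\n",
}

if __name__ == "__main__":
    flagged, found = assess(SAMPLE_LOG, SAMPLE_FILES)
    print("flagged:", flagged)
    for f in found:
        print(f"  [{f.kind}] {f.detail}")
```

The check-in and exfiltration URLs are the most useful indicators here because the IMEI, ICCID and IMSI travel in the query string in clear text, so a proxy or carrier-side log records them verbatim; the dropped-file check is a device-side complement for cases where no network log exists.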

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.105.00

TMMS Pattern Date:

13 Jul 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device
