arrow_back
search
close

ANDROIDOS_PJAP.A

March 20, 2013
 Analysis by: Karl Dominguez
 THREAT SUBTYPE:

Information Stealer, Premium Service Abuser, Click Fraud, Malicious Downloader

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Android malware arrives bundled with modified applications that can be downloaded from unofficial Android Market websites.

This backdoor is capable of sending SMS, downloading other applications, adding bookmarks, and visiting URLs. It also gathers certain device information and sends it to a remote URL.

It saves a log of its activities in a file. It sends device information to a certain URL:

The malware receives commands from a certain URL. It receives and executes backdoor commands for the malicious user.

This malware automatically adds certain URLs to the phone's book marks. More URLs can be received and added by the malware when commanded.

The malware may also send SMS to premium numbers.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size:

208,318 bytes

File Type:

DEX

Memory Resident:

Yes

Initial Samples Received Date:

01 Apr 2011

Payload:

Steals information, Compromises system security

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

NOTES:
This Android malware arrives bundled with modified applications that can be downloaded from unofficial Android Market websites. This backdoor is capable of sending SMS, downloading other applications, adding bookmarks, and visiting URLs. It also gathers the following device information and sends it to a remote URL:

  • IMEI
  • IMSI
  • Phone Number
  • ICCID
  • SIM serial number
It saves a log of its activities in the following file:
  • /sdcard/androidh.log
It sends the said device information to the following URL.
  • log.{BLOCKED}d188.com:9033/window.log?id={paramaters}
The malware receives commands from the following URL:
  • xml.{BLOCKED}d188.com:8118/push/androidxml/{paramaters}
It receives and executes any of the following backdoor commands for the malicious user:
  • execMark - Add a bookmark
  • execPush - send spam SMS, contents of message are controlled by the remote user.
  • execSoft - install a new application
  • execTanc - unknown command
  • execXbox - visit a URL
This malware automatically adds the following URLs to the phone's bookmarks. More URLs can be received and added by the malware when commanded.
  • http://{BLOCKED}d.paojiao.cn
  • http://{BLOCKED}2.{BLOCKED}o.cn
  • http://{BLOCKED}g3.cn
The malware may also send SMS to the following premium numbers:
  • 10086
  • 10010

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.101.00

TMMS Pattern Date:

24 May 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.