- Threat Encyclopedia
- Malware
- ANDROIDOS_GONFU.A
Rooting Tool
Android OS
This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using a certain decryption key.
It uses its root privilege to install a malicious package named, LEGACY found in its assets folder. This is installed on the system folder. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.
It has a service called, SearchService, which is responsible for all its backdoor routines.
It gathers mobile-specific data.
It then posts the gathered information to a certain URL.
Varies
Yes
09 Jun 2011
Steals information, Compromises system security
Arrival Details
This malware arrives via the following means:
NOTES:
This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using the decryption key, "Fuck_sExy-aLl!Pw."
It uses its root privilege to install a malicious package named, LEGACY found in its assets folder. This is installed on the system folder as /system/app/com.google.ssearch.apk. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.
It has a service called, SearchService, which is responsible for all its backdoor routines.
It gathers the following data:
It then posts the gathered information to the following URL:
It also sends a malware specific string, sp051, which is probably its version number.
It also sets the value of root to 1 if the device has successfully been rooted or 0 if it is not. This status is also sent to the server.
The following are the list of its backdoor routines:
The said commands are obtained from the following URL:
It reports the result (if it fails to complete the command or not) on the following URL:
8.900
1.105.00
13 Jun 2011
NOTES:
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.
Download and install the Trend Micro Mobile Security App via the Android Market.
Remove unwanted apps on your Android mobile device
To remove unwanted apps on your mobile device: