This malware masquerades as popular apps such as MMS, WhatsApp, and Pokemon Go. It can hijack a phone and perform many actions, including calling a number or sending an SMS specified by the attacker, uploading files to a C&C server, and stealing information.
Backdoor Routine
This Backdoor posts the following information to its command and control (C&C) server:
- call logs
- SMS records
- contacts
- phone numbers
- SIM serial number
- location
- browser bookmarks
- Android OS version
- username
- Wi-Fi, battery, Bluetooth, and audio states
- UiMode
- sensor data
- data from camera, browser, and searches
- service processes
- activity information
- wallpaper
NOTES:
This malware receives commands from the following C&C servers:
- {BLOCKED}ife.ddns.net
- {BLOCKED}e.ddns.net
- {BLOCKED}-ip.biz
- {BLOCKED}e.no-ip.biz
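The C&C hosts above sit under free dynamic-DNS zones (ddns.net, no-ip.biz), and their full names are redacted here. A defender who only knows the provider can still hunt for devices resolving names under those zones and watch for repeated lookups that suggest beaconing. The following is an added example, not part of this entry; the log format, the DDNS_ZONES list, and the sample log lines (including the hostnames in them) are constructed for illustration.

```python
import re
from collections import Counter

# Dynamic-DNS zones named as C&C hosting for this backdoor. The exact
# hostnames are redacted on the page, so the check keys on the parent zones.
# This zone list is an assumption for the example.
DDNS_ZONES = ("ddns.net", "no-ip.biz")

# Constructed sample DNS query log (not from the page). Assumed format:
# "<timestamp> <client-ip> <query-name> <qtype>"
SAMPLE_DNS_LOG = """\
2016-09-01T10:00:01Z 10.0.0.21 connectivitycheck.gstatic.com A
2016-09-01T10:00:05Z 10.0.0.21 example-victim-host.ddns.net A
2016-09-01T10:00:09Z 10.0.0.33 www.wikipedia.org A
2016-09-01T10:00:12Z 10.0.0.21 example-victim-host.ddns.net A
2016-09-01T10:00:40Z 10.0.0.45 placeholder-c2.no-ip.biz A
2016-09-01T10:00:44Z 10.0.0.45 notddns.net A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_ddns_host(qname):
    """True if the query name is the DDNS zone itself or a subdomain of it.

    The leading dot in the suffix check prevents 'notddns.net' from matching
    'ddns.net'.
    """
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in DDNS_ZONES)


def find_ddns_lookups(log_text):
    """Return (client_ip, query_name) pairs for every lookup under a DDNS zone."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, qname, _qtype = m.groups()
        if is_ddns_host(qname):
            hits.append((client, qname))
    return hits


def summarize(hits):
    """Count lookups per (client, host) so a device polling one host stands out."""
    return Counter(hits)


if __name__ == "__main__":
    for (client, host), count in summarize(find_ddns_lookups(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {host}: {count} lookup(s)")
```

Dynamic-DNS use is common in legitimate traffic too, so treat a hit as a lead for triage (which device, how often, what app is on it) rather than a verdict on its own.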
Its commands allow attackers to manipulate the device's functions without the owner's consent or knowledge.
Below is a list of some of the action codes and what each does to the device:
- ACTION CODE = 10, 11: Control the Wi-Fi state
- ACTION CODE = 34: Monitor the phone sensors' data in real time
- ACTION CODE = 37: Set the phone's UiMode, such as night mode or car mode
- ACTION CODE = 41: Control the vibrate function, including the pattern and when it will vibrate
- ACTION CODE = 46: Download pictures as wallpaper
- ACTION CODE = 48: List the file information in the current directory and upload it to the C&C server
- ACTION CODE = 49: Delete a file in the indicated directory
- ACTION CODE = 50: Rename a file in the indicated directory
- ACTION CODE = 51: Upload a desired file to the C&C server
- ACTION CODE = 52: Create an indicated directory
- ACTION CODE = 60: Use the text-to-speech feature (convert text to voice/audio)
- ACTION CODE = 62: Send SMS/MMS to a number specified by the attacker; the content can also be customized
- ACTION CODE = 68: Delete browser history
- ACTION CODE = 70: Delete SMS
- ACTION CODE = 74: Download file
- ACTION CODE = 75: Call a phone number indicated by the attacker
- ACTION CODE = 77: Open activity view-related apps; the Uniform Resource Identifier (URI) can also be specified by the attacker (open browser, map, dial view, etc.)
- ACTION CODE = 78: Control the system infrared transmitter
- ACTION CODE = 79: Run a shell command specified by the attacker and upload the output