Analysis by: Veo Zhang
 THREAT SUBTYPE:

Information Stealer, Premium Service Abuser, Click Fraud, Malicious Downloader, Spying Tool

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  TECHNICAL DETAILS

File Size: 2210912 bytes
File Type: APK
Memory Resident: Yes
Initial Samples Received Date: 15 May 2013
Payload: Compromises system security

Arrival Details

This backdoor may be downloaded from the following remote sites:

  • http://{BLOCKED}ram.com

NOTES:

It is distributed via Instagram spam, which lures users into getting ‘Free Followers’ by using this malware.

It uses the following names to trick users into thinking this legitimate:

  • Signal Booster
  • Battery Booster

On the background, it connects to the following URL to receive commands in sending premium SMS and leaking user device information:

  • http://{BLOCKED}8.mobi/pat.php

It also uses C2DM protocol to connect to another server where it waits for its remote commands. The following are the said remote commands:

  • Creates an icon on home screen
  • Pushes artibitary notification, which can potentially bring more threats on the affected device
  • Opens a certain URL
  • Sends SMS to received number

  SOLUTION

Minimum Scan Engine: 9.300
TMMS Pattern File: 1.473.00
TMMS Pattern Date: 17 May 2013

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Scan your computer with your Trend Micro product to delete files detected as ANDROIDOS_GCMBOT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.