ANDROIDOS_SPITMO.A

This malware is said to be related to the crimeware SpyEye. It drops intercepted SMS to command and control servers that are related to SpyEye.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

Upon execution, it monitors outgoing calls to 325000.

If the user attempts to dial the number, it immediately ends the call then displays a fake activation code.

Aside from this, it also intercepts SMS messages and sends them via SMS or HTTP.

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

It may be downloaded from the following remote sites:

• www.{BLOCKED}dseguridad.com/simseg.apk

NOTES:

Upon execution, it monitors outgoing calls to 325000.

If the user attempts to dial the number, it immediately ends the call then displays a fake activation code.

This activation code is hardcoded in the malware body.

Aside from this, it also intercepts SMS messages and sends them via SMS or HTTP. If it sends by HTTP, it appends the following to the URL where it sends the intercepted SMS messages:

• ?sender={sender}&receiver={receiver}&text={message}

The URLs where it drops intercepted messages are as follows:

• {BLOCKED}2.com/sms/gate.php
• {BLOCKED}fsaf.com/sms/gate.php
• {BLOCKED}af.com/sms/gate.php
• {BLOCKED}fsaffa.com/sms/gate.php

Via SMS, this malware sends to "123", a value configured insettings.XML.

The aforementioned URLs are related to the command and control servers related to the SpyEye malware family.