Analysis by: Weichao Sun


Information Stealer


Android OS


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes


Infection Channel: Via app stores

This malware is a cross-platform threat, affecting both Android and Windows.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.


File Size: 330,984 bytes
File Type: APK
Memory Resident: Yes
Initial Samples Received Date: 16 Jan 2013
Payload: Steals information, Downloads files


This malware presents itself as a system cleaner that helps you clean and speed up your system. After installation, it shows the icon launcher below:

Once the malicious app is launched, the user will see the home screen:

The app presents several different “clean options” for the user to choose, but they actually do nothing except show a process bar.

At the same time, this malware starts up a service, which is really malicious, in background.

This malware registers a location listener to collect and upload user location information through HTTP to the following server:


This malware also receives commands from the following C&C server:


The protocol used by malware to communicate with C&C server is a self-defined protocol.

This malware executes several routines such as:

  • Send SMS messages
  • Delete SMS messages
  • Steal contact list
  • Track GPS location
  • Make phone calls
  • Execute shell command

What makes this malware unique is the command usb_autorun_attack. After this command is received, the malware will download three files from the server {BLOCKED}.{BLOCKED} and store them in the SD card.

One of the three downloaded files is a classic auto-run malware on Windows. If the user selects the USB mode on their mobile device and connects it to a Windows PC, this malware (svchosts.exe) will run automatically. On Windows, this auto-run malware is designed to record your voice with the microphone .


Minimum Scan Engine: 9.300
VSAPI OPR PATTERN File: 1.405.00
VSAPI OPR PATTERN Date: 08 Feb 2013
TMMS Pattern File: 1.405.00
TMMS Pattern Date: 08 Feb 2013

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.