Analysis by: Jordan Pan
 THREAT SUBTYPE:

Information Stealer

 PLATFORM:

AndroidOS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan drops and runs other files on the device. This is the Trend Micro detection for Android applications bundled with malicious code.

  TECHNICAL DETAILS

File Size: 151398 bytes
Memory Resident: Yes
Initial Samples Received Date: 17 Apr 2017

Mobile Malware Routine

This Trojan is a file that collects the following information on an affected mobile device:

  • SMS information
  • contact information
  • imsi
  • phone number
  • bank card information

It sends the gathered information via HTTP POST to the following URL(s):

  • http://{BLOCKED}.{BLOCKED}.2.242

It drops and executes the following file(s):

  • indicate fake bank apps

It blocks the received SMS, not allowing the user to read the received message.

It displays the following:

  • fake bank page

It arrives as a file downloaded from remote sites offering free download of the following apps:

  • fake bank apps

Upon installation, it asks for the following permissions:

  • android.permission.ACCESS_WIFI_STATE
  • android.permission.CHANGE_WIFI_STATE
  • android.permission.WAKE_LOCK
  • android.permission.WRITE_EXTERNAL_STORAGE
  • android.permission.READ_PHONE_STATE
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_SMS
  • android.permission.READ_CONTACTS
  • android.permission.WRITE_CONTACTS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.MODIFY_PHONE_STATE
  • android.permission.CALL_PHONE
  • android.permission.WRITE_CONTACTS
  • android.permission.WRITE_CALL_LOG
  • com.android.launcher.permission.INSTALL_SHORTCUT
  • com.android.launcher.permission.UNINSTALL_SHORTCUT
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RESTART_PACKAGES
  • android.permission.GET_TASKS
  • android.permission.KILL_BACKGROUND_PROCESSES
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.READ_LOGS
  • android.permission.VIBRATE
  • android.permission.MODIFY_AUDIO_SETTINGS
  • android.permission.INTERNET
  • android.permission.ACCESS_NETWORK_STATE

This is the Trend Micro detection for Android applications bundled with malicious code.

It is capable of doing the following:

  • Requests device administrator privilege
  • Once executed, it checks the compromised device for Korean banking applications with the indicated package names
  • Delete and replace any of the indicated official bank applications. It finds with malicious versions with identical package names.
  • The malicious applications allow an attacker to steal the sensitive information (banking details, SMS, contacts, phone number) from the compromised device and upload.

  SOLUTION

Minimum Scan Engine: 9.850

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increase device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites:


Did this description help? Tell us how we did.