ANDROIDOS_LIANGOU.HRX

This Trojan monitors all incoming and outgoing calls. It displays pop-up advertisements. This is the Trend Micro detection for Android applications bundled with malicious code.

Mobile Malware Routine

This Trojan accesses the following malicious URL(s) to download file(s):

• http://www.{BLOCKED}3.com/star/sifang/
• http://m.{BLOCKED}z.com/h/meihuo/
• http://m.{BLOCKED}3.com/gaoqingmeinv/
• http://www.{BLOCKED}1.com/xinggan/
• http://www.{BLOCKED}2.cc/xingganmeinv/
• http://www.{BLOCKED}z.com/a/xingganmeinv/
• http://m.{BLOCKED}u.com/

It monitors all incoming and outgoing calls.

It displays pop-up advertisements.

Upon installation, it asks for the following permissions:

• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.SEND_SMS
• android.permission.RECEIVE_SMS
• android.permission.READ_SMS
• android.permission.WRITE_SMS
• android.permission.RECEIVE_MMS
• android.permission.RECEIVE_WAP_PUSH
• android.permission.INTERNET
• android.permission.ACCESS_NETWORK_STATE
• android.permission.READ_PHONE_STATE
• android.permission.CHANGE_NETWORK_STATE
• android.permission.CHANGE_WIFI_STATE
• android.permission.ACCESS_WIFI_STATE
• android.permission.DEVICE_POWER
• android.permission.WAKE_LOCK
• android.permission.WRITE_APN_SETTINGS
• android.permission.WRITE_SETTINGS
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.MOUNT_UNMOUNT_FILESYSTEMS
• android.permission.INTERNET
• android.permission.READ_PHONE_STATE
• android.permission.ACCESS_NETWORK_STATE
• android.permission.ACCESS_WIFI_STATE
• android.permission.CHANGE_WIFI_STATE
• android.permission.BLUETOOTH
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.GET_TASKS
• android.permission.PACKAGE_USAGE_STATS
• android.permission.CHANGE_NETWORK_STATE
• android.permission.BROADCAST_STICKY
• android.permission.INSTALL_PACKAGES
• android.permission.DELETE_PACKAGES
• android.permission.WRITE_SECURE_SETTINGS
• android.permission.WAKE_LOCK
• android.permission.GET_TASKS
• android.permission.SYSTEM_ALERT_WINDOW
• android.permission.PACKAGE_USAGE_STATS
• com.android.launcher.permission.READ_SETTINGS
• com.android.launcher.permission.WRITE_SETTINGS
• com.android.launcher.permission.INSTALL_SHORTCUT
• com.android.launcher.permission.UNINSTALL_SHORTCUT
• android.permission.READ_EXTERNAL_STORAGE
• android.permission.MOUNT_UNMOUNT_FILESYSTEMS
• android.permission.READ_OWNER_DATA

This is the Trend Micro detection for Android applications bundled with malicious code.

It is capable of doing the following:

• download unwanted apps
• push adult ads
• register as device admin

NOTES:
The app installs itself as a call monitor and manager. However, in the background, it runs as an unwanted app downloader as well as pops porn advertisements. Once users click one of these ads, it pushes users to install unwanted applications. If the device is rooted, the app can install the unwanted apps in the background without user permission. In addition, the app registers as device admin. If the users activated the device admin option, they cannot deactivate or uninstall it. If the users try to uninstall the app, it locks the screen and displays the following message: