ANDROIDOS_MASKSYS.HRX
Information Stealer, Malicious Downloader, Rooting Tool
AndroidOS

Threat Type: Trojan
Destructiveness: Yes
Encrypted:
In the wild: Yes
OVERVIEW
Also known as Ghost Push, this malware is downloaded by unsuspecting users from third-party app stores.
After it roots the device, it steals personal information and installs unwanted apps and ads that automatically run on startup. It also installs itself in the device's ROM and encrypts critical strings to avoid detection and deletion.
This Trojan gathers device information. It downloads malicious files. It drops and runs other files on the device. This is the Trend Micro detection for Android applications that can be used to root Android devices.
TECHNICAL DETAILS
Mobile Malware Routine
This Trojan gathers the following device information:
- country
- androidversion
- MAC
- imsi
- imei
- packagename
- language
It downloads the following malicious files:
- downloads unwanted apps and ads
It accesses the following malicious URL(s) to download file(s):
- http://active.{BLOCKED}S7.COM/gmview
- http://api.{BLOCKED}cb.com
- http://api.{BLOCKED}poi.com
- http://api.{BLOCKED}1n.com
- http://api.{BLOCKED}s7.com
It drops and executes the following file(s):
- install-recovery.sh
This is the Trend Micro detection for Android applications that can be used to root Android devices. Rooting enables the user to have elevated rights and permissions to access the Android subsystem.
Upon installation, it asks for the following permissions:
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.CHANGE_WIFI_STATE
- android.permission.INTERNET
- android.permission.RECEIVE_USER_PRESENT
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.READ_PHONE_STATE
- android.permission.KILL_BACKGROUND_PROCESSES
- com.android.launcher.permission.INSTALL_SHORTCUT
- android.permission.ACCESS_SUPERUSER
- android.permission.INTERNET
- android.permission.READ_PHONE_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.ACCESS_NETWORK_STATE
- android.permission.CAMERA
- android.permission.ACCESS_MTK_MMHW
- android.permission.READ_SETTINGS
- android.permission.WRITE_SETTINGS
- android.permission.GET_ACCOUNTS
It is capable of doing the following:
- automatically running the app on startup
NOTES:
The shell APK file decodes a DEX file stored in its assets folder; this file is sometimes named protect.apk. Once decoded, the app runs the malicious DEX file without showing any icon or notification.
Unlike older variants, this version uses the Process watcher command as guard code to monitor the processes running on the device and ensure that its malicious routines keep running. The guard code also lets the malware calculate how much storage space remains for installing further malicious apps.
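The shell-APK behaviour described above (a DEX payload hidden under assets/, sometimes as protect.apk) can be checked for statically. The scanner below is an added example, not Trend Micro's or the malware's code; it inspects every entry under assets/ in an APK and flags anything that starts with a DEX or ZIP header, or that looks like an encoded blob by byte entropy. The sample APK it builds is constructed in memory for the demonstration and is not a real sample.

```python
import io
import math
import zipfile

DEX_MAGIC = b"dex\n"          # header of an uncompressed Dalvik executable
ZIP_MAGIC = b"PK\x03\x04"     # a nested APK/JAR stored as an "asset"
ENTROPY_THRESHOLD = 7.2       # bits per byte; encoded/encrypted blobs sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_assets(apk_bytes: bytes) -> list:
    """Return (entry_name, reason) pairs for suspicious files under assets/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            if data.startswith(DEX_MAGIC):
                findings.append((info.filename, "dex-in-assets"))
            elif data.startswith(ZIP_MAGIC):
                findings.append((info.filename, "nested-apk-in-assets"))
            elif len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD:
                findings.append((info.filename, "high-entropy-blob"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a shell APK (hypothetical contents, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)      # legitimate location, ignored
        z.writestr("assets/strings.txt", b"hello world\n" * 8)       # plain text, low entropy
        z.writestr("assets/protect.apk", b"dex\n035\0" + b"\0" * 64)  # DEX hidden as an asset
        z.writestr("assets/payload.bin", bytes(range(256)) * 4)      # encoded-looking blob
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_assets(build_sample_apk()):
        print(f"{reason}: {name}")
```

A real triage run would point scan_assets at the bytes of an APK pulled from the device; entries flagged dex-in-assets are the ones worth decompiling next.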
SOLUTION
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android and iOS smartphones and tablets from malicious and Trojanized applications. It blocks access to malicious websites, increases device performance, and protects your mobile data. You may download the Trend Micro Mobile Security apps from the following sites: