Analysis by: Yinfeng Qiu

 THREAT SUBTYPE:

Premium Service Abuser

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This Android malware is able to evade Google’s Bouncer.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan sends text messages to premium service providers without users' permission. As a result, users are billed without their knowledge.

It was found in Google Play, Google's official Android app store. As of this writing, Google has removed the app from the store.

This Trojan may be downloaded by other malware/grayware from remote sites.

  TECHNICAL DETAILS

File Size: 15794 bytes
File Type: APK
Memory Resident: Yes
Payload: Sends messages

Arrival Details

This Trojan may be downloaded by the following malware/grayware from remote sites:

  • http://dl.dropbox.com/u/{BLOCKED}8/Activator.apk

Propagation

This Trojan sends out the following messages:

  • DEF1773 to 1518
  • 4037+random number to 3170
  • DEF1773 to 770656

NOTES:


When launched on an affected mobile device, this Trojan checks the mobile operator name of the SIM card. Based on the operator name, it sends specific message bodies to different phone numbers.

If the operator name begins with BEE (not case sensitive), it sends the message DEF1773 to the number 518. It also sends 4037{random number} to 3170.

If the operator name begins with MTS (not case sensitive), it sends the message DEF1773 to the number 770656. It also sends 4037{random number} to 3170.

If the operator name is empty, it shows a dialog box in Russian stating that the wallpaper cannot be loaded and to try again later.
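The message and number pairs described above can be turned into a check over outgoing-SMS records. The following Python example is an added illustration, not part of the original analysis or of any Trend Micro tooling. It assumes a hypothetical CSV export of `device,timestamp,destination,body`, and assumes the "random number" is a run of decimal digits.

```python
import csv
import re

# Indicators from the write-up above. The page gives the BEE short code as
# 1518 in the message list and 518 in the notes, so both are matched.
DEF_DESTS = {"1518", "518", "770656"}
RAND_DEST = "3170"
# Assumption: the "random number" is one or more decimal digits after 4037.
RAND_BODY = re.compile(r"4037\d+")
BOTH_RULES = {"premium-DEF1773", "premium-4037-random"}

def classify(dest, body):
    """Return a rule name if one outgoing SMS matches the described traffic."""
    dest, body = dest.strip(), body.strip()
    if dest in DEF_DESTS and body == "DEF1773":
        return "premium-DEF1773"
    if dest == RAND_DEST and RAND_BODY.fullmatch(body):
        return "premium-4037-random"
    return None

def scan(log_lines):
    """Scan CSV rows of device,timestamp,dest,body; return hits per device."""
    hits = {}
    for row in csv.reader(log_lines):
        if len(row) != 4:
            continue  # skip malformed rows instead of aborting the scan
        device, ts, dest, body = row
        rule = classify(dest, body)
        if rule:
            hits.setdefault(device, []).append((ts, dest, rule))
    return hits

def sent_both(hits):
    """Devices that sent both message types, as the notes describe."""
    return sorted(d for d, h in hits.items() if {r for _, _, r in h} == BOTH_RULES)

# Constructed sample log in a hypothetical export format (not real telemetry).
SAMPLE = [
    "dev-a,2012-07-20T10:00:01,770656,DEF1773",
    "dev-a,2012-07-20T10:00:02,3170,403758213",
    "dev-b,2012-07-20T11:15:00,3170,Hello",
    "dev-c,2012-07-20T12:30:00,1518,DEF1773",
    "dev-d,2012-07-20T12:31:00,5550100,DEF1773",
    "truncated,row",
]

if __name__ == "__main__":
    print("sent both message types:", sent_both(scan(SAMPLE)))
```

A device that sent both message types matches the full routine described for BEE and MTS operators, so it is a stronger signal than a single matching message.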

  SOLUTION

Minimum Scan Engine: 9.200
TMMS Pattern File: 1.279.00
TMMS Pattern Date: 20 Jul 2012

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

