The particular app that was Trojanized was a racing game called “Fast Racing.” For a game, this Trojanized version requests a lot of permissions, more than is typical for an app of this kind.

When the phone boots, the malware starts its service, named Market. It seems that the malware writer chose this name to trick the user into believing it is just a harmless service.

Like previous Android malware, it monitors the user’s incoming text messages. Once a message is received, it records the message and the original sender and copies this to a text file named zjsms.txt. Similarly, logs of incoming and outgoing calls are also kept; these are saved as zjphonecall.txt.

This malware is also capable of communicating with a remote command-and-control (C&C) server. Currently, this particular server is located at http://{BLOCKED}r.gicp.net. However, unlike previous Android malware (which used hard-coded server URLs), this one can connect to alternative servers if instructed to do so by its current C&C server. In addition, it can also update itself, which may be an attempt to make it harder to detect and remove.
Whatever C&C server it uses, it can phone home and send the phone’s information, such as the device ID, subscriber ID, and SIM serial number, using this link:

- http://{C&C server}/zj/RegistUid.aspx?

It can upload files as well (including any call and SMS logs it maintains):

- http://{C&C server}/zj/upload/UploadFiles.aspx

It can also:

- install/uninstall apps
- make a call
- send a text message
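Because the malware can be redirected to a different C&C server, a detection keyed on the current hostname is brittle; the URI paths and the on-device log file names described above are more stable indicators. The following is an added example (not code from the original post) that matches those indicators against constructed proxy access-log lines in combined format and against a constructed file listing; the log format, host names and paths are assumptions.

```python
"""Detection helpers for the GoldDream indicators described in the write-up (added example)."""
import re
from urllib.parse import urlparse

# Indicators taken from the write-up: C&C URI paths (lower-cased, since ASP.NET on IIS
# resolves paths case-insensitively) and the two log files written on the device.
CNC_PATHS = {
    "/zj/registuid.aspx": "registration beacon",
    "/zj/upload/uploadfiles.aspx": "file upload",
}
ARTIFACT_FILES = {"zjsms.txt", "zjphonecall.txt"}

# Assumption: the proxy writes combined-format lines with the full URL in the request line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def scan_proxy_log(lines):
    """Return (source_ip, host, indicator) for every request hitting a known C&C path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access-log entries
        url = urlparse(m.group("url"))
        indicator = CNC_PATHS.get(url.path.lower())
        if indicator:
            hits.append((m.group("src"), url.hostname or "", indicator))
    return hits


def find_artifacts(paths):
    """Return the paths from a device or app-sandbox listing whose file name matches the malware's logs."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1].lower() in ARTIFACT_FILES)


# Constructed sample data: the host and values below are placeholders, not real indicators.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Jul/2011:10:01:12 +0000] "GET http://example-cnc.invalid/zj/RegistUid.aspx?id=CONSTRUCTED HTTP/1.1" 200 51',
    '10.0.0.7 - - [10/Jul/2011:10:02:40 +0000] "POST http://example-cnc.invalid/zj/upload/UploadFiles.aspx HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Jul/2011:10:03:05 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 4012',
]
SAMPLE_FILES = [
    "/data/data/com.example.app/files/zjsms.txt",
    "/sdcard/DCIM/photo.jpg",
    "/data/data/com.example.app/files/zjphonecall.txt",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("C&C traffic:", hit)
    for path in find_artifacts(SAMPLE_FILES):
        print("artifact on device:", path)
```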
By: Kervin Alintanahin (Threats Analyst)
Original Source: http://blog.trendmicro.com/new-android-malware-on-the-road-golddream-catcher/