Virus analysts of "Doctor Web" explored new Trojan for OS Android, detected by security experts recently. This malware, named Android.Backdoor.260.origin, spreading among Chinese users and is designed for cyber-espionage. In particular, the Trojan is capable of intercepting SMS messages, to record telephone conversations, get the coordinates of an infected device, make screen shots, and even track the input data of smartphone owners.
Android.Backdoor.260.origin installed on mobile devices as an application with the name Android Update , so it is highly likely that the attackers are spreading Trojan under the appearance of an important update to swindle potential victims and get them to install it.
Android.Backdoor.260.origin has a very complex modular architecture: a large part of its malicious functionality is concentrated in specially created by virus writers modules, which are placed inside the software package of malicious applications. When you first start the
After the successful installation of all required modules Android.Backdoor.260.origin removes the label created by him earlier application and runs malicious system service Power Detect Service, activates a Trojan module lib native Load.so, added to the Dr.Web virus database as the Android.BackDoor.42, and Utility Substrate (Tool.Substrate.1.origin classification of "Doctor Web"). Importantly, by itself, this tool is not malicious, and is available for download in the catalog Google Play. However, in this case, it has been somewhat modified by virus writers and integrated intoAndroid.Backdoor.260.origin, causing the steel is potentially dangerous for users.
Involved a malicious Trojan component libnativeLoad.so starts to execute the file detect (Android.BackDoor.45), which initializes the job binaries 1.dat (Android.BackDoor.44). In turn, it activates the trojan library lib sleep4.so (Android.BackDoor.46), which continuously creates screen shots of the infected device and intercepts data entered on the keyboard, as well as libraries libstay2.so (Android.BackDoor.43), stealing information from the phone book and track SMS messages and conversation in the messenger QQ.
 |
| android trojan |
Android.Backdoor.260.origin installed on mobile devices as an application with the name Android Update , so it is highly likely that the attackers are spreading Trojan under the appearance of an important update to swindle potential victims and get them to install it.
Android.Backdoor.260.origin has a very complex modular architecture: a large part of its malicious functionality is concentrated in specially created by virus writers modules, which are placed inside the software package of malicious applications. When you first start the
Trojan extracts the following subcomponents:
- super;
- detect;
- liblocSDK4b.so;
- libnativeLoad.so;
- libPowerDetect.cy.so;
- 1.dat;
- libstay2.so;
- libsleep4.so;
- substrate_signed.apk;
- cInstall.
After the successful installation of all required modules Android.Backdoor.260.origin removes the label created by him earlier application and runs malicious system service Power Detect Service, activates a Trojan module lib native Load.so, added to the Dr.Web virus database as the Android.BackDoor.42, and Utility Substrate (Tool.Substrate.1.origin classification of "Doctor Web"). Importantly, by itself, this tool is not malicious, and is available for download in the catalog Google Play. However, in this case, it has been somewhat modified by virus writers and integrated intoAndroid.Backdoor.260.origin, causing the steel is potentially dangerous for users.
Involved a malicious Trojan component libnativeLoad.so starts to execute the file detect (Android.BackDoor.45), which initializes the job binaries 1.dat (Android.BackDoor.44). In turn, it activates the trojan library lib sleep4.so (Android.BackDoor.46), which continuously creates screen shots of the infected device and intercepts data entered on the keyboard, as well as libraries libstay2.so (Android.BackDoor.43), stealing information from the phone book and track SMS messages and conversation in the messenger QQ.
In addition, the Trojan component 1.dat able to receive from the management server a number of teams, among which are the following:
- "DOW" - download the file from the server;
- "UPL" - download the file to the server;
- "PLI", "PDL", "SDA" - update the malware, and Trojan settings;
- "DIR" - get a list of files in a directory;
- "DTK" - write the contents of a specified directory in a file;
- "OSC", "STK" - to search for a specific file or directory;
- "OSF" - you cancel the file search;
- "DEL" - delete the selected file;
- "SCP" - take a snapshot of the screen;
- "BGS" - turn on the microphone and start audio recording;
- "GPRS" - start tracking the user's location.
UNIX sockets using the following double-byte commands:
- 0x2633 - start audio recording on the built-in microphone;
- 0x2634 - stop audio recording;
- 0x2635 - update the configuration file for the audio recording;
- 0x2629 - copy the contact numbers;
- 0x2630 - copy the contact numbers;
- 0x2631 - copy SMS messages;
- 0x2632 - copy the call log;
- 0x2628 - transmit information about the location of the mobile device;
- 0x2532 - get the name of the process in which the user is working at the moment;
- 0x2678 - used to transfer the data entered by the user.
Post A Comment:
0 comments: