The Latest in IT Security

Conversation-spying Android Trojan

03 Aug 2011

Android malware appears to be improving day by day. We have received an interesting sample that can log calls, record the whole conversation, and even send the recordings to the bad guy.

Most previous Android malware either sent text messages or made calls to premium service numbers in order to make easy money.

This particular Trojan records conversations in AMR format, as allowed by the permissions the user has approved.

When the program is installed, it requests permissions to allow it to perform the following actions:

Access Cell-ID and WiFi location
Access Cell-ID and WiFi updates
Access GPS location
Access information about WiFi networks
Allow low-level access to power management
Allow read only access to phone state
Allow the use of PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming
Initiate a phone call without going through the Dialer user interface (so that the user is unaware of any outgoing calls made by the Trojan)
Monitor, modify, or abort outgoing calls
Open network sockets
Read SMS messages
Read the user’s contacts data
Record audio
Send SMS messages
Write (but not read) the user’s contacts data
Write SMS messages
Write to external storage

When the Trojan is executed, it registers itself to start whenever the device starts by listening for the following command:
android.permission.ACTION_BOOT_COMPLETED

It may then start any of the following services:

GpsService
MainService
RecordService
SocketService
XM_SmsListener
XM_CallListener
XM_CallRecordService

The program sends an SMS containing the IMEI of the device to the following phone number:
15859268161

It then records the following information:

All phone call content
GPS information
Received SMS messages
Sent SMS messages

The above information is written to the SD card in the following location:
/sdcard/shangzhou/callrecord/

The gathered information is then sent to the following location on port 2018:
jin.56mo.com

The best defense against this sort of malware is to pay attention to the permissions that the app is asking for. Ask yourself – does this app really need all these capabilities? If in doubt, say no!
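The permission check above can be automated when triaging an APK whose manifest has been decoded to text. The following is an added example, not Quick Heal's code: the mapping from the permission descriptions listed above to `android.permission.*` constants, the finding labels, and the helper `make_manifest` with its sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
P = "android.permission."

# Assumption: these constants correspond to the permission descriptions listed above.
RECORD = {P + "RECORD_AUDIO", P + "READ_PHONE_STATE"}       # capture audio, see call state
INTERCEPT = {P + "PROCESS_OUTGOING_CALLS", P + "READ_SMS"}  # watch calls and messages
EXFIL = {P + "INTERNET", P + "SEND_SMS"}                    # channels to ship data out
# Service and listener names reported on this page.
PAGE_COMPONENTS = {"GpsService", "MainService", "RecordService", "SocketService",
                   "XM_SmsListener", "XM_CallListener", "XM_CallRecordService"}

def audit_manifest(xml_text):
    """Return sorted finding labels for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # Compare short class names so the package prefix does not matter.
    comps = {(e.get(A + "name") or "").rsplit(".", 1)[-1]
             for tag in ("service", "receiver") for e in root.iter(tag)}
    findings = []
    if RECORD <= perms and perms & EXFIL:
        findings.append("records-call-audio-and-can-exfiltrate")
    if perms & INTERCEPT and perms & EXFIL:
        findings.append("intercepts-calls-or-sms-and-can-exfiltrate")
    if P + "CALL_PHONE" in perms:
        findings.append("can-dial-without-dialer-ui")
    # Names like MainService are common, so require several matches.
    if len(comps & PAGE_COMPONENTS) >= 3:
        findings.append("component-names-match-page-list")
    return sorted(findings)

def make_manifest(perms, components):
    """Build a constructed sample manifest (not taken from any real APK)."""
    ns = 'xmlns:android="http://schemas.android.com/apk/res/android"'
    body = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    body += "<application>"
    body += "".join(f'<service android:name=".{c}"/>' for c in components)
    return f'<manifest {ns} package="com.example.sample">{body}</application></manifest>'

SUSPECT = make_manifest(["RECORD_AUDIO", "READ_PHONE_STATE", "PROCESS_OUTGOING_CALLS",
                         "READ_SMS", "SEND_SMS", "INTERNET", "CALL_PHONE"],
                        ["MainService", "SocketService", "XM_CallRecordService"])
VOICE_MEMO = make_manifest(["RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE"], ["RecordService"])

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT), ("voice memo", VOICE_MEMO)):
        print(label, audit_manifest(xml_text))
```

The voice-memo sample shows why the check looks at combinations: recording audio alone is not flagged, while recording plus phone state plus an outbound channel is.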

For those who missed our earlier post, we have released our product for Android phones. Quick Heal Mobile Security for Android detects the file as Android.Nickispy.A.
