Android spying Trojan: Android.Backdoor.260.origin, Android.BackDoor.42 and the Substrate utility
Virus analysts at Doctor Web have examined a new Trojan for Android that security experts detected recently. The malware, named Android.Backdoor.260.origin, is spreading among Chinese users and is designed for cyber-espionage. In particular, the Trojan is capable of intercepting SMS messages, recording telephone conversations, obtaining the coordinates of an infected device, taking screenshots, and even tracking the data entered by the smartphone's owner.


Android.Backdoor.260.origin is installed on mobile devices as an application named "Android Update", so it is highly likely that the attackers distribute the Trojan under the guise of an important update in order to trick potential victims into installing it.

Android.Backdoor.260.origin has a rather complex modular architecture: a large part of its malicious functionality is concentrated in modules specially created by the virus writers and placed inside the malicious application's package. On first launch, the Trojan extracts the following subcomponents:

  • super;
  • detect;
  • liblocSDK4b.so;
  • libnativeLoad.so;
  • libPowerDetect.cy.so;
  • 1.dat;
  • libstay2.so;
  • libsleep4.so;
  • substrate_signed.apk;
  • cInstall.
It then attempts to execute the cInstall binary (detected by Dr.Web anti-virus as Android.BackDoor.41) with root privileges. If successful, this malicious module copies a number of the previously extracted files into the system directories of the mobile device and also tries to silently install a specialized tool called "Substrate", which extends the capabilities of applications and is used by Android.Backdoor.260.origin to intercept entered data. If root privileges are not granted, installing the required components most likely fails, and the Trojan cannot properly perform most of its functions.
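As an added defender-side illustration (not Doctor Web's tooling and not code from the Trojan), the following Python script statically triages an APK for the component layout described above: it flags the listed file names, ELF binaries dropped outside `lib/` (as cInstall and detect would be), and a nested APK such as the bundled Substrate package. The sample APK it builds is constructed in memory and is not the real malware.

```python
import io
import zipfile

# Subcomponent names the write-up lists for Android.Backdoor.260.origin
KNOWN_COMPONENTS = {
    "super", "detect", "liblocSDK4b.so", "libnativeLoad.so",
    "libPowerDetect.cy.so", "1.dat", "libstay2.so", "libsleep4.so",
    "substrate_signed.apk", "cInstall",
}
ELF_MAGIC = b"\x7fELF"       # native executables / shared objects
ZIP_MAGIC = b"PK\x03\x04"    # an APK is a zip archive


def triage_apk(apk_bytes):
    """Static triage of one APK (bytes): report files matching the component
    names above, ELF payloads outside lib/ (dropped binaries such as cInstall
    or detect), and nested APKs (the bundled Substrate package)."""
    findings = {"known_components": [], "disguised_elf": [], "nested_apk": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            with zf.open(info) as fh:
                head = fh.read(4)
            if name in KNOWN_COMPONENTS:
                findings["known_components"].append(info.filename)
            if head == ELF_MAGIC and not info.filename.startswith("lib/"):
                findings["disguised_elf"].append(info.filename)
            if head == ZIP_MAGIC and name.lower().endswith(".apk"):
                findings["nested_apk"].append(info.filename)
    return findings


def build_sample_apk():
    """Constructed sample (not the real malware) mimicking the described
    layout: a dropped ELF 'detect', a blob '1.dat' and a nested APK."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
        z.writestr("assets/detect", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 20)
        z.writestr("assets/1.dat", b"constructed-config-blob")
        z.writestr("assets/substrate_signed.apk", inner.getvalue())
        z.writestr("lib/armeabi/libhelper.so", ELF_MAGIC + b"\x00" * 20)  # ordinary native lib
    return buf.getvalue()


if __name__ == "__main__":
    for key, hits in triage_apk(build_sample_apk()).items():
        print(key, hits)
```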

After all required modules have been installed successfully, Android.Backdoor.260.origin removes the application shortcut it created earlier and launches the malicious system service Power Detect Service, which activates the Trojan module libnativeLoad.so (added to the Dr.Web virus database as Android.BackDoor.42) and the Substrate utility (classified by Doctor Web as Tool.Substrate.1.origin). Importantly, this tool is not malicious in itself and is available for download from the Google Play catalog. In this case, however, it has been somewhat modified by the virus writers and integrated into Android.Backdoor.260.origin, making it potentially dangerous for users.

Once activated, the malicious Trojan component libnativeLoad.so launches the file detect (Android.BackDoor.45), which in turn starts the binary 1.dat (Android.BackDoor.44). That binary activates the Trojan library libsleep4.so (Android.BackDoor.46), which continuously takes screenshots of the infected device and intercepts data entered on the keyboard, as well as the library libstay2.so (Android.BackDoor.43), which steals information from the phone book and tracks SMS messages and conversations in the QQ messenger.

In addition, the Trojan component 1.dat is able to receive a number of commands from the command-and-control server, including the following:

  • "DOW" - download a file from the server;
  • "UPL" - upload a file to the server;
  • "PLI", "PDL", "SDA" - update the malware and the Trojan's settings;
  • "DIR" - get a list of files in a directory;
  • "DTK" - write the contents of a specified directory to a file;
  • "OSC", "STK" - search for a specific file or directory;
  • "OSF" - cancel the file search;
  • "DEL" - delete the selected file;
  • "SCP" - take a snapshot of the screen;
  • "BGS" - turn on the microphone and start audio recording;
  • "GPRS" - start tracking the user's location.
It is noteworthy that the 1.dat module executes only some of the received commands on its own; for the rest, it relies on the functionality of the other Trojan libraries, which interact closely with each other via UNIX sockets using the following two-byte commands:

  • 0x2633 - start audio recording on the built-in microphone;
  • 0x2634 - stop audio recording;
  • 0x2635 - update the configuration file for the audio recording;
  • 0x2629 - copy the contact numbers;
  • 0x2630 - copy the contact numbers;
  • 0x2631 - copy SMS messages;
  • 0x2632 - copy the call log;
  • 0x2628 - transmit information about the location of the mobile device;
  • 0x2532 - get the name of the process in which the user is working at the moment;
  • 0x2678 - used to transfer the data entered by the user.
Doctor Web's specialists once again urge owners of Android mobile devices not to install questionable applications obtained from untrusted sources, and recommend using a reliable anti-virus program. Entries for the Trojan Android.Backdoor.260.origin and all its malicious components have been added to the Dr.Web virus database, so they pose no threat to users of Dr.Web anti-virus for Android.


Zubair saif

A passionate writer who loves to write on new technology and programming
