Security Intelligence Center

Mobile Signatures

The Juniper Networks Mobile Threat Center (MTC) research facility is a unique organization dedicated to conducting around-the-clock security, vulnerability and malware research tailored specifically to mobile device platforms and technologies. The MTC examines increasingly sophisticated attacks as well as new threat vectors for mobile cybercrime, and the potential for exploitation and misuse of mobile devices and data.

ANDROID

A.ADRD.1

Name A.ADRD.1
Category
Release Date 2011/03/09
Update Number 1

ADRD appears in Android applications that have been pirated from official applications. The attackers download applications from the official Android Market, unpack them, insert the malicious ADRD code, repackage them and then distribute them on unofficial, third-party application repositories. As of now, ADRD is only known to exist in Chinese application repositories, but this threat could spread to other third-party sites relatively easily.

Once the attackers have tricked a user into downloading the application to their SD card and installing it, it registers itself to execute when one of the following conditions has been met:

- Twelve hours have passed since the OS started
- Network connectivity changed
- The device receives a phone call

ADRD then attempts to gather the following information:

- 3gnet
- 3gwap
- APN
- cmnet
- cmwap
- Hardware information
- IMEI
- IMSI
- Network connectivity
- uninet
- uniwap
- Wifi

Next, the Trojan encrypts the stolen information and attempts to send it to the following locations:

- [http://]adrd.taxuan.net/index[REMOVED]
- [http://]adrd.xiaxiab.com/pic.[REMOVED]

After ADRD has sent the above information to the remote servers, it receives a series of instructions that tell the Trojan to begin its search engine manipulation activity by sending multiple HTTP requests to the following location:

wap.baidu.com/s?word=[ENCODED SEARCH STRING]&vit=uni&from=[ID]

The purpose of these search requests is to increase the site ranking of a website. ADRD can also be updated remotely by downloading and installing a new version of itself:

sdcard/uc/myupdate.apk

A.ADRD.10

Name A.ADRD.10
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.11

Name A.ADRD.11
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.12

Name A.ADRD.12
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.13

Name A.ADRD.13
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.14

Name A.ADRD.14
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.15

Name A.ADRD.15
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.16

Name A.ADRD.16
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.17

Name A.ADRD.17
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.18

Name A.ADRD.18
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.19

Name A.ADRD.19
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.2

Name A.ADRD.2
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.20

Name A.ADRD.20
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.21

Name A.ADRD.21
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.22

Name A.ADRD.22
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.23

Name A.ADRD.23
Category
Release Date 2011/03/09
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.24

Name A.ADRD.24
Category
Release Date 2011/03/29
Update Number 1

Description: identical to A.ADRD.1 above.

A.ADRD.25

Name A.ADRD.25
Category
Release Date 2011/09/07
Update Number 7

Description: identical to A.ADRD.1 above.

A.ADRD.26

Name A.ADRD.26
Category
Release Date 2011/12/21
Update Number 43

Description: identical to A.ADRD.1 above.

A.ADRD.27

Name A.ADRD.27
Category
Release Date 2011/12/21
Update Number 43


A.ADRD.3

Name A.ADRD.3
Category
Release Date 2011/03/09
Update Number 1


A.ADRD.4

Name A.ADRD.4
Category
Release Date 2011/03/09
Update Number 1


A.ADRD.5

Name A.ADRD.5
Category
Release Date 2011/03/09
Update Number 1


A.ADRD.6

Name A.ADRD.6
Category
Release Date 2011/03/09
Update Number 1


A.ADRD.7

Name A.ADRD.7
Category
Release Date 2011/03/09
Update Number 1


A.ADRD.8

Name A.ADRD.8
Category
Release Date 2011/03/09
Update Number 1


A.ADRD.9

Name A.ADRD.9
Category
Release Date 2011/03/09
Update Number 1


A.Adrd.a1

Name A.Adrd.a1
Category
Release Date 2012/02/22
Update Number 50


A.Android FlexiSpy.a

Name A.Android FlexiSpy.a
Category
Release Date 2010/03/22
Update Number 1

FlexiSpy is a trojan that records phone calls and SMS messages and sends them to a remote server. It is meant to be an actual application designed for this purpose, but it runs stealthily without any indication of its purpose and is therefore classified as a trojan. FlexiSpy comes in several different packages with escalating feature sets.

A.Anserv.a

Name A.Anserv.a
Category
Release Date 2011/05/19
Update Number 1

Anserver is a series of malicious applications that target Android devices. Anserver infected applications introduce the ability to connect to a remote server controlled by the malware developer in order to download other malicious payloads to the device and install them without the user's consent. Anserver has also been known to attempt to identify mobile security applications and kill them. Additionally, Anserver comes packaged in a legitimate, trojanized host application in order to trick the user into installing it. Once installed, Anserver infected applications install the malicious payload onto the device as "Touch Screen", tricking the user into accepting a fake "upgrade" for the original host. Once installed, Anserver can be triggered in a number of ways:
- Connectivity change
- Power connected
- USB mass storage connected or disconnected
- SMS message received
- Input method changed
- Boot completed
- Device unlocked
Upon successfully starting, Anserver phones home to check for new Command and Control (C&C) server addresses. If the connection is successful, Anserver receives commands to update its C&C server database in plain-text XML. Finally, Anserver is capable of transmitting potentially sensitive device information (OS version, IMEI number, device manufacturer and device model) to its developers.

A.AnserverBot

Name A.AnserverBot
Category
Release Date 2011/12/21
Update Number 43


A.AnserverBot.2

Name A.AnserverBot.2
Category
Release Date 2011/12/21
Update Number 43


A.AnserverBot.3

Name A.AnserverBot.3
Category
Release Date 2011/12/21
Update Number 43


A.BaseBridge.b

Name A.BaseBridge.b
Category
Release Date 2011/09/07
Update Number 7

BaseBridge comes in a series of pirated, trojanized host applications that are designed to appear legitimate to an Android user. BaseBridge infected applications leverage the "udev" (BID 34536) vulnerability in Android 2.2 devices and below in order to obtain root privileges on an infected device. Once root privilege has been obtained, BaseBridge infected applications drop their payload, "SMSApp.apk", which is stored in the application package in "/res/raw/anservb". Once successfully installed, "SMSApp.apk" connects to a remote server on port 8080 in order to send device identifying information, such as: "Subscriber ID", "Manufacturer and Model", and "Android version". Secondarily, BaseBridge infected apps are configured to send a series of SMS messages to premium rate SMS numbers that charge the user's mobile account per message. These funds are almost always unrecoverable. BaseBridge can also remove SMS messages from the mobile device's inbox, so as to reduce the chances of the user noticing the premium SMS messages being sent, and can dial phone numbers without the user's consent.

A.BaseBridge.f

Name A.BaseBridge.f
Category
Release Date 2011/09/07
Update Number 7


A.Basebrid.1

Name A.Basebrid.1
Category
Release Date 2011/12/21
Update Number 43


A.BlitzF.a

Name A.BlitzF.a
Category
Release Date 2010/08/16
Update Number 1

"com.blitzforce.massada" is the package name of what appears to be proof of concept (POC) malware from the Blitz Force Massada group of the University of Electronic Science and Technology of China that targeted Android devices. As a POC, com.blitzforce.massada does not appear to have been created to cause damage, only to show the capabilities of potential malware. com.blitzforce.massada leverages multiple attacks to illustrate the ability to:
- Accept incoming calls without user intervention
- End calls without user intervention
- Turn off the device radio to prevent any incoming/outgoing calls
- Gather sensitive device information and send it to remote servers

A.DDLight.a

Name A.DDLight.a
Category
Release Date 2011/09/07
Update Number 7

DroidDream Light is a variant of its predecessor DroidDream, which hit the official Android Market. Like its predecessor, DroidDream Light appears in pirated, trojanized Android applications. Analysis indicates that the malicious code in these pirated, trojanized applications becomes active upon receipt of an incoming call. Once initiated, DroidDream Light gathers up the following information to be sent to a remote server:
- IMEI number
- Phone number
- Device model
- Android version
DroidDream Light infected applications also contain the ability to download additional packages from a remote server for installation. Unlike its predecessor, DroidDream, DroidDream Light does not have the ability to install these additional applications in the background, so the user will be prompted for installation.

A.DrdDream.a

Name A.DrdDream.a
Category
Release Date 2011/03/09
Update Number 1

DroidDream was the first complex Trojan for Android to appear in the Android Market. DroidDream arrived in a series of pirated, trojanized applications whereby the malware developer stuffed malicious code into legitimate applications and released them alongside the legitimate apps. DroidDream leveraged the 'rageagainstthecage' root exploit in order to gain root privileges on infected devices. Once rooted, DroidDream infected applications contained an additional payload inside the package that is installed silently, in the background, without the user's knowledge. This additional package allows the trojan to capture the device's:
- Product ID
- Model
- Service provider
- Device language
- UserID configured on the device
This information is then transmitted to a remote server. DroidDream then went further by embedding the ability for the trojan to download and install additional applications in the background, at will. This capability could further extend the malware's abilities, all without the user's knowledge.

A.DroidDream

Name A.DroidDream
Category
Release Date 2012/01/27
Update Number 47


A.DroidDream.2

Name A.DroidDream.2
Category
Release Date 2012/01/27
Update Number 47


A.DroidDream.3

Name A.DroidDream.3
Category
Release Date 2012/01/27
Update Number 47


A.DroidDream.n

Name A.DroidDream.n
Category
Release Date 2012/01/27
Update Number 47


A.EicarAndr

Name A.EicarAndr
Category
Release Date 2011/11/01
Update Number 37

EICAR ANTI-VIRUS TEST APPLICATION THIS APP IS NOT HARMFUL. IT WILL NOT HARM YOUR DEVICE IN ANY WAY. This app simply displays a message similar to this one and nothing more. It requires no permissions on installation. It does not read your data, access the internet, or create any files. It does not run in the background, start automatically, or do anything at all other than display a message. It does, however, contain some text, created by the European Institute for Computer Antivirus Research (EICAR), which is designed to be safely detected by all anti-virus products as a virus, so that people can test their anti-virus applications to see if they're working correctly, without having to actually infect their devices with a real virus or other malware. To make it absolutely clear - this app is completely harmless, but should be detected as a virus. This is its entire purpose. If you run an anti-virus app on your phone, it should detect this app as a virus when you install it. For further details please search for "EICAR test file" on Wikipedia or visit EICAR's website itself at eicar.org.

A.FakePlayer.gen

Name A.FakePlayer.gen
Category
Release Date 2010/09/14
Update Number 1

“Fake Player” is the first SMS Trojan application known to affect Android devices. This application arrives on the handset in the form of an APK (Android Package) named “ru.apk”; it exists in the device’s application list as “org.me.androidapplication1” and appears in the application drawer as “Movie Player”. Analysis indicates that “Fake Player” is rather rudimentary, in that the developer created a simple “Hello, World” application and modified the code to include very basic SMS functionality by requesting the “SMS_SEND” permission. As an SMS Trojan, once installed, “Fake Player” will send SMS messages with “798657” in the message body to the premium SMS number “3353”, which charges the user’s mobile account for each message sent. Once that message has been sent, the Trojan will send the same message to short code “3354”, then send a 3rd message to “3353”. Analysis indicates that “Fake Player” was only distributed through 3rd party channels and never existed in any of the local Android Markets. Additionally, it is not believed that “Fake Player” would function properly outside of Russian carrier networks, as the short codes that were configured exist inside Russian networks and would not be reachable from carrier networks outside of Russia. Finally, “Fake Player” is unable to self-propagate: the device’s user must initiate the necessary actions to install the application and must confirm that he/she approves of the permissions being requested.

A.FakeTr.a

Name A.FakeTr.a
Category
Release Date 2011/09/07
Update Number 7

Fake Trusteer encourages users to enter an unnecessary key on the “bank website” in order to use smartphone banking. The information entered is leaked.

A.Flexispy.gen

Name A.Flexispy.gen
Category
Release Date 2012/02/22
Update Number 50

FlexiSpy is commercial spyware that affects most major mobile platforms. FlexiSpy records phone calls and SMS messages and sends them to a remote server. It is sold as an actual application designed for this purpose, but it runs stealthily without any indication of its purpose and hence is classified as a Trojan. FlexiSpy comes in several different packages with escalating feature sets. The full feature set is as follows:
- Remote Listening
- Control Phone By SMS
- SMS and Email Logging
- Call History Logging
- Location Tracking
- Call Interception
- GPS Tracking
- Shield
- Black List
- White List
- Web Support
- Secure Login
- View Report
- Advanced Searches
- Download Report
- Special Features
- SIM Change Notification
- GPRS Capability Required
- Listen to Recorded Conversation

A.Foncy.a

Name A.Foncy.a
Category
Release Date 2012/01/27
Update Number 47

Foncy is an SMS Trojan application that has been repackaged into legitimate apps. It uses a particular method to retrieve the device's country code in order to send premium-rate SMS messages to specific numbers within the appropriate country. Foncy is only known to affect European countries and users at this time.

A.GGTracker

Name A.GGTracker
Category
Release Date 2011/09/07
Update Number 7

GGTracker is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers as well as collecting sensitive device information. When the Trojan is executed, it sends the phone number of the compromised device to its controlling server so that the server can send SMS messages to the device. Next, the Trojan monitors received SMS messages and intercepts SMS messages from the following numbers: 00033335, 00036397, 33335, 36397, 46621, 55991, 55999, 56255, 96512, 99735. It also responds to SMS messages from 41001 by sending the following SMS message: YES. The Trojan may collect the following information:
- Device phone number
- Name of the network operator
- Sender and body of intercepted SMS messages
- Sender and body of SMS messages in the Inbox
- Version of the Android operating system
The gathered information is then sent to the following location: http://www.amaz0n-cloud.com/droid/droid.php

A.GGTracker.b

Name A.GGTracker.b
Category
Release Date 2011/09/07
Update Number 7

GGTracker is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers as well as collecting sensitive device information. When the Trojan is executed, it sends the phone number of the compromised device to its controlling server so that the server can send SMS messages to the device. Next, the Trojan monitors received SMS messages and intercepts SMS messages from the following numbers: 00033335, 00036397, 33335, 36397, 46621, 55991, 55999, 56255, 96512, 99735. It also responds to SMS messages from 41001 by sending the following SMS message: YES. The Trojan may collect the following information:
- Device phone number
- Name of the network operator
- Sender and body of intercepted SMS messages
- Sender and body of SMS messages in the Inbox
- Version of the Android operating system
The gathered information is then sent to the following location: http://www.amaz0n-cloud.com/droid/droid.php

A.Geimini.25

Name A.Geimini.25
Category
Release Date 2011/03/29
Update Number 1

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device-identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device-identifying data (IMEI/IMSI)
- Download and prompt the user to install 3rd party applications
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL
Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them, and were re-assembled. In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt the malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key of “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are also encrypted with the same DES cipher and key as the encrypted strings.
In this scenario, Geinimi attempts to encrypt what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following URLs have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185
Initial analysis of Geinimi indicated that a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected by Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geimimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24
As previously mentioned, Geinimi-infected applications were not found to have been accessible from the official Android Market.
As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geimini.26

Name A.Geimini.26
Category
Release Date 2011/03/29
Update Number 1

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device-identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device-identifying data (IMEI/IMSI)
- Download and prompt the user to install 3rd party applications
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL
Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them, and were re-assembled. In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt the malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key of “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are also encrypted with the same DES cipher and key as the encrypted strings.
In this scenario, Geinimi attempts to encrypt what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following URLs have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185
Initial analysis of Geinimi indicated that a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected by Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geimimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24
As previously mentioned, Geinimi-infected applications were not found to have been accessible from the official Android Market.
As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geimini.27

Name A.Geimini.27
Category
Release Date 2011/03/29
Update Number 1

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device-identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device-identifying data (IMEI/IMSI)
- Download and prompt the user to install 3rd party applications
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL
Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them, and were re-assembled. In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt the malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key of “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are also encrypted with the same DES cipher and key as the encrypted strings.
In this scenario, Geinimi attempts to encrypt what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following URLs have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185
Initial analysis of Geinimi indicated that a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected by Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geimimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24
As previously mentioned, Geinimi-infected applications were not found to have been accessible from the official Android Market.
As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geimini.28

Name A.Geimini.28
Category
Release Date 2011/03/29
Update Number 1

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device-identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device-identifying data (IMEI/IMSI)
- Download and prompt the user to install 3rd party applications
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL
Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them, and were re-assembled. In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt the malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key of “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are also encrypted with the same DES cipher and key as the encrypted strings.
In this scenario, Geinimi attempts to encrypt what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following URLs have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185
Initial analysis of Geinimi indicated that a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected by Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geimimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24
As previously mentioned, Geinimi-infected applications were not found to have been accessible from the official Android Market.
As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geinimi.01

Name A.Geinimi.01
Category
Release Date 2011/01/11
Update Number 1

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device-identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device-identifying data (IMEI/IMSI)
- Download and prompt the user to install 3rd party applications
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL
Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them, and were re-assembled. In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt the malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key of “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are also encrypted with the same DES cipher and key as the encrypted strings.
In this scenario, Geinimi attempts to encrypt what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following URLs have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185
Initial analysis of Geinimi indicated that a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected by Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geimimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24
As previously mentioned, Geinimi-infected applications were not found to have been accessible from the official Android Market.
As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geinimi.02

Name A.Geinimi.02
Category
Release Date 2011/01/11
Update Number 1

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device-identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device-identifying data (IMEI/IMSI)
- Download and prompt the user to install 3rd party applications
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL
Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them, and were re-assembled. In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt the malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key of “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are also encrypted with the same DES cipher and key as the encrypted strings.
In this scenario, Geinimi attempts to encrypt what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following URLs have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185
Initial analysis of Geinimi indicated that a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected by Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geimimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24
As previously mentioned, Geinimi-infected applications were not found to have been accessible from the official Android Market.
As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geinimi.03

Name A.Geinimi.03
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.04

Name A.Geinimi.04
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.05

Name A.Geinimi.05
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.06

Name A.Geinimi.06
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.07

Name A.Geinimi.07
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.08

Name A.Geinimi.08
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.09

Name A.Geinimi.09
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.10

Name A.Geinimi.10
Category
Release Date 2011/01/11
Update Number 1

Geinimi is an Android Trojan that harvests personal and device-identifying information and transmits it to remote servers. The most sophisticated Android malware seen at the time of this writing, Geinimi also introduces botnet capabilities: the code contains clear command and control (C&C) channels, although no live C&C communication has been observed to date. Geinimi has the following capabilities:

- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device-identifying data (IMEI/IMSI)
- Download a third-party application and prompt the user to install it
- Enumerate the applications installed on the infected device and transmit the list
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL

To date, Geinimi-infected applications have appeared only in third-party application repositories in China and can be installed only by “side loading” them. Geinimi HAS NOT appeared in the official Android Market. The infected applications are authentic applications that were pirated from the Android Market, disassembled, repackaged with the Geinimi code and re-assembled.

Beyond these features, Geinimi goes to considerable lengths to obfuscate and encrypt its malicious behaviour, both in the code and in its network communication. To hinder analysis, the authors encrypted selected strings in the code with DES. DES itself is a weak 56-bit cipher, and the key turned out to be the trivially guessable hard-coded value “12345678”, which was easily located in the code and allowed the important strings to be decrypted for analysis. Communication between infected devices and the controlling servers is encrypted with the same DES cipher and the same key: Geinimi turns what would otherwise be clear-text HTTP requests into traffic that looks less conspicuous. Because the key is embedded in every infected application, captured C&C traffic can be decrypted offline in exactly the same way as the strings.

The following hosts have been identified within the Geinimi code as hosts of interest, contacted over port 8080:

www.widifu.com
www.udaore.com
www.frijd.com
www.piajesj.com
www.qoewsl.com
www.weolir.com
www.uisoa.com
www.riusdu.com
www.aiucr.com
117.135.134.185

Initial analysis indicated that only a handful of applications were affected; the Juniper GTC has since identified at least 24 different applications infected with Geinimi. The following Android packages are known to carry Geinimi code:

com.moonage.iTraining – Detected as A.Geinimi.01
com.sgg.sp – Detected as A.Geinimi.02
com.bitlogik.uconnect – Detected as A.Geinimi.03
com.ubermind.ilightr – Detected as A.Geinimi.04
com.outfit7.talkinghippo – Detected as A.Geinimi.05
com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
com.xlabtech.MonsterTruckRally – Detected as A.Geinimi.08
cmp.LocalService – Detected as A.Geinimi.09
jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
cmp.netsentry – Detected as A.Geinimi.12
com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
com.masshabit.squibble.free – Detected as A.Geinimi.15
signcomsexgirl1.mm – Detected as A.Geinimi.16
redrabbit.CityDefense – Detected as A.Geinimi.17
com.gamevil.bs2010 – Detected as A.Geinimi.18
com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
sex.sexy – Detected as A.Geinimi.21
com.swampy.sexpos – Detected as A.Geinimi.22
com.ericlie.cg5 – Detected as A.Geinimi.23
chaire1.mm – Detected as A.Geinimi.24

As noted above, Geinimi-infected applications were not found in the official Android Market. As with every Android application, the user must manually install a Geinimi-infected application and approve the permissions it requests. Android users are encouraged to consider the context of each application when reviewing the permissions it asks for, especially when “side loading” applications from third-party repositories: a game or utility that requests SMS, location, phone-call and package-install permissions is asking for exactly the capabilities listed above. This description is shared by every A.Geinimi signature on this page; the entries differ only in the package each one detects.
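The string and traffic recovery described above, worked through as an added example that is not part of the original Juniper write-up: it uses Go's standard crypto/des to try the reported hard-coded key against encrypted blobs, validates the padding, and keeps only results that look like text. The cipher mode is an assumption: single DES in ECB mode with PKCS#5 padding, which is what Java's Cipher.getInstance("DES") selects by default; the write-up itself names only "DES" and the key. The EncryptDESECB helper and the SampleBlobs input exist only to construct test data, not to reproduce real Geinimi ciphertext.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"errors"
	"unicode"
)

// GeinimiKey is the hard-coded DES key reported in the write-up above.
var GeinimiKey = []byte("12345678")

// pkcs5Pad appends 1..8 bytes of PKCS#5 padding up to the DES block size.
func pkcs5Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad validates and strips PKCS#5 padding; bad padding usually means a wrong key or mode.
func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n < 1 || n > des.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	return b[:len(b)-n], nil
}

// EncryptDESECB is single DES, ECB, PKCS#5 padding; used here only to build sample ciphertext.
func EncryptDESECB(key, pt []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(pt)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += des.BlockSize {
		block.Encrypt(ct[i:i+des.BlockSize], padded[i:i+des.BlockSize])
	}
	return ct, nil
}

// DecryptDESECB reverses EncryptDESECB. ECB/PKCS5 is the assumed mode (the Java
// default for Cipher.getInstance("DES")); a CBC variant would also need the IV.
func DecryptDESECB(key, ct []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // rejects any key that is not 8 bytes
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize {
		block.Decrypt(pt[i:i+des.BlockSize], ct[i:i+des.BlockSize])
	}
	return pkcs5Unpad(pt)
}

// looksLikeText keeps printable ASCII only: the right key yields hostnames and
// URLs, a wrong key yields noise even on the rare occasions the padding check passes.
func looksLikeText(b []byte) bool {
	for _, c := range b {
		if c > unicode.MaxASCII || !(unicode.IsPrint(rune(c)) || c == '\n' || c == '\r' || c == '\t') {
			return false
		}
	}
	return len(b) > 0
}

// RecoverStrings tries the key against base64 blobs pulled from a decompiled
// APK or a traffic capture and returns the ones that decrypt to text.
func RecoverStrings(key []byte, blobs []string) map[string]string {
	out := map[string]string{}
	for _, blob := range blobs {
		raw, err := base64.StdEncoding.DecodeString(blob)
		if err != nil {
			continue // not base64 at all
		}
		if pt, err := DecryptDESECB(key, raw); err == nil && looksLikeText(pt) {
			out[blob] = string(pt)
		}
	}
	return out
}

// SampleBlobs builds constructed ciphertext for two hosts named in the write-up
// plus two junk entries; these are not blobs taken from a real Geinimi sample.
func SampleBlobs() []string {
	var blobs []string
	for _, s := range []string{"www.widifu.com", "117.135.134.185:8080"} {
		ct, _ := EncryptDESECB(GeinimiKey, []byte(s))
		blobs = append(blobs, base64.StdEncoding.EncodeToString(ct))
	}
	return append(blobs, "not-base64!", base64.StdEncoding.EncodeToString([]byte("short")))
}
```

Feed RecoverStrings(GeinimiKey, blobs) the base64 strings lifted from the decompiled classes or from the bodies of the port-8080 HTTP requests; SampleBlobs() gives a constructed input to try it on. The padding check plus the printable-ASCII filter is what separates a correct key from a near miss: if a different sample uses a different key or CBC, the padding fails on almost every blob and nothing is returned, which is the signal to revisit the assumption rather than trust garbage output.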

A.Geinimi.11

Name A.Geinimi.11
Category
Release Date 2011/01/11
Update Number 1

A.Geinimi.12

Name A.Geinimi.12
Category
Release Date 2011/01/11
Update Number 1

A.Geinimi.13

Name A.Geinimi.13
Category
Release Date 2011/01/11
Update Number 1

A.Geinimi.14

Name A.Geinimi.14
Category
Release Date 2011/01/11
Update Number 1

A.Geinimi.16

Name A.Geinimi.16
Category
Release Date 2011/01/11
Update Number 1

A.Geinimi.17

Name A.Geinimi.17
Category
Release Date 2011/01/11
Update Number 1

A.Geinimi.18

Name A.Geinimi.18
Category
Release Date 2011/01/11
Update Number 1

A.Geinimi.19

Name A.Geinimi.19
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.20

Name A.Geinimi.20
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.21

Name A.Geinimi.21
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.22

Name A.Geinimi.22
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.23

Name A.Geinimi.23
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.24

Name A.Geinimi.24
Category
Release Date 2011/01/11
Update Number 1


A.Geinimi.29

Name A.Geinimi.29
Category
Release Date 2011/09/07
Update Number 7


A.Geinimi.30

Name A.Geinimi.30
Category
Release Date 2011/09/07
Update Number 7

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device identifying data (IMEI/IMSI)
- Download and prompt the user to install a 3rd party application
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL

Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them and were re-assembled.

In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt its malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are encrypted with the same DES cipher and key as the encrypted strings. In this scenario, Geinimi encrypts what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following hosts have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185.

Initial analysis of Geinimi indicated that only a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected with Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geinimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24

As previously mentioned, Geinimi-infected applications were not found to be accessible from the official Android Market. As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geinimi.31

Name A.Geinimi.31
Category
Release Date 2011/09/07
Update Number 7

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device identifying data (IMEI/IMSI)
- Download and prompt the user to install a 3rd party application
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL

Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them and were re-assembled.

In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt its malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are encrypted with the same DES cipher and key as the encrypted strings. In this scenario, Geinimi encrypts what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following hosts have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185.

Initial analysis of Geinimi indicated that only a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected with Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geinimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24

As previously mentioned, Geinimi-infected applications were not found to be accessible from the official Android Market. As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geinimi.32

Name A.Geinimi.32
Category
Release Date 2011/09/07
Update Number 7

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device identifying data (IMEI/IMSI)
- Download and prompt the user to install a 3rd party application
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL

Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them and were re-assembled.

In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt its malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are encrypted with the same DES cipher and key as the encrypted strings. In this scenario, Geinimi encrypts what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following hosts have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185.

Initial analysis of Geinimi indicated that only a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected with Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geinimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24

As previously mentioned, Geinimi-infected applications were not found to be accessible from the official Android Market. As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.Geinimi.33

Name A.Geinimi.33
Category
Release Date 2011/09/07
Update Number 7

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities, with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:
- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device identifying data (IMEI/IMSI)
- Download and prompt the user to install a 3rd party application
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL

Up to this point, Geinimi-infected applications have only appeared in 3rd party application repositories in China and can only be installed by “side loading” the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into them and were re-assembled.

In addition to the sophisticated features of Geinimi-infected applications, Geinimi also goes to great lengths to obfuscate and encrypt its malicious behavior, both in the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key “12345678” was easily identified in the code, allowing the important strings to be decrypted for analysis. The communications between Geinimi-infected devices and their controlling servers are encrypted with the same DES cipher and key as the encrypted strings. In this scenario, Geinimi encrypts what would otherwise be clear-text HTTP requests to make the traffic appear less conspicuous. The following hosts have been identified within the Geinimi code as URLs of interest over port 8080: www.widifu.com, www.udaore.com, www.frijd.com, www.piajesj.com, www.qoewsl.com, www.weolir.com, www.uisoa.com, www.riusdu.com, www.aiucr.com, 117.135.134.185.

Initial analysis of Geinimi indicated that only a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected with Geinimi code:
- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geinimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24

As previously mentioned, Geinimi-infected applications were not found to be accessible from the official Android Market. As with all Android applications, users must physically install Geinimi-infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when “side loading” Android applications from 3rd party application repositories.

A.GingerMaster.2

Name A.GingerMaster.2
Category
Release Date 2012/01/27
Update Number 47

GingerMaster is the first Android malware that utilizes a root exploit against Android 2.3 (Gingerbread); previous Android malware variants capable of rooting devices to extend their functionality leveraged root exploits against Android 2.2 and below. GingerMaster follows the trend of repackaging its malicious code inside legitimate applications. Once the trojanized app is installed, it registers a receiver so it can be notified when the system has successfully booted, and launches a background service that collects device identifying information to be uploaded to a remote server. In addition to gathering this device information, GingerMaster-infected apps attempt to leverage the "GingerBreak" root exploit to elevate themselves to root privileges, and attempt to install a root shell into the system partition for use at a later time. After gaining root privileges, GingerMaster attempts to connect to a remote Command and Control (C&C) server, where it waits for instructions from the bot master. GingerMaster is then able to silently download and install additional apps that could extend the functionality of the malware, by executing "pm install" in the root shell that was previously installed.

A.GingerMaster.a

Name A.GingerMaster.a
Category
Release Date 2011/08/31
Update Number 5

GingerMaster is the first Android malware that utilizes a root exploit against Android 2.3 (Gingerbread); previous Android malware variants capable of rooting devices to extend their functionality leveraged root exploits against Android 2.2 and below. GingerMaster follows the trend of repackaging its malicious code inside legitimate applications. Once the trojanized app is installed, it registers a receiver so it can be notified when the system has successfully booted, and launches a background service that collects device identifying information to be uploaded to a remote server. In addition to gathering this device information, GingerMaster-infected apps attempt to leverage the "GingerBreak" root exploit to elevate themselves to root privileges, and attempt to install a root shell into the system partition for use at a later time. After gaining root privileges, GingerMaster attempts to connect to a remote Command and Control (C&C) server, where it waits for instructions from the bot master. GingerMaster is then able to silently download and install additional apps that could extend the functionality of the malware, by executing "pm install" in the root shell that was previously installed.

A.GoldDream.3

Name A.GoldDream.3
Category
Release Date 2011/09/07
Update Number 7

“GoldDream” is Android malware that was found in an app called “Fast Racing”. “Fast Racing” is a drag racing game that appears to function properly with the malicious code tucked away in the background. “Fast Racing” comes with a package name of “com.creativemobi.DragRacing”, and requests permissions above and beyond those that a game would need to operate. Alert users could potentially identify this as a malicious application by observing that it requests the following permissions:
- Your Messages
- Your Location
- Network Communication
- Storage
- Services that cost you money
- Phone Calls

We’ve since identified 6 additional applications infected with GoldDream malware. These apps can be found with the following package names:
- Pure Girls 16 – com.GoldDream.pg03
- Pure Girls 16 – com.GoldDream.pg04
- Pure Girls 16 – com.GoldDream.pg
- Forrest Defender – com.droid.game.forestman
- DevilDom Ninja – com.droidstu.game.devilninja
- Blood vs Zombie – com.gamelio.DrawSlasher

Android applications found to be infected with the GoldDream malware can monitor all inbound and outbound SMS messages and phone calls on the infected mobile device. The malware listens to these communications and captures the phone number associated with the messages or calls. In the case of SMS messages, GoldDream also captures the contents of the messages and stores all of the captured data in two different text files on the mobile handset until it receives the command to ship the captured data off to the controlling server:
- [redacted]phonecall.txt
- [redacted]sms.txt
Once a message or call is received or sent, these files are created in the /data/data/app_name/files folder on the device.

GoldDream-infected applications also include Command and Control (C&C) capabilities, allowing a commanding server to direct the malware to perform some configured function. Analysis of the malware indicates that the C&C server may be able to tell the infected devices to perform the following functions:
- Send SMS messages in the background
- Make phone calls in the background
- Install/uninstall applications in the background
- Upload a file to a remote server

A.HippoSMS

Name A.HippoSMS
Category
Release Date 2012/01/27
Update Number 47

HippoSMS arrives in cracked versions of legitimate applications, targeting Asian users. Once installed, HippoSMS sends SMS messages to premium rate numbers with a message body of "8". It also monitors incoming SMS messages and deletes any incoming messages that start with "10".

A.HippoSMS.a

Name A.HippoSMS.a
Category
Release Date 2011/09/07
Update Number 7

HippoSMS arrives in cracked versions of legitimate applications, targeting Asian users. Once installed, HippoSMS sends SMS messages to premium rate numbers with a message body of "8". It also monitors incoming SMS messages and deletes any incoming messages that start with "10".

A.Jifake.gen1

Name A.Jifake.gen1
Category
Release Date 2012/01/27
Update Number 47

Jifake arrives as a pre-download of a Russian modification of the instant messaging application JIMM. This pre-download asks the end user to send SMS messages to a short number (2476), with the body "744155jimm", to get the full version. The victim is charged for the cost of that SMS message. Another variant of Jifake sends the SMS to the short number 1899, with the following body: 1107[APPLICATION_CODE]1[RANDOM NUMBER].4

A.Jifake.gen2

Name A.Jifake.gen2
Category
Release Date 2012/01/27
Update Number 47

Jifake arrives as a pre-download of a Russian modification of the instant messaging application JIMM. This pre-download asks the end user to send SMS messages to a short number (2476), with the body "744155jimm", to get the full version. The victim is charged for the cost of that SMS message. Another variant of Jifake sends the SMS to the short number 1899, with the following body: 1107[APPLICATION_CODE]1[RANDOM NUMBER].4

A.KMin

Name A.KMin
Category
Release Date 2012/01/27
Update Number 47

KMin is a malicious application that affects Android devices. The Trojan may pose as an Android app named "KMHome" and attempts to collect the Device ID, Subscriber ID, and current time of the device in order to send them to a remote server.

A.Kidlogger.a

Name A.Kidlogger.a
Category
Release Date 2011/09/07
Update Number 7

KidLogger is non-commercial spyware for Android devices. Still existing in the Android Market today, KidLogger's Market description is as follows:

Record phone and user activity into a log file:
- Record all calls
- SMS text with recipient name
- Wi-fi connections
- GSM states (Airmode, Operator name etc.)
- SD card usage by USB connection
- Record all used Applications
- Logs visited web sites (standard browser only).
- Log keystrokes typed on onscreen keyboard and clipboard text.
- Also records phone coordinates and created photos.
- Works hidden in background - password protected
Keeps user activity log files for 5 days or Uploads it into your Kidlogger.net account. Anytime You can view the phone activity journal online. After install - restart your phone - and call *123456# to open and activate KidLogger App. If you don't want to restart - install "Soft Keyboard PRO" input method. See "Soft Keyboard PRO" app for details.

KidLogger is labeled as spyware because it contains the ability to hide itself from the user. While these types of applications certainly provide a necessary service to parents who would like to be aware of their child's online and mobile activities, they also provide an unauthorized user the ability to illegally monitor an unsuspecting person.

A.KungFu.a

Name A.KungFu.a
Category
Release Date 2011/09/07
Update Number 7

Droid KungFu is Android malware that arrives in repackaged apps that have been pirated and trojanized to include the malicious code that gives it its functionality, distributed through alternative markets targeting Chinese-speaking users. Droid KungFu leverages the 'udev' and 'rageagainstthecage' root exploits to silently gain root access to an infected device. Upon installation, an infected application registers a new service and a new receiver with the device, so that the receiver is notified once the device reboots and can automatically launch the service in the background. The launched service decrypts the encrypted root exploit payloads and launches the exploits against the device, attempting to elevate to root permissions. Once root has been obtained, Droid KungFu attempts to collect device information to be sent to a remote server. The following device information is collected:
- IMEI Number
- Device Model
- Android Version
Once the malware has collected and transmitted the information needed to register the device with the remote server, Droid KungFu, with root privileges on the device, attempts to install an additional package onto the device in the background, without the user's consent. The installed app, 'legacy', pretends to be a legitimate Google Search application with the same application icon. 'Legacy' is actually a backdoor which connects to a remote server in order to receive commands and instructions on what to do next, essentially turning the infected device into a bot.

A.KungFu2.2

Name A.KungFu2.2
Category
Release Date 2012/01/27
Update Number 47

Droid KungFu2 is a variant of the original Droid KungFu malware that was packaged into pirated, trojanized Android applications. Containing much of the same functionality as its predecessor, Droid KungFu2 attempts to obfuscate portions of its code that were written in Dalvik code (based on Java) by using native code instead. It also employs two additional command and control (C&C) domains, whereas its predecessor only uses one C&C domain. These changes were made in such a way as to confuse existing detection methods and to slow down analysis, by making it more difficult for researchers to analyze and identify the communication and other capabilities of the malware.

A.KungFu2.a

Name A.KungFu2.a
Category
Release Date 2012/01/27
Update Number 47

Droid KungFu2 is a variant of the original Droid KungFu malware that was packaged into pirated, trojanized Android applications. Containing much of the same functionality as its predecessor, Droid KungFu2 attempts to obfuscate portions of its code that were written in Dalvik code (based on Java) by using native code instead. It also employs two additional command and control (C&C) domains, whereas its predecessor only uses one C&C domain. These changes were made in such a way as to confuse existing detection methods and to slow down analysis, by making it more difficult for researchers to analyze and identify the communication and other capabilities of the malware.

A.KungFu3.a

Name A.KungFu3.a
Category
Release Date 2011/08/31
Update Number 5

Droid KungFu3 is the third variant in the series of Droid KungFu malware affecting Android devices. Just as its predecessors, Droid KungFu3 arrives in pirated, trojanized applications for Android devices. Droid KungFu3 goes further in its efforts to obfuscate its true intentions. Where Droid KungFu2 added two additional command and control (C&C) servers and hardcoded them in native code, Droid KungFu3 actually encrypts all three C&C server addresses to add further difficulty to reverse engineering the malware. The main purpose of Droid KungFu3 doesn't change with these subtle variations. Just as with its predecessors, Droid KungFu3 leverages one of two root exploits to gain root privileges on an infected device. Once root has been obtained, it attempts to install an embedded APK (Android package), which masquerades as a fake Google Update application. If the embedded application is successfully installed, it does not display an application icon to the user. In reality, the app that is installed opens a backdoor on the device, which connects to remote servers for instructions, effectively turning the device into a bot.

A.Lovetrap.1

Name A.Lovetrap.1
Category
Release Date 2012/01/27
Update Number 47

LoveTrap is an Android Trojan that sends SMS messages to premium rate numbers. Once installed, LoveTrap retrieves premium rate numbers from a remote server in order to send the SMS messages that will be charged to the mobile user's account. The Trojan then goes further and blocks any incoming confirmation SMS messages from any of the premium rate numbers in order to mask its activities.

A.Lovetrap.2

Name A.Lovetrap.2
Category
Release Date 2012/01/27
Update Number 47

LoveTrap is an Android Trojan that sends SMS messages to premium rate numbers. Once installed, LoveTrap retrieves premium rate numbers from a remote server in order to send the SMS messages that will be charged to the mobile user's account. The Trojan then goes further and blocks any incoming confirmation SMS messages from any of the premium rate numbers in order to mask its activities.

A.Lovetrap.3

Name A.Lovetrap.3
Category
Release Date 2012/01/27
Update Number 47

LoveTrap is an Android Trojan that sends SMS messages to premium rate numbers. Once installed, LoveTrap retrieves premium rate numbers from a remote server in order to send the SMS messages that will be charged to the mobile user's account. The Trojan then goes further and blocks any incoming confirmation SMS messages from any of the premium rate numbers in order to mask its activities.

A.MNauten.gen

Name A.MNauten.gen
Category
Release Date 2010/10/05
Update Number 1

Mobinauten SMS Spy exists in the Android Market and is described as an application that can assist a user in finding a lost or stolen device. SMS Spy is being labeled as spyware because it hides itself from the user and does not insert an application icon in the application drawer on the device. SMS Spy arrives with a package name of “de.mobinauten.smsspy” and an application name of “SMS Spy”. SMS Spy requires that the sender send an SMS message to the device with a pre-configured message of “How are you???”. The located device responds to the sender with 3 SMS messages: the 1st confirms receipt of the locate message, the 2nd replies with the GPS coordinates and address of the device, and the 3rd contains a URL that links to a Google Map of the device’s location. SMS Spy gives the user the option of hiding the incoming “locate” SMS message. In this case, a separate contact must be created on the target device with the surname listed as “systemnumber” and the rest of the information blank. Once this “systemnumber” contact exists on the target device, SMS Spy deletes a properly constructed locate message and modifies the message that is sent to the system notification to read “Internal Service – SMS Database optimized and compressed”. SMS Spy could certainly be considered a useful application if used properly. However, since it takes measures to hide itself from the user and could allow an attacker to obfuscate the incoming locate message, it is labeled as Android spyware so the user can make an informed decision about whether the application should remain on the device.

A.NickiSpy.a

Name A.NickiSpy.a
Category
Release Date 2011/08/31
Update Number 5

NickySpy is a malicious program that affects Android devices. NickySpy arrives as an app named "Android System Manager", but really only collects information about the device and sends it to a remote server. NickySpy is capable of capturing the following information:
- Voice calls
- SMS messages
- GPS location information
- International Mobile Equipment Identity (IMEI)
- IP address
The malware stores the voice call data on the SD card in a folder named '/sdcard/shangzhou/callrecord', and creates a timer event to initiate data collection and upload these details to the remote server.

A.NickiSpy.b

Name A.NickiSpy.b
Category
Release Date 2011/08/31
Update Number 5

NickySpy is a malicious program that affects Android devices. NickySpy arrives as an app named "Android System Manager", but really only collects information about the device and sends it to a remote server. NickySpy is capable of capturing the following information:
- Voice calls
- SMS messages
- GPS location information
- International Mobile Equipment Identity (IMEI)
- IP address

The malware stores the voice call data on the SD card in a folder named '/sdcard/shangzhou/callrecord', and creates a timer event to initiate data collection and upload these details to the remote server.

A.PJApp.1

Name A.PJApp.1
Category
Release Date 2011/03/09
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.2

Name A.PJApp.2
Category
Release Date 2011/03/09
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.3

Name A.PJApp.3
Category
Release Date 2011/03/09
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.4

Name A.PJApp.4
Category
Release Date 2011/03/09
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.5

Name A.PJApp.5
Category
Release Date 2011/03/09
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.6

Name A.PJApp.6
Category
Release Date 2011/03/09
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.7

Name A.PJApp.7
Category
Release Date 2011/03/09
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.8

Name A.PJApp.8
Category
Release Date 2011/03/29
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PJApp.9

Name A.PJApp.9
Category
Release Date 2011/03/29
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores. When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc.)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes. When the service is started it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message containing the infected device’s IMEI number to a mobile number controlled by the attackers. The mobile number this message is sent to is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file, and include the following:

note - This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting: If specified, the mobile’s number will be sent to a remote server to check whether it has been blacklisted, in which case the message won’t be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + “/?tel=” + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn’t read them. Beginning and end-of-message strings are among the supported filters.

push - This command performs SMS spamming and requires the following parameters:
- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by ‘#’

soft - This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window - This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark - The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox - This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

A.PirateText.a

Name A.PirateText.a
Category
Release Date 2011/03/29
Update Number 1

PirateText is a pirated version of a top-rated Android application named "Walk and Text". The official developers of "Walk and Text" released a new version of their application to the Android Market; within hours it was pirated from the Market, had malicious code grafted into the package, and was redistributed as the legitimate version in third-party application stores. The version that was pirated from the Market was version 1.3.6. The current Market version is 1.5.3. The version that has the malicious code is version 1.3.7. As far as we can tell, version 1.3.7 is not an official update to the legitimate application pushed out by Incorporate Apps. It looks like the version 1.3.7 that exists is actually version 1.3.6 with malicious code written in, subsequently signed with a different self-signed certificate than the one used by Incorporate Apps. This is a good indication that someone else repackaged this application, because they did not have access to the legitimate certificate from the original developer.

The malicious “Walk and Text v1.3.7” application appears to function normally to the user. However, in the background it sends an SMS message to all of the device’s contacts with the following message:
“Hey,just downlaoded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap,it costed only 1 buck.Don\’t steal like I did!”

“Walk and Text v1.3.7” does not do anything other than send annoying SMS messages to the device’s contacts. The nature of the SMS message that is sent would indicate that someone wanted to make a point that downloading pirated applications is unethical, but the method they used is just as unethical.

A.Plankton.1

Name A.Plankton.1
Category
Release Date 2011/09/07
Update Number 7

Plankton is Android malware that arrives as a pirated, trojanized application. Plankton was originally identified by researchers at North Carolina State University, who found that Plankton-infected apps use Dalvik's dynamic class loading capability to run additional code stealthily on the Android device. Once an infected app is loaded onto the device, the malware adds a background service that starts itself when the application is executed. This background service collects identifying information such as the IMEI from the infected device, gathers the list of permissions requested by the host application, and sends them to a remote server. Once the server has received this information, it sends back a URL from which the on-device malware retrieves a .jar file that loads itself automatically and enables botnet-like functionality on the infected device. The downloaded .jar file also goes on to retrieve information such as browser history and bookmarks, dumps the device's adb log, and is capable of capturing account credentials stored on the device.

A.Plankton.2

Name A.Plankton.2
Category
Release Date 2011/09/07
Update Number 7

Plankton is Android malware that arrives as a pirated, trojanized application. Plankton was originally identified by researchers at North Carolina State University, who found that Plankton-infected apps use Dalvik's dynamic class loading capability to run additional code stealthily on the Android device. Once an infected app is loaded onto the device, the malware adds a background service that starts itself when the application is executed. This background service collects identifying information such as the IMEI from the infected device, gathers the list of permissions requested by the host application, and sends them to a remote server. Once the server has received this information, it sends back a URL from which the on-device malware retrieves a .jar file that loads itself automatically and enables botnet-like functionality on the infected device. The downloaded .jar file also goes on to retrieve information such as browser history and bookmarks, dumps the device's adb log, and is capable of capturing account credentials stored on the device.

A.Plankton.3

Name A.Plankton.3
Category
Release Date 2011/09/07
Update Number 7

Plankton is Android malware that arrives as a pirated, trojanized application. Plankton was originally identified by researchers at North Carolina State University, who found that Plankton-infected apps use Dalvik's dynamic class loading capability to run additional code stealthily on the Android device. Once an infected app is loaded onto the device, the malware adds a background service that starts itself when the application is executed. This background service collects identifying information such as the IMEI from the infected device, gathers the list of permissions requested by the host application, and sends them to a remote server. Once the server has received this information, it sends back a URL from which the on-device malware retrieves a .jar file that loads itself automatically and enables botnet-like functionality on the infected device. The downloaded .jar file also goes on to retrieve information such as browser history and bookmarks, dumps the device's adb log, and is capable of capturing account credentials stored on the device.

A.Plankton.4

Name A.Plankton.4
Category
Release Date 2011/09/07
Update Number 7

Plankton is Android malware that arrives as a pirated, trojanized application. Plankton was originally identified by researchers at North Carolina State University, who found that Plankton-infected apps use Dalvik's dynamic class loading capability to run additional code stealthily on the Android device. Once an infected app is loaded onto the device, the malware adds a background service that starts itself when the application is executed. This background service collects identifying information such as the IMEI from the infected device, gathers the list of permissions requested by the host application, and sends them to a remote server. Once the server has received this information, it sends back a URL from which the on-device malware retrieves a .jar file that loads itself automatically and enables botnet-like functionality on the infected device. The downloaded .jar file also goes on to retrieve information such as browser history and bookmarks, dumps the device's adb log, and is capable of capturing account credentials stored on the device.
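The Plankton entries above describe a host app whose own code is mostly harmless: the malicious behaviour lives in a .jar fetched at runtime and loaded through Dalvik's class loader (the DexClassLoader API). Static triage therefore looks for the loader plus the identifier and network APIs the entry mentions. The following is an added example, not code from the original entry, from Juniper or from the NCSU researchers: it walks the string pool of a dex file (string_ids table at header offset 0x38) and scores the result. The indicator strings are this example's own choice, and the sample dex files, the example.invalid URL and the plugin.jar path are constructed here, not taken from a Plankton sample.

```python
import struct

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
STRING_IDS_SIZE_OFF = 0x38     # uint string_ids_size, followed by uint string_ids_off


def read_uleb128(buf: bytes, pos: int):
    """Decode a ULEB128 value; returns (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def dex_strings(dex: bytes):
    """Walk the string_ids table and return every string in the dex string pool."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, table_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_units, start = read_uleb128(dex, data_off)
        # MUTF-8 encodes U+0000 as C0 80, so a raw 0x00 byte is always the terminator
        end = dex.index(b"\x00", start)
        strings.append(dex[start:end].decode("utf-8", errors="replace"))
    return strings


# Indicators chosen for this example (assumed, not a published Plankton signature)
LOADER_INDICATORS = {"Ldalvik/system/DexClassLoader;", "Ldalvik/system/PathClassLoader;"}
IDENTIFIER_INDICATORS = {"getDeviceId", "Landroid/telephony/TelephonyManager;"}
NETWORK_INDICATORS = {"Ljava/net/HttpURLConnection;", "Lorg/apache/http/client/HttpClient;"}


def triage_dex(dex: bytes):
    """Score a dex for the 'load code at runtime and phone home' pattern."""
    pool = set(dex_strings(dex))
    hits = {
        "dynamic_loading": sorted(pool & LOADER_INDICATORS),
        "device_identifiers": sorted(pool & IDENTIFIER_INDICATORS),
        "network": sorted(pool & NETWORK_INDICATORS),
        "urls": sorted(s for s in pool if s.startswith(("http://", "https://"))),
        "jar_paths": sorted(s for s in pool if s.endswith(".jar")),
    }
    hits["plankton_like"] = bool(hits["dynamic_loading"]) and bool(
        hits["device_identifiers"] or hits["network"] or hits["urls"])
    return hits


def build_sample_dex(strings):
    """Construct a minimal dex: header plus string pool only (test fixture)."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"   # ASCII only: 1 ULEB byte
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x20, HEADER_SIZE + len(ids) + len(data))   # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)                          # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)                           # endian_tag
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, len(strings), ids_off)
    struct.pack_into("<II", header, 0x68, len(data), data_off)                 # data_size/off
    return bytes(header) + ids + data


SAMPLE_STRINGS = [
    "Lcom/example/game/MainActivity;", "onCreate",
    "Ldalvik/system/DexClassLoader;", "loadClass",
    "Landroid/telephony/TelephonyManager;", "getDeviceId",
    "http://example.invalid/update", "/sdcard/plankton/plugin.jar",
]
SAMPLE_DEX = build_sample_dex(SAMPLE_STRINGS)
BENIGN_DEX = build_sample_dex(["Lcom/example/game/MainActivity;", "onCreate", "Landroid/widget/TextView;"])

if __name__ == "__main__":
    print(triage_dex(SAMPLE_DEX))
```

The verdict is a triage hint, not a detection: loaders and HTTP clients are common in clean apps, and a sample that builds its indicator strings at runtime will not show them in the pool. Because Plankton's real payload is the downloaded .jar, the static pass only tells you where to look; the .jar itself has to be captured from the device or the network and triaged the same way.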

A.SPPush.2

Name A.SPPush.2
Category
Release Date 2012/01/27
Update Number 47

A.SPPush is a malicious application that targets Android users in China and is distributed through third-party web stores. It takes advantage of the SMS-based subscription system commonly used in China to sign the user up for certain services without the user's knowledge or consent.

A.SPPush.3

Name A.SPPush.3
Category
Release Date 2012/01/27
Update Number 47

A.SPPush is a malicious application that targets Android users in China and is distributed through third-party web stores. It takes advantage of the SMS-based subscription system commonly used in China to sign the user up for certain services without the user's knowledge or consent.

A.SPPush.a

Name A.SPPush.a
Category
Release Date 2012/01/27
Update Number 47

A.SPPush.a is a malicious application that targets Android users in China and is distributed through third-party web stores. It takes advantage of the SMS-based subscription system commonly used in China to sign the user up for certain services without the user's knowledge or consent.

A.SPPush.b

Name A.SPPush.b
Category
Release Date 2012/01/27
Update Number 47

A.SPPush.b is a malicious application that targets Android users in China and is distributed through third-party web stores. It takes advantage of the SMS-based subscription system commonly used in China to sign the user up for certain services without the user's knowledge or consent.

A.Skypwned.a

Name A.Skypwned.a
Category
Release Date 2011/04/19
Update Number 1

Skypwned is a proof-of-concept (POC) application developed specifically to illustrate the capabilities of exploiting a vulnerability in Skype for Android. The Skypwned POC is not overtly malicious, but should still be removed from a device if it is detected.

A.SndApps.a

Name A.SndApps.a
Category
Release Date 2011/09/07
Update Number 7

SndApps is Android malware that arrives in applications that appear to be games for Android devices. SndApps accesses various types of device-identifying information and forwards it to a remote server. The following information is accessed and transmitted:

Carrier/Service Provider
Country Code
Device ID/IMEI Number
Email Addresses Associated with the Device
Phone Number

SndApps-infected applications do not appear to have been repackaged from legitimate developers' releases. In this case, it appears that the same developers who created the original applications came back at a later date and included the malicious code in subsequent versions of the applications. These apps were initially detected in the official Android Market, but have since been removed.

A.Spitmo.c

Name A.Spitmo.c
Category
Release Date 2012/01/27
Update Number 47

SPITMO/SpyEye is Android malware that affects users whose PC is infected with the PC malware SpyEye. When a user of an infected PC browses to their online banking site, SpyEye injects content into the bank's pages that attempts to trick the user into believing that the bank is asking for their mobile phone number in order to facilitate out-of-band authentication using mTAN messages. mTAN messages are one-time codes sent from a bank to a user's mobile device to be used for authentication when logging into the online banking website. Once SpyEye has obtained the user's mobile number, the user is told, through injected content, that it will be necessary to download a "certificate" so that mTAN authentications can be properly verified on the device. In reality, the user has provided SpyEye with the device's phone number and is being tricked into installing the SpyEye mobile spyware application, which monitors and captures the mTAN codes sent by the bank. SpyEye is configured to recognise these mTAN codes as they arrive on the device over SMS and forwards them to a third-party server, where the attackers use them to gain access to the victim's online banking account.

A.SpyBubble.b

Name A.SpyBubble.b
Category
Release Date 2012/01/27
Update Number 47

Spy Bubble is a stealth GPS tracking application for Android phones. Spy Bubble is very similar to other Android tracking applications on the market that offer "stealth" GPS tracking and various monitoring/spy features (such as Mobile Spy).

Spy Bubble may track the following activities:

GPS Location
SMS messages sent/received from the Android device.
View Call Logs

A.Spybub.a

Name A.Spybub.a
Category
Release Date 2010/03/03
Update Number 1

Spy Bubble is a stealth GPS tracking application for Android phones. Spy Bubble is very similar to other Android tracking applications on the market that offer "stealth" GPS tracking and various monitoring/spy features (such as Mobile Spy).

Spy Bubble may track the following activities:

GPS Location
SMS messages sent/received from the Android device.
View Call Logs

A.Thefty.gen2

Name A.Thefty.gen2
Category
Release Date 2010/12/01
Update Number 1

Theft Aware is an anti-theft application that could potentially allow illegal monitoring of the GPS location of an unsuspecting individual.

Theft Aware is a commercial application available for Symbian and Android devices that allows a user to locate a lost or stolen mobile device.

Theft Aware offers the following capabilities:

GPS location monitoring
Stealth Mode
Remote Lock/Wipe
Siren
Wipe
Retrieve SMS messages
Silently place calls for monitoring ambient noise
SMS commands

While Theft Aware offers a viable service to users, this application is labeled as spyware because it can actively hide itself on the device to avoid detection by an unsuspecting user and could potentially be used as a tool to illegally spy on a user's movements and communications.

A.Typstu

Name A.Typstu
Category
Release Date 2012/01/27
Update Number 47

Android/TypStu.D sends sensitive information to a third-party site. This malware requires that the user intentionally install it on the device.

A.YzhcSms.1

Name A.YzhcSms.1
Category
Release Date 2012/01/27
Update Number 47

YZHCSMS is an Android Trojan application that comes with the package name 'com.ppxiu' from the developer 'Gengine'. The application no longer appears to be available in the Android Market, but is still being offered in third-party stores in Asia. Appearing to target Asian markets only, YZHCSMS begins its operations by reaching out to a remote website to obtain a list of premium rate numbers (short codes that SMS messages are sent to, much like when voting on American Idol) and then begins sending SMS messages that all start with 'YZHC'. Combining the premium rate numbers retrieved from the web server with a list of hardcoded numbers, YZHCSMS sends an SMS/text message every 50 minutes to the target, costing the user varying amounts of money per message depending on their rate plan. The SMS Trojan runs as a background thread that is kicked off when the device boots or when the infected application is executed. Along with its ability to run as a background thread, YZHCSMS attempts to further hide its true nature by deleting any SMS messages it has sent, as well as trying to delete any SMS billing messages that may be received as a result of the premium message it just sent. Some variants of this SMS Trojan can only remove messages related to the numbers hardcoded into the malware, while others also attempt to remove messages related to the numbers retrieved from the server.

Our analysis of at least one of the variants indicates that the following numbers have been hardcoded into the different variants of YZHCSMS:

1000
10000
10086
100086
123456
617915
19000101
19860102
19861119
91316005
91316007
101011101
12345678911
1065800885566
052714034192100013309
1240000089393100527140341001

The following numbers exist in the 'mmssender' class:

052714034192100013309
10086
1240000089393100527140341001

At least one variant appears to intercept messages related to the following hardcoded numbers, via the 'SMSObserver' class:

10086
1065800885566

At this time, it is unclear whether these premium rate numbers will work outside of Asian markets. The Android Market data indicates that this application has only been downloaded an estimated 500 times.

A.YzhcSms.2

Name A.YzhcSms.2
Category
Release Date 2012/01/27
Update Number 47

YZHCSMS is an Android Trojan application that comes with the package name 'com.ppxiu' from the developer 'Gengine'. The application no longer appears to be available in the Android Market, but is still being offered in third-party stores in Asia. Appearing to target Asian markets only, YZHCSMS begins its operations by reaching out to a remote website to obtain a list of premium rate numbers (short codes that SMS messages are sent to, much like when voting on American Idol) and then begins sending SMS messages that all start with 'YZHC'. Combining the premium rate numbers retrieved from the web server with a list of hardcoded numbers, YZHCSMS sends an SMS/text message every 50 minutes to the target, costing the user varying amounts of money per message depending on their rate plan. The SMS Trojan runs as a background thread that is kicked off when the device boots or when the infected application is executed. Along with its ability to run as a background thread, YZHCSMS attempts to further hide its true nature by deleting any SMS messages it has sent, as well as trying to delete any SMS billing messages that may be received as a result of the premium message it just sent. Some variants of this SMS Trojan can only remove messages related to the numbers hardcoded into the malware, while others also attempt to remove messages related to the numbers retrieved from the server.

Our analysis of at least one of the variants indicates that the following numbers have been hardcoded into the different variants of YZHCSMS:

1000
10000
10086
100086
123456
617915
19000101
19860102
19861119
91316005
91316007
101011101
12345678911
1065800885566
052714034192100013309
1240000089393100527140341001

The following numbers exist in the 'mmssender' class:

052714034192100013309
10086
1240000089393100527140341001

At least one variant appears to intercept messages related to the following hardcoded numbers, via the 'SMSObserver' class:

10086
1065800885566

At this time, it is unclear whether these premium rate numbers will work outside of Asian markets. The Android Market data indicates that this application has only been downloaded an estimated 500 times.

A.Yzhcsms.2

Name A.Yzhcsms.2
Category
Release Date 2012/01/27
Update Number 47

YZHCSMS is an Android Trojan application that comes with the package name 'com.ppxiu' from the developer 'Gengine'. The application no longer appears to be available in the Android Market, but is still being offered in third-party stores in Asia. Appearing to target Asian markets only, YZHCSMS begins its operations by reaching out to a remote website to obtain a list of premium rate numbers (short codes that SMS messages are sent to, much like when voting on American Idol) and then begins sending SMS messages that all start with 'YZHC'. Combining the premium rate numbers retrieved from the web server with a list of hardcoded numbers, YZHCSMS sends an SMS/text message every 50 minutes to the target, costing the user varying amounts of money per message depending on their rate plan. The SMS Trojan runs as a background thread that is kicked off when the device boots or when the infected application is executed. Along with its ability to run as a background thread, YZHCSMS attempts to further hide its true nature by deleting any SMS messages it has sent, as well as trying to delete any SMS billing messages that may be received as a result of the premium message it just sent. Some variants of this SMS Trojan can only remove messages related to the numbers hardcoded into the malware, while others also attempt to remove messages related to the numbers retrieved from the server.

Our analysis of at least one of the variants indicates that the following numbers have been hardcoded into the different variants of YZHCSMS:

1000
10000
10086
100086
123456
617915
19000101
19860102
19861119
91316005
91316007
101011101
12345678911
1065800885566
052714034192100013309
1240000089393100527140341001

The following numbers exist in the 'mmssender' class:

052714034192100013309
10086
1240000089393100527140341001

At least one variant appears to intercept messages related to the following hardcoded numbers, via the 'SMSObserver' class:

10086
1065800885566

At this time, it is unclear whether these premium rate numbers will work outside of Asian markets. The Android Market data indicates that this application has only been downloaded an estimated 500 times.

A.Yzhcsms.3

Name A.Yzhcsms.3
Category
Release Date 2012/01/27
Update Number 47

YZHCSMS is an Android Trojan application that comes with the package name 'com.ppxiu' from the developer 'Gengine'. The application no longer appears to be available in the Android Market, but is still being offered in third-party stores in Asia. Appearing to target Asian markets only, YZHCSMS begins its operations by reaching out to a remote website to obtain a list of premium rate numbers (short codes that SMS messages are sent to, much like when voting on American Idol) and then begins sending SMS messages that all start with 'YZHC'. Combining the premium rate numbers retrieved from the web server with a list of hardcoded numbers, YZHCSMS sends an SMS/text message every 50 minutes to the target, costing the user varying amounts of money per message depending on their rate plan. The SMS Trojan runs as a background thread that is kicked off when the device boots or when the infected application is executed. Along with its ability to run as a background thread, YZHCSMS attempts to further hide its true nature by deleting any SMS messages it has sent, as well as trying to delete any SMS billing messages that may be received as a result of the premium message it just sent. Some variants of this SMS Trojan can only remove messages related to the numbers hardcoded into the malware, while others also attempt to remove messages related to the numbers retrieved from the server.

Our analysis of at least one of the variants indicates that the following numbers have been hardcoded into the different variants of YZHCSMS:

1000
10000
10086
100086
123456
617915
19000101
19860102
19861119
91316005
91316007
101011101
12345678911
1065800885566
052714034192100013309
1240000089393100527140341001

The following numbers exist in the 'mmssender' class:

052714034192100013309
10086
1240000089393100527140341001

At least one variant appears to intercept messages related to the following hardcoded numbers, via the 'SMSObserver' class:

10086
1065800885566

At this time, it is unclear whether these premium rate numbers will work outside of Asian markets. The Android Market data indicates that this application has only been downloaded an estimated 500 times.

A.Yzhcsms.a

Name A.Yzhcsms.a
Category
Release Date 2011/09/07
Update Number 7

YZHCSMS is an Android Trojan application that comes with the package name 'com.ppxiu' from the developer 'Gengine'. The application no longer appears to be available in the Android Market, but is still being offered in third-party stores in Asia. Appearing to target Asian markets only, YZHCSMS begins its operations by reaching out to a remote website to obtain a list of premium rate numbers (short codes that SMS messages are sent to, much like when voting on American Idol) and then begins sending SMS messages that all start with 'YZHC'. Combining the premium rate numbers retrieved from the web server with a list of hardcoded numbers, YZHCSMS sends an SMS/text message every 50 minutes to the target, costing the user varying amounts of money per message depending on their rate plan. The SMS Trojan runs as a background thread that is kicked off when the device boots or when the infected application is executed. Along with its ability to run as a background thread, YZHCSMS attempts to further hide its true nature by deleting any SMS messages it has sent, as well as trying to delete any SMS billing messages that may be received as a result of the premium message it just sent. Some variants of this SMS Trojan can only remove messages related to the numbers hardcoded into the malware, while others also attempt to remove messages related to the numbers retrieved from the server.

Our analysis of at least one of the variants indicates that the following numbers have been hardcoded into the different variants of YZHCSMS:

1000
10000
10086
100086
123456
617915
19000101
19860102
19861119
91316005
91316007
101011101
12345678911
1065800885566
052714034192100013309
1240000089393100527140341001

The following numbers exist in the 'mmssender' class:

052714034192100013309
10086
1240000089393100527140341001

At least one variant appears to intercept messages related to the following hardcoded numbers, via the 'SMSObserver' class:

10086
1065800885566

At this time, it is unclear whether these premium rate numbers will work outside of Asian markets. The Android Market data indicates that this application has only been downloaded an estimated 500 times.

A.ZSone.gen1

Name A.ZSone.gen1
Category
Release Date 2012/01/27
Update Number 47

ZSone SMS Trojan is a series of pirated, trojanized applications that affect Android devices. A developer by the name of "Zsone" published 13 of these applications, some of which use SMS to fraudulently register the unsuspecting user's device for premium services in China. Of the apps that have been analyzed, 11 of the 13 are known to operate in this fashion, using various premium rate numbers to register the device. Chinese users affected by these malicious applications may notice unsolicited charges to their mobile accounts as a result of their device being registered for these premium services.

The malicious applications identified from developer "Zsone" are as follows:

LoveBaby
iBook
iCartoon
Sea Ball
iCalendar
3D Cube horror terriblei
ShakeBanger
iMatch
对对碰
Shake Break
iSMS
iMine

The above applications are known to communicate with the following premium rate numbers, which will ONLY work inside Chinese mobile networks:

10086
1066185829
10000
10010
1066133
10655133
10621900
10626213
106691819
10665123085

In many cases, the SMS message sent to register the device with a premium service contains a special code in the body of the message to facilitate the registration, such as:

M6307AHD
aAHD
95pAHD
58#28AHD
YXX1
921X1

As previously stated, the premium services that these malicious applications attempt to register mobile accounts for will ONLY work inside Chinese mobile networks. Users outside of Chinese networks will not incur charges to their account from any messages their infected device may attempt to send.
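The YZHCSMS and ZSone entries (and the SPPush entries earlier on this page) describe one billing-fraud pattern: outbound SMS to premium short codes, a recognisable marker in the message body (the 'YZHC' prefix, or a ZSone registration code such as M6307AHD), sending on a fixed cadence (every 50 minutes for YZHCSMS), and deletion of the carrier's billing notices from 10086 and 1065800885566. The following is an added example, not Juniper's signature logic or code from either malware family: it runs those checks over an SMS activity log. The short codes and markers are the ones the entries list; the log lines are constructed for the example, and the 'deleted' event kind is an assumption about what a device-side SMS audit feed would record.

```python
from datetime import datetime, timedelta
from statistics import median

# Short codes and markers taken from the YZHCSMS and ZSone entries on this page
YZHC_NUMBERS = {
    "1000", "10000", "10086", "100086", "123456", "617915", "19000101", "19860102",
    "19861119", "91316005", "91316007", "101011101", "12345678911", "1065800885566",
    "052714034192100013309", "1240000089393100527140341001",
}
ZSONE_NUMBERS = {
    "10086", "1066185829", "10000", "10010", "1066133", "10655133", "10621900",
    "10626213", "106691819", "10665123085",
}
ZSONE_CODES = {"M6307AHD", "aAHD", "95pAHD", "58#28AHD", "YXX1", "921X1"}
BILLING_SENDERS = {"10086", "1065800885566"}    # numbers YZHCSMS's SMSObserver watches
PREMIUM_NUMBERS = YZHC_NUMBERS | ZSONE_NUMBERS


def parse_sms_log(text: str):
    """Parse constructed lines of the form '<ISO time> <sent|received|deleted> <peer> <body>'."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, peer, body = line.split(" ", 3)
        events.append({"t": datetime.fromisoformat(ts), "kind": kind, "peer": peer, "body": body})
    return events


def premium_hits(events):
    """Outbound messages matching a premium short code or a known registration marker."""
    hits = []
    for e in events:
        if e["kind"] != "sent":
            continue
        reasons = []
        if e["peer"] in PREMIUM_NUMBERS:
            reasons.append("premium_number")
        if e["body"].startswith("YZHC"):
            reasons.append("yzhc_prefix")
        if e["body"].strip() in ZSONE_CODES:
            reasons.append("zsone_registration_code")
        if reasons:
            hits.append((e["t"], e["peer"], reasons))
    return hits


def suppressed_billing(events, window=timedelta(seconds=60)):
    """Inbound messages from a billing sender that were deleted within `window` of arrival."""
    deletions = [e for e in events if e["kind"] == "deleted"]
    out = []
    for e in events:
        if e["kind"] == "received" and e["peer"] in BILLING_SENDERS:
            if any(d["peer"] == e["peer"] and e["t"] <= d["t"] <= e["t"] + window for d in deletions):
                out.append((e["t"], e["peer"]))
    return out


def periodic_senders(events, min_messages=3, tolerance=0.1):
    """Destinations messaged on a fixed cadence; returns {peer: interval_minutes}."""
    by_peer = {}
    for e in events:
        if e["kind"] == "sent":
            by_peer.setdefault(e["peer"], []).append(e["t"])
    result = {}
    for peer, times in by_peer.items():
        if len(times) < min_messages:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
            result[peer] = round(mid, 1)
    return result


def analyse(text: str):
    events = parse_sms_log(text)
    return {
        "premium": premium_hits(events),
        "billing_suppressed": suppressed_billing(events),
        "periodic": periodic_senders(events),
    }


# Constructed sample log (not captured from a real device)
SAMPLE_LOG = """
2012-01-27T10:00:00 sent 10086 YZHC0001
2012-01-27T10:00:20 received 10086 Your account has been charged for the YZHC service
2012-01-27T10:00:25 deleted 10086 Your account has been charged for the YZHC service
2012-01-27T10:12:00 sent +8613800138000 see you at 7
2012-01-27T10:50:00 sent 10086 YZHC0001
2012-01-27T11:05:00 received +8613800138000 ok
2012-01-27T11:40:00 sent 10086 YZHC0001
2012-01-27T12:30:00 sent 10086 YZHC0001
2012-01-27T12:31:00 sent 1066185829 M6307AHD
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

The cadence and billing-suppression checks matter more than the number list: the YZHCSMS entry says part of its target list is fetched from a server, so a static short-code list alone misses those numbers, while "send every 50 minutes and delete the reply from 10086" does not depend on which number was used. Short codes such as 10086 are also the carrier's legitimate service number, so a match on the number alone is a lead, not a verdict.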

A.ZSone.gen2

Name A.ZSone.gen2
Category
Release Date 2012/01/27
Update Number 47

ZSone SMS Trojan is a series of pirated, trojanized applications that affect Android devices. A developer by the name of "Zsone" published 13 of these applications, some of which use SMS to fraudulently register the unsuspecting user's device for premium services in China. Of the apps that have been analyzed, 11 of the 13 are known to operate in this fashion, using various premium rate numbers to register the device. Chinese users affected by these malicious applications may notice unsolicited charges to their mobile accounts as a result of their device being registered for these premium services.

The malicious applications identified from developer "Zsone" are as follows:

LoveBaby
iBook
iCartoon
Sea Ball
iCalendar
3D Cube horror terriblei
ShakeBanger
iMatch
对对碰
Shake Break
iSMS
iMine

The above applications are known to communicate with the following premium rate numbers, which will ONLY work inside Chinese mobile networks:

10086
1066185829
10000
10010
1066133
10655133
10621900
10626213
106691819
10665123085

In many cases, the SMS message sent to register the device with a premium service contains a special code in the body of the message to facilitate the registration, such as:

M6307AHD
aAHD
95pAHD
58#28AHD
YXX1
921X1

As previously stated, the premium services that these malicious applications attempt to register mobile accounts for will ONLY work inside Chinese mobile networks. Users outside of Chinese networks will not incur charges to their account from any messages their infected device may attempt to send.

A.ZSone.gen3

Name A.ZSone.gen3
Category
Release Date 2011/12/21
Update Number 43

ZSone SMS Trojan is a series of pirated, trojanized applications that affect Android devices. A developer by the name of "Zsone" published 13 of these applications, some of which use SMS to fraudulently register the unsuspecting user's device for premium services in China. Of the apps that have been analyzed, 11 of the 13 are known to operate in this fashion, using various premium rate numbers to register the device. Chinese users affected by these malicious applications may notice unsolicited charges to their mobile accounts as a result of their device being registered for these premium services.

The malicious applications identified from developer "Zsone" are as follows:

LoveBaby
iBook
iCartoon
Sea Ball
iCalendar
3D Cube horror terriblei
ShakeBanger
iMatch
对对碰
Shake Break
iSMS
iMine

The above applications are known to communicate with the following premium rate numbers, which will ONLY work inside Chinese mobile networks:

10086
1066185829
10000
10010
1066133
10655133
10621900
10626213
106691819
10665123085

In many cases, the SMS message sent to register the device with a premium service contains a special code in the body of the message to facilitate the registration, such as:

M6307AHD
aAHD
95pAHD
58#28AHD
YXX1
921X1

As previously stated, the premium services that these malicious applications attempt to register mobile accounts for will ONLY work inside Chinese mobile networks. Users outside of Chinese networks will not incur charges to their account from any messages their infected device may attempt to send.

A.Zsone.01

Name A.Zsone.01
Category
Release Date 2011/05/19
Update Number 1

ZSone SMS Trojan is a series of pirated, trojanized applications that affect Android devices. A developer by the name of "Zsone" published 13 of these applications, some of which use SMS to fraudulently register the unsuspecting user's device for premium services in China. Of the apps that have been analyzed, 11 of the 13 are known to operate in this fashion, using various premium rate numbers to register the device. Chinese users affected by these malicious applications may notice unsolicited charges to their mobile accounts as a result of their device being registered for these premium services.

The malicious applications identified from developer "Zsone" are as follows:

LoveBaby
iBook
iCartoon
Sea Ball
iCalendar
3D Cube horror terriblei
ShakeBanger
iMatch
对对碰
Shake Break
iSMS
iMine

The above applications are known to communicate with the following premium rate numbers, which will ONLY work inside Chinese mobile networks:

10086
1066185829
10000
10010
1066133
10655133
10621900
10626213
106691819
10665123085

In many cases, the SMS message sent to register the device with a premium service contains a special code in the body of the message to facilitate the registration, such as:

M6307AHD
aAHD
95pAHD
58#28AHD
YXX1
921X1

As previously stated, the premium services that these malicious applications attempt to register mobile accounts for will ONLY work inside Chinese mobile networks. Users outside of Chinese networks will not incur charges to their account from any messages their infected device may attempt to send.

A.Zsone.02

Name A.Zsone.02
Category
Release Date 2011/05/19
Update Number 1

ZSone SMS Trojan is a series of pirated, trojanized applications that affect Android devices. A developer by the name of "Zsone" published 13 of these applications, some of which use SMS to fraudulently register the unsuspecting user's device for premium services in China. Of the apps that have been analyzed, 11 of the 13 are known to operate in this fashion, using various premium rate numbers to register the device. Chinese users affected by these malicious applications may notice unsolicited charges to their mobile accounts as a result of their device being registered for these premium services.

The malicious applications identified from developer "Zsone" are as follows:

LoveBaby
iBook
iCartoon
Sea Ball
iCalendar
3D Cube horror terriblei
ShakeBanger
iMatch
对对碰
Shake Break
iSMS
iMine

The above applications are known to communicate with the following premium rate numbers, which will ONLY work inside Chinese mobile networks:

10086
1066185829
10000
10010
1066133
10655133
10621900
10626213
106691819
10665123085

In many cases, the SMS message sent to register the device with a premium service contains a special code in the body of the message to facilitate the registration, such as:

M6307AHD
aAHD
95pAHD
58#28AHD
YXX1
921X1

As previously stated, the premium services that these malicious applications attempt to register mobile accounts for will ONLY work inside Chinese mobile networks. Users outside of Chinese networks will not incur charges to their account from any messages their infected device may attempt to send.

A.Zsone.03

Name A.Zsone.03
Category
Release Date 2011/05/19
Update Number 1

ZSone SMS Trojan is a series of pirated, trojanized applications that affect Android devices. A developer by the name of "Zsone" published 13 of these applications, some of which use SMS to fraudulently register the unsuspecting user's device for premium services in China. Of the apps that have been analyzed, 11 of the 13 are known to operate in this fashion, using various premium rate numbers to register the device. Chinese users affected by these malicious applications may notice unsolicited charges to their mobile accounts as a result of their device being registered for these premium services.

The malicious applications identified from developer "Zsone" are as follows:

LoveBaby
iBook
iCartoon
Sea Ball
iCalendar
3D Cube horror terriblei
ShakeBanger
iMatch
对对碰
Shake Break
iSMS
iMine

The above applications are known to communicate with the following premium rate numbers, which will ONLY work inside Chinese mobile networks:

10086
1066185829
10000
10010
1066133
10655133
10621900
10626213
106691819
10665123085

In many cases, the SMS message sent to register the device with a premium service contains a special code in the body of the message to facilitate the registration, such as:

M6307AHD
aAHD
95pAHD
58#28AHD
YXX1
921X1

As previously stated, the premium services that these malicious applications attempt to register mobile accounts for will ONLY work inside Chinese mobile networks. Users outside of Chinese networks will not incur charges to their account from any messages their infected device may attempt to send.

A.Zsone.04

Name A.Zsone.04
Category
Release Date 2011/05/19
Update Number 1

Description identical to the ZSone SMS Trojan entry above.

A.Zsone.05

Name A.Zsone.05
Category
Release Date 2011/05/19
Update Number 1

Description identical to the ZSone SMS Trojan entry above.

A.Zsone.06

Name A.Zsone.06
Category
Release Date 2011/05/19
Update Number 1

Description identical to the ZSone SMS Trojan entry above.

A.Zsone.07

Name A.Zsone.07
Category
Release Date 2011/05/19
Update Number 1

Description identical to the ZSone SMS Trojan entry above.

A.Zsone.08

Name A.Zsone.08
Category
Release Date 2011/05/19
Update Number 1

Description identical to the ZSone SMS Trojan entry above.

A.Zsone.09

Name A.Zsone.09
Category
Release Date 2011/05/19
Update Number 1

Description identical to the ZSone SMS Trojan entry above.

A.Zsone.10

Name A.Zsone.10
Category
Release Date 2011/05/19
Update Number 1

Description identical to the ZSone SMS Trojan entry above.

A.Zsone.11

Name A.Zsone.11
Category
Release Date 2011/09/07
Update Number 7

Description identical to the ZSone SMS Trojan entry above.

ADRD

Name ADRD
Category
Release Date 2011/04/01
Update Number 1

ADRD appears in Android applications that have been pirated from official applications. Applications are downloaded from the official Android Market and unpacked, the malicious ADRD code is inserted, and the application is repackaged and then distributed on unofficial, 3rd party application repositories. As of now, ADRD is only known to exist in Chinese application repositories, but this threat could spread to other 3rd party sites relatively easily.

Once the attackers have tricked a user into downloading the application to their SD card and installing it, it registers itself to execute when one of the following conditions has been met:

- Twelve hours have passed since the OS started
- Network connectivity changed
- The device receives a phone call

ADRD then attempts to gather the following information:

- 3gnet
- 3gwap
- APN
- cmnet
- cmwap
- Hardware information
- IMEI
- IMSI
- Network connectivity
- uninet
- uniwap
- Wifi

Next, the Trojan encrypts the stolen information and attempts to send it to the following locations:

- [http://]adrd.taxuan.net/index[REMOVED]
- [http://]adrd.xiaxiab.com/pic.[REMOVED]

After ADRD has sent the above mentioned information to the remote servers, it receives a series of instructions that tell the trojan to begin its search engine manipulation activity by sending multiple HTTP requests to the following location:

wap.baidu.com/s?word=[ENCODED SEARCH STRING]&vit=uni&from=[ID]

The purpose of these search requests is to increase site rankings for a website.

ADRD can also be updated remotely by downloading and installing a new version of itself from:

sdcard/uc/myupdate.apk

ANSERVER

Name ANSERVER
Category
Release Date 2011/09/28
Update Number 39

Anserver is a series of malicious applications that target Android devices. Anserver infected applications introduce the ability to connect to a remote server controlled by the malware developer in order to download other malicious payloads to the device and install them without the user's consent. Anserver has also been known to attempt to identify mobile security applications and kill them.

Additionally, Anserver comes packaged in a legitimate, trojanized host application in order to trick the user into installing it. Once installed, Anserver infected applications install the malicious payload onto the device as "Touch Screen" by tricking the user into accepting a fake "upgrade" for the original host.

Once installed, Anserver can be triggered in a number of ways:
- Connectivity Change
- Power Connected
- USB mass storage connected or disconnected
- SMS message received
- Input method changed
- Boot completed
- Device unlocked

Upon successfully starting the malware, Anserver will phone home to check for new Command and Control (C&C) server addresses. If the connection is successful, Anserver will receive commands to update its C&C server database in plain-text XML.

Finally, Anserver is capable of transmitting potentially sensitive device information (OS version, IMEI number, device manufacturer and device model) to its developers.

AccuTracking

Name AccuTracking
Category
Release Date 2011/04/01
Update Number 1

Accutracking for Android

This signature detects the existence of the "Accutracking for Android" application on an Android device. Accutracking is an Android application that turns your mobile device into a GPS tracking device. While these types of GPS tracking capabilities are necessary and legitimate, Accutracking comes equipped with the ability to hide the application from the user. This type of stealth operation could potentially enable an unauthorized individual to track the location of an unintended victim.

AnserverBot

Name AnserverBot
Category
Release Date 2011/09/28
Update Number 39

Description identical to the ANSERVER entry above.

Backdoor.AndroidOS.GinMaster.a1

Name Backdoor.AndroidOS.GinMaster.a1
Category
Release Date 2012/01/25
Update Number 47

GingerMaster is the first Android malware that utilizes a root exploit against Android 2.3 (Gingerbread). Earlier Android malware that rooted devices to extend its functionality relied on root exploits against Android 2.2 and below.

GingerMaster follows the trend of repackaging its malicious code inside of legitimate applications. Once the trojanized app is installed, it registers a receiver so it can be notified when the system has successfully booted, and launches a service in the background that collects device identifying information to be uploaded to a remote server.

In addition to gathering this device information, GingerMaster infected apps will attempt to leverage the "GingerBreak" root exploit to elevate themselves to root privileges, and attempt to install a root shell into the system partition for use at a later time.

After gaining root privileges, GingerMaster attempts to connect to a remote Command and Control (C&C) server, where it will wait for instructions from the bot master. GingerMaster is then able to begin silently downloading and installing additional apps that could extend the functionality of the malware, by executing "pm install" in the root shell that was previously installed.

Backdoor.AndroidOS.GinMaster.a4

Name Backdoor.AndroidOS.GinMaster.a4
Category
Release Date 2012/01/30
Update Number 50

Description identical to the Backdoor.AndroidOS.GinMaster.a1 entry above.

Backdoor.AndroidOS.Kmin.c

Name Backdoor.AndroidOS.Kmin.c
Category
Release Date 2012/01/25
Update Number 47

KMin is a malicious application that affects Android devices. The trojan may pose as an Android app named "KMHome" and attempts to collect the Device ID, Subscriber ID, and current time of the device in order to send to a remote server.

BaseBrid1

Name BaseBrid1
Category
Release Date 2012/01/25
Update Number 47

BaseBridge comes in a series of pirated, trojanized, host applications that are designed to appear legitimate to an Android user. BaseBridge infected applications leverage the "udev" (BID 34536) vulnerability in Android 2.2 devices and below in order to obtain root privileges on an infected device.

Once root privilege has been obtained, BaseBridge infected applications drop their payload, "SMSApp.apk", which is stored in the application package as "/res/raw/anservb". Once successfully installed, "SMSApp.apk" connects to a remote server on port 8080 in order to send device identifying information, such as: "Subscriber ID", "Manufacturer and Model", and "Android version".

Secondarily, BaseBridge infected apps are configured to send a series of SMS messages to premium rate SMS numbers that charge the user's mobile account per message. These funds are almost always unrecoverable. BaseBridge can also remove SMS messages from the mobile device's inbox, so as to reduce the chances of the user noticing the premium SMS messages being sent, and can dial phone numbers without the user's consent.

BaseBridge

Name BaseBridge
Category
Release Date 2011/06/07
Update Number 1

Description identical to the BaseBrid1 entry above.

BatteryDoctor

Name BatteryDoctor
Category
Release Date 2011/10/26
Update Number 39

BatteryDoctor is a trojan application targeting Android users. While making exaggerated claims to be able to recharge an Android device's battery, BatteryDoctor captures the following private information from the device and sends it to a remote server:

- Device IMEI Number
- Phone Number
- Phone Book/contact data
- Name
- Email Address

BatteryDoctor's true intentions can be seen in the level of permissions it requests during installation:

- Gather information about current or recently running tasks.
- Access information and change the WiFi state.
- Discover and connect to paired Bluetooth devices.
- Check the phone's current state.
- Read or write to the system settings.
- Write to external storage devices.
- Open network connections.
- Access information about networks.
- Start once the device has finished booting.
- Make the phone vibrate.
- Access location information, such as Cell-ID or WiFi.
- Read contact data.

Bgserv

Name Bgserv
Category
Release Date 2011/04/01
Update Number 1

Bgserv affects Android devices and arrives as a pirated, trojanized, Android application that appears to be otherwise legitimate. Once a device is infected with Bgserv, the malware tucked inside of an otherwise legitimate application will attempt to gather device identifying information to be sent to a remote server. The information collected is as follows:

- IMEI Number
- Phone Number
- Installation Time
- Android Version
- SMS Center

Bgserv also attempts to open a backdoor on the device by downloading a list of viable commands that the malware developer can use to kick off additional functionality on the device, such as:

- Send SMS messages from the device
- Block incoming SMS messages
- Download a list of external links
- Download additional files
- Change the Access Point Name (APN) of the device
- Log its activities for debugging purposes

CellPhoneRecon

Name CellPhoneRecon
Category
Release Date 2011/04/01
Update Number 1

CellPhoneRecon is a commercial spyware application that could allow an unauthorized individual to monitor the communication and location of an unsuspecting user.

CellPhoneRecon enables an individual to monitor the SMS messages, call logs, emails sent and received, and GPS location data of an Android device, by automatically uploading records of the communication and location data to a remote server. The controlling/installing entity will then have access to the logs and data via a web portal. CellPhoneRecon has the ability to be installed, with physical access to a device, and subsequently configured to run in stealth mode.

These types of commercially available spying/tracking applications that have the ability to hide themselves from the user pose a specific risk to unsuspecting users, and should therefore be labeled spyware and detected, so as to alert the user of their existence. If CellPhoneRecon was knowingly and legally installed on an Android device, alerts should be ignored by the user.

DDLight-1

Name DDLight-1
Category
Release Date 2011/05/31
Update Number 1

DroidDream Light is a variant of its predecessor DroidDream, which hit the official Android Market. Like its predecessor, DroidDream Light appears in pirated, trojanized Android applications. Analysis indicates that the malicious code in these applications becomes active upon receipt of an incoming call. Once initiated, DroidDream Light gathers the following information to be sent to a remote server:

- IMEI Number
- Phone Number
- Device Model
- Android Version

DroidDream Light malware infected applications also contain the ability to download additional packages from a remote server for installation. Unlike its predecessor, DroidDream, DroidDream Light does not have the ability to install these additional applications in the background, so the user will be prompted for installation.

DroidDelux

Name DroidDelux
Category
Release Date 2011/09/30
Update Number 35

DroidDelux appears in pirated, trojanized Android applications. DroidDelux leverages the 'rageagainstthecage' root exploit in order to silently root Android devices running version 2.2 and below. Once the device has been rooted, DroidDelux makes several system files that contain the user's credentials world-readable, so they can be accessed by additional applications in order to steal sensitive account credentials.

After being launched, DroidDelux attempts to collect sensitive device information that is subsequently uploaded through Google Analytics to the remote attacker, with an account ID of 'UA-19670793-1'.

The device information uploaded to the attacker is as follows:

- Phone Model
- Device Manufacturer
- Device Brand

The specific files containing user credentials that are "unlocked" are as follows:

/data/system/accounts.db
/data/data/com.android.email/databases/EmailProvider.db
/data/data/com.android.providers.contacts/databases/contacts2.db
/data/data/com.android.providers.telephony/databases/mmssms.db

These files contain the user's confidential information, such as account names, authtokens and contacts.

Analysis does not indicate any additional payloads are included in DroidDelux infected applications.

DroidDream

Name DroidDream
Category
Release Date 2011/04/01
Update Number 1

DroidDream was the first complex Trojan for Android to appear in the Android Market. DroidDream arrived in a series of pirated, trojanized applications whereby the malware developer stuffed malicious code into legitimate applications and released them alongside the legitimate apps.

DroidDream leveraged the 'rageagainstthecage' root exploit in order to gain root privileges on infected devices. Once rooted, DroidDream infected applications installed an additional payload, contained inside the package, silently in the background and without the user's knowledge. This additional package allows the trojan to capture the device's:

- Product ID
- Model
- Service Provider
- Device Language
- UserID configured on the device

This information is then transmitted to a remote server.

DroidDream then went further by embedding the ability for the trojan to download and install additional applications in the background, at will. This capability could further extend the malware's abilities, all without the user's knowledge.

DroidDream-Inside

Name DroidDream-Inside
Category
Release Date 2011/07/27
Update Number 1

DroidDream-Inside detects the payload that is contained inside of DroidDream infected applications and is installed on a victim's device at the time of infection.

DroidKungFu

Name DroidKungFu
Category
Release Date 2011/06/06
Update Number 1

Droid KungFu is Android malware that arrives in repackaged apps that have been pirated and trojanized to include the malicious code that gives it its functionality, inside of alternative markets targeting Chinese-speaking users.

Droid KungFu leverages the 'udev' and 'rageagainstthecage' root exploits to silently gain root access to an infected device. Upon installation, an infected application registers a new service and a new receiver with the device, so that the receiver is notified once the device reboots and can automatically launch the service in the background. The launched service decrypts the encrypted root exploit payloads and launches the exploits against the device, attempting to elevate to root permissions.

Once root has been obtained, Droid KungFu will attempt to collect device information to be sent to a remote server. The following device information is collected:

- IMEI Number
- Device Model
- Android Version

Once the malware has collected and transmitted the necessary information to register the device to the remote server, with root privileges on the device, Droid KungFu will attempt to install an additional package onto the device in the background, without the user's consent. The installed app, 'legacy', pretends to be a legitimate Google Search application with the same application icon. 'Legacy' is actually a backdoor, which connects to a remote server in order to receive commands and instructions on what to do next, essentially turning the infected device into a bot.

DroidKungFu2

Name DroidKungFu2
Category
Release Date 2011/07/04
Update Number 1

Droid KungFu2 is a variant of the original Droid KungFu malware that was packaged into pirated, trojanized Android applications. Containing much of the same functionality as its predecessor, Droid KungFu2 attempts to obfuscate portions of its code that were written in Dalvik code (based on Java) by using native code instead. It also employs two additional command and control (C&C) domains, whereas its predecessor only uses one C&C domain.

These changes were made in such a way as to confuse existing detection methods and to slow down analysis by making it more difficult for researchers to analyze and identify communication and other capabilities of the malware.

DroidKungFu3

Name DroidKungFu3
Category
Release Date 2011/09/07
Update Number 5

Droid KungFu3 is the third variant in the series of Droid KungFu malware affecting Android devices. Just as its predecessors, Droid KungFu3 arrives in pirated, trojanized applications for Android devices. Droid KungFu3 attempts to go further in its efforts to obfuscate its true intentions. Where Droid KungFu2 added two additional command and control (C&C) servers and hardcoded them in native code, Droid KungFu3 actually encrypts all three C&C server addresses to add further difficulty to reverse engineering the malware.

The main purpose of Droid KungFu3 doesn't change with the subtle variations. Just as with its predecessors, Droid KungFu3 leverages one of two root exploits to gain root privileges on an infected device. Once root has been obtained, it will attempt to install an embedded APK (Android package), which masquerades as a fake Google Update application.

If the embedded application is successfully installed, it does not display an application icon to the user. In reality, the app that is installed opens a backdoor to the device, which will connect to remote servers for instructions, effectively turning the device into a bot.

Eicar

Name Eicar
Category
Release Date 2011/09/28
Update Number 39

EICAR ANTI-VIRUS TEST APPLICATION
THIS APP IS NOT HARMFUL. IT WILL NOT HARM YOUR DEVICE IN ANY WAY.

This app simply displays a message similar to this one and nothing more. It requires no permissions on installation. It does not read your data, access the internet, or create any files. It does not run in the background, start automatically, or do anything at all other than display a message.

It does, however, contain some text, created by the European Institute for Computer Antivirus Research (EICAR), which is designed to be safely detected by all anti-virus products as a virus, so that people can test their anti-virus applications to see if they're working correctly, without having to actually infect their devices with a real virus or other malware.

To make it absolutely clear - this app is completely harmless, but should be detected as a virus. This is its entire purpose. If you run an anti-virus app on your phone, it should detect this app as a virus when you install it.

For further details please search for "EICAR test file" on Wikipedia or visit EICAR's website itself at eicar.org.

Exploit.Linux.Lotoor

Name Exploit.Linux.Lotoor
Category
Release Date 2012/01/25
Update Number 47

Exploit.Linux.Lotoor is a malicious application that targets Android devices with a root exploit that is effective against Android versions up to 2.3. This malware requires user intervention in order to install the host application. Once installed, the repackaged application will launch the root exploit against the device in an attempt to gain root privileges. Inside the "asset" folder exist four separate files that are key to the functionality of the malware; they are renamed with .sh extensions when the host application is installed:

- gbfm.png
- install.png
- installsoft.png
- runme.png

Upon successfully obtaining root, the malware runs the newly renamed "install.sh" file in order to set (chmod 4775) the system partition's file permissions. The shell is then copied from "/system/bin/sh" to a new folder created by the malicious application, "/system/xbin/appmaster", and the partition is remounted. This allows the shell to be accessed whenever it needs to be.

This exploit will only work on a device that has a mounted SD card.

Fake-netFlic

Name Fake-netFlic
Category
Release Date 2011/10/26
Update Number 39

Fake-netFlic is a trojan application masquerading as the NetFlix app for Android devices. Upon installation, Fake-netFlic requests the following permissions, which go beyond those requested by the official NetFlix app:

- Open network connections.
- Access information about networks.
- Access information about the WiFi state.
- Check the phone's current state.
- Prevent the processor from sleeping or the screen from dimming.
- Inject user events into the event stream and deliver them to any window.
- Allow access to low-level system logs.
- Write to external storage devices.
- Gather debug logs.
- Gather information about currently or recently run tasks.

Fake-netFlic presents a login screen that closely resembles the login screen of the official NetFlix application. There are subtle differences, however. In actuality, when the user enters their NetFlix credentials in the fake login page, they will never be logged in. The malware immediately sends the credentials to a remote server.

FakePlayer

Name FakePlayer
Category
Release Date 2011/04/01
Update Number 1

"Fake Player" is the first SMS Trojan application known to affect Android devices. This application arrives on the handset in the form of an APK (Android Package) named "ru.apk"; it exists in the device's application list as "org.me.androidapplication1" and appears in the application drawer as "Movie Player". Analysis indicates that "Fake Player" is rather rudimentary in that the developer created a simple "Hello, World" application and modified the code to include very basic SMS functionality by requesting the "SMS_SEND" permission. As an SMS Trojan, once installed, "Fake Player" will send SMS messages with "798657" in the message body to the premium SMS number "3353", which charges the user's mobile account for each message sent. Once that message has been sent, the Trojan will send the same message to short code "3354", then send a 3rd message to "3353".

Analysis indicates that "Fake Player" was only distributed through 3rd party channels and never existed in any of the localized Android Markets. Additionally, it is not believed that "Fake Player" would function properly outside of Russian carrier networks, as the short codes that were configured exist inside Russian networks and would not be reachable from carrier networks outside of Russia. Additionally, "Fake Player" is unable to self-propagate: the device's user must initiate the necessary actions to install the application and must confirm that he/she approves of the permissions being requested.

FlexiSpy

Name FlexiSpy
Category
Release Date 2012/02/22
Update Number 50

FlexiSpy is commercial spyware that affects most major mobile platforms. FlexiSpy records phone calls and SMS messages and sends them to a remote server. It is sold as an actual application designed for this purpose, but because it runs stealthily without any indication of its purpose, it is classified as a trojan. FlexiSpy comes in several different packages with escalating feature sets. The full feature set is as follows:

- Remote Listening
- Control Phone By SMS
- SMS and Email Logging
- Call History Logging
- Location Tracking
- Call Interception
- GPS Tracking
- Shield
- Black List
- White List
- Web Support
- Secure Login
- View Report
- Advanced Searches
- Download Report
- Special Features
- SIM Change Notification
- GPRS Capability Required
- Listen to Recorded Conversation

Foncy

Name Foncy
Category
Release Date 2011/12/09
Update Number 43

Foncy is an SMS trojan application that has been repackaged into legitimate apps. It uses a particular method that allows it to retrieve the device's country code in order to send premium rate SMS messages to specific numbers within the appropriate country. Foncy is only known to affect European countries and users at this time.

GGTracker

Name GGTracker
Category
Release Date 2011/06/23
Update Number 1

GGTracker is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers as well as collects sensitive device information.

When the Trojan is executed, it sends the phone number of the compromised device so that the controlling server can send SMS messages to the device.

Next, the Trojan monitors received SMS messages and intercepts SMS messages from the following numbers:

00033335
00036397
33335
36397
46621
55991
55999
56255
96512
99735

It also responds to SMS messages from 41001 by sending the following SMS message:
YES

The Trojan may collect the following information:

- Device phone number
- Name of the network operator
- Sender and body of intercepted SMS messages
- Sender and body of SMS messages in the Inbox
- Version of the Android operating system

The gathered information is then sent to the following location:
http://www.amaz0n-cloud.com/droid/droid.php

Geinimi

Name Geinimi
Category
Release Date 2011/04/01
Update Number 1

Geinimi is an Android Trojan that has the ability to harvest and transmit personal and device identifying information to remote servers. Being the most sophisticated Android malware to date, Geinimi also introduces botnet capabilities with clear indications that command and control (C&C) functionality could be a part of the Geinimi code base. To date, no evidence of the actual C&C communication has been identified, but the channels are clearly evident during analysis. Geinimi has the following capabilities:

- Monitor and send SMS messages
- Delete selected SMS messages
- Monitor and send location data
- Harvest and send device identifying data (IMEI/IMSI)
- Download and prompt the user to install 3rd party applications
- Enumerate and transmit the list of applications installed on the infected device
- Place phone calls
- Silently download files
- Launch the browser with a pre-defined URL

Up to this point, Geinimi infected applications have only appeared in 3rd party application repositories in China and can only be installed by "side loading" the infected applications. Geinimi HAS NOT appeared in the official Android Market. In fact, Geinimi appears in a number of authentic applications that were pirated from the Android Market, disassembled, had the Geinimi code packed into the applications and were re-assembled.

In addition to the sophisticated features of Geinimi infected applications, Geinimi also goes to great lengths to obfuscate and encrypt the malicious behavior in both the Geinimi code and in the communication that occurs. In order to hinder analysis attempts, the Geinimi authors encrypted particular strings in the code using a weak DES cipher. Fortunately, the weak key of "12345678" was easily identified in the code, allowing important strings to be decrypted for analysis.

The communications between Geinimi infected devices and their controlling servers are also encrypted with the same DES cipher and key as the encrypted strings. In this scenario, Geinimi attempts to encrypt what would otherwise be clear text HTTP requests to make the traffic appear less conspicuous.

The following URLs have been identified within Geinimi code as URLs of interest over port 8080:

- www.widifu.com
- www.udaore.com
- www.frijd.com
- www.piajesj.com
- www.qoewsl.com
- www.weolir.com
- www.uisoa.com
- www.riusdu.com
- www.aiucr.com
- 117.135.134.185

Initial analysis of Geinimi indicated that a handful of applications were affected. The Juniper GTC has identified at least 24 different applications that are infected with Geinimi. The following Android packages are known to be infected by Geinimi code:

- com.moonage.iTraining – Detected as A.Geinimi.01
- com.sgg.sp – Detected as A.Geinimi.02
- com.bitlogik.uconnect – Detected as A.Geinimi.03
- com.ubermind.ilightr – Detected as A.Geinimi.04
- com.outfit7.talkinghippo – Detected as A.Geinimi.05
- com.littlekillerz.legendsarcana – Detected as A.Geinimi.07
- com.xlabtech.MonsterTruckRally – Detected as A.Geinimi.08
- cmp.LocalService – Detected as A.Geinimi.09
- jp.co.kaku.spi.fs1006.Paid – Detected as A.Geinimi.10
- com.xlabtech.HardcoreDirtBike – Detected as A.Geinimi.11
- cmp.netsentry – Detected as A.Geinimi.12
- com.dseffects.MonkeyJump2 – Detected as A.Geinimi.13
- com.wuzla.game.ScooterHero_Paid – Detected as A.Geinimi.14
- com.masshabit.squibble.free – Detected as A.Geinimi.15
- signcomsexgirl1.mm – Detected as A.Geinimi.16
- redrabbit.CityDefense – Detected as A.Geinimi.17
- com.gamevil.bs2010 – Detected as A.Geinimi.18
- com.computertimeco.android.alienspresident – Detected as A.Geinimi.19
- com.apostek.SlotMachine.paid – Detected as A.Geinimi.20
- sex.sexy – Detected as A.Geinimi.21
- com.swampy.sexpos – Detected as A.Geinimi.22
- com.ericlie.cg5 – Detected as A.Geinimi.23
- chaire1.mm – Detected as A.Geinimi.24

As previously mentioned, Geinimi infected applications were not found to have been accessible from the official Android Market. As with all Android applications, users must physically install Geinimi infected applications and approve the permissions that are being requested. Android users are encouraged to be especially mindful of the context of each and every application when considering the permissions it is requesting. This is especially true when "side loading" Android applications from 3rd party application repositories.

GingerMaster

Name GingerMaster
Category
Release Date 2012/01/25
Update Number 47

GingerMaster is the first Android malware that utilizes a root exploit against Android 2.3 (Gingerbread), unlike previous Android malware variants capable of rooting devices to extend its functionality, which leveraged root exploits against 2.2 versions of Android and below.

GingerMaster follows the trend of repackaging its malicious code inside of legitimate applications. Once the trojanized app is installed, it registers a receiver so it can be notified when the system has successfully booted as well as launches a service in the background that collects device identifying information to be uploaded to a remote server.

In addition to gathering this device information, GingerMaster infected apps will attempt to leverage the "GingerBreak" root exploit to elevate themselves to root privileges, as well as attempt to install a root shell into the system partition for use at a later time.

After gaining root privileges, GingerMaster attempts to connect to a remote Command and Control (C&C) server, where it will wait for instructions from the bot master. GingerMaster is then able to begin silently downloading and installing additional apps that could extend the functionality of the malware, by executing "pm install" in the root shell that was previously installed.

GoldDream

Name GoldDream
Category
Release Date 2011/07/04
Update Number 1

"GoldDream" is Android malware that was found in an app called "Fast Racing". "Fast Racing" is a drag racing game that appears to function properly with the malicious code tucked away in the background.

“Fast Racing” comes with a package name of “com.creativemobi.DragRacing”, and requests permissions above and beyond those that a game would need to operate. Alert users could potentially identify this as a malicious application by observing that it requests the following permissions:

- Your Messages
- Your Location
- Network Communication
- Storage
- Services that cost you money
- Phone Calls

We’ve since identified 6 additional applications infected with GoldDream malware. These apps can be found with the following package names:

Pure Girls 16 – com.GoldDream.pg03
Pure Girls 16 – com.GoldDream.pg04
Pure Girls 16 – com.GoldDream.pg
Forrest Defender – com.droid.game.forestman
DevilDom Ninja – com.droidstu.game.devilninja
Blood vs Zombie – com.gamelio.DrawSlasher

Android applications found to be infected with the GoldDream malware can monitor all inbound and outbound SMS messages and phone calls on the infected mobile device. The malware listens to these communications and captures the phone number associated with the messages or calls. In the case of SMS messages, GoldDream also captures the contents of the messages and stores all of the captured data in two different text files on the mobile handset until it receives the command to ship the captured data off to the controlling server:

- [redacted]phonecall.txt
- [redacted]sms.txt

Once a message or call is received/sent, these files are created in the /data/data/app_name/files folder on the device.

GoldDream infected applications also include Command and Control (C&C) capabilities for a commanding server to direct the malware to perform some configured function. Analysis of the malware indicates that the C&C server may be able to tell the infected devices to perform the following functions:

- Send SMS messages in background
- Make phone calls in the background
- Install/un-install applications in the background
- Upload a file to remote server

GraySpyware

Name GraySpyware
Category
Release Date 2011/04/01
Update Number 1

Gray Spyware is non-commercial spyware that was one of the first of its kind to be found in the Android Market. GraySpyware was a very basic form of SMS spyware that was marketed as a means to monitor the text messages of an unsuspecting user. Once installed, GraySpyware masqueraded as a basic Android browser application, but would capture all sent and received SMS messages and forward them to a remote server for monitoring.

HippoSMS

Name HippoSMS
Category
Release Date 2011/07/12
Update Number 1

HippoSMS arrives in cracked versions of legitimate applications, targeting Asian users. Once installed, HippoSMS will send SMS messages to premium rate numbers with a message body of "8". It also monitors incoming SMS messages and deletes any incoming message that starts with "10".

Jifake

Name Jifake
Category
Release Date 2012/01/25
Update Number 47

Jifake arrives as a pre-download of a Russian modification of the instant messaging application JIMM. This pre-download asks the end user to send SMS messages to a short number (2476), with body "744155jimm", to get the full version. The victim is charged for the cost of that SMS message.

Another variant of Jifake sends the SMS to the short number 1899. The SMS has the following body: 1107[APPLICATION_CODE]1[RANDOM NUMBER].4

KidLogger

Name KidLogger
Category
Release Date 2011/07/29
Update Number 1

KidLogger is non-commercial spyware for Android devices. Still existing in the Android Market today, Kid Logger's Market description is as follows:

Record phone and user activity into a log file:
- Record all calls
- SMS text with recipient name
- Wi-fi connections
- GSM states (Airmode, Operator name etc.)
- SD card usage by USB connection
- Record all used Applications
- Logs visited web sites (standard browser only)
- Log keystrokes typed on onscreen keyboard and clipboard text
- Also records phone coordinates and created photos.
- Works hidden in background
- password protected
- Keeps user activity log files for 5 days or Uploads it into your Kidlogger.net account. Anytime You can view the phone activity journal online.

After install - restart your phone - and call *123456# to open and activate KidLogger App.
If you don't want to restart - install "Soft Keyboard PRO" input method. See "Soft Keyboard PRO" app for details.

KidLogger is labeled as spyware because it contains the ability to hide itself from the user. While these types of applications certainly provide a necessary service to parents who would like to be aware of their child's online and mobile activities, it also provides an unauthorized user the ability to illegally monitor an unsuspecting person.

Kmin

Name Kmin
Category
Release Date 2012/03/06

KMin is a malicious application that affects Android devices. The trojan may pose as an Android app named "KMHome" and attempts to collect the Device ID, Subscriber ID, and current time of the device in order to send to a remote server.

KungFu

Name KungFu
Category
Release Date 2012/01/25
Update Number 47

Droid KungFu is Android malware that arrives in repackaged apps that have been pirated and trojanized to include the malicious code that gives it its functionality, inside of alternative markets targeting Chinese-speaking users.

Droid KungFu leverages the 'udev' and 'rageagainstthecage' root exploits to silently gain root access to an infected device. Upon installation of an infected application, the malware registers a new service and a new receiver with the device so that the receiver will be notified once the device reboots and can automatically launch the service in the background. The launched service decrypts the encrypted root exploit payloads and launches the exploits against the device, attempting to elevate to root permissions.

Once root has been obtained, Droid KungFu will attempt to collect device information to be sent to a remote server. The following device information is collected:

- IMEI Number
- Device Model
- Android Version

Once the malware has collected and transmitted the necessary information to register the device to the remote server, with root privileges on the device, Droid KungFu will attempt to install an additional package onto the device in the background, without the user's consent. The installed app, 'legacy', pretends to be a legitimate Google Search application with the same application icon. 'Legacy' is actually a backdoor, which connects to a remote server in order to receive commands and instructions on what to do next, essentially turning the infected device into a bot.

KungFu.a

Name KungFu.a
Category
Release Date 2012/01/25
Update Number 47

Droid KungFu2 is a variant of the original Droid KungFu malware that was packaged into pirated, trojanized Android applications. Containing much of the same functionality as its predecessor, Droid KungFu2 attempts to obfuscate portions of its code that were written in Dalvik code (based on Java) by using native code instead. It also employs two additional command and control (C&C) domains, whereas its predecessor only uses one C&C domain.

These changes were made in such a way as to confuse existing detection methods and to slow down analysis by making it more difficult for researchers to analyze and identify communication and other capabilities of the malware.

KungFu.b

Name KungFu.b
Category
Release Date 2012/01/25
Update Number 47

Droid KungFu3 is the third variant in the series of Droid KungFu malware affecting Android devices. Just as its predecessors, Droid KungFu3 arrives in pirated, trojanized applications for Android devices. Droid KungFu3 attempts to go further in its efforts to obfuscate its true intentions. Where Droid KungFu2 added two additional command and control (C&C) servers and hardcoded them in native code, Droid KungFu3 actually encrypts all three C&C server addresses to add further difficulty to reverse engineering the malware.

The main purpose of Droid KungFu3 doesn't change with the subtle variations. Just as with its predecessors, Droid KungFu3 leverages one of two root exploits to gain root privileges on an infected device. Once root has been obtained, it will attempt to install an embedded APK (Android package), which masquerades as a fake Google Update application.

If the embedded application is successfully installed, it does not display an application icon to the user. In reality, the app that is installed opens a backdoor to the device, which will connect to remote servers for instructions, effectively turning the device into a bot.

LeeCookSpyware

Name LeeCookSpyware
Category
Release Date 2011/04/01
Update Number 1

LeeCook Spyware is non-commercial spyware that was one of the first of its kind to be found in the Android Market. LeeCook Spyware was a very basic form of SMS spyware that was marketed as a means to monitor the text messages of an unsuspecting user. Once installed, LeeCook Spyware masqueraded as a basic Android browser application, but would capture all sent and received SMS messages and forward them to a remote server for monitoring.

LoveTrap

Name LoveTrap
Category
Release Date 2011/09/07
Update Number 5

LoveTrap is an Android trojan that sends SMS messages to premium rate numbers. Once installed, LoveTrap retrieves premium rate numbers from a remote server in order to send the SMS messages that will be charged to the mobile user's account.

The Trojan will then attempt to go further and block any incoming confirmation SMS messages from any of the premium rate numbers in order to mask its activities.

MobinautenSMSSpy

Name MobinautenSMSSpy
Category
Release Date 2011/04/01
Update Number 1

Mobinauten SMS Spy exists in the Android Market and is described as an application that can assist a user in finding a lost or stolen device. SMS Spy is being labeled as spyware because it hides itself from the user and does not insert an application icon in the application drawer on the device. SMS Spy arrives with a package name of "de.mobinauten.smsspy" and an application name of "SMS Spy".

SMS Spy requires that an attacker send an SMS message to the device with a pre-configured message of "How are you???". The located device will respond to the sender with 3 SMS messages. The 1st confirms receipt of the locate message. The 2nd replies with the GPS coordinates and address of the device. The 3rd reply contains a URL that links to a Google Map of the device's location.

SMS Spy gives the user the option of hiding the incoming "locate" SMS message. In this case, a separate contact must be created on the target device with the surname listed as "systemnumber" and the rest of the information blank. When this "systemnumber" contact exists on the target device, SMS Spy will delete a properly constructed locate message and will modify the message that is sent to the system notification to read "Internal Service – SMS Database optimized and compressed".

SMS Spy could certainly be considered a useful application, if used properly. However, since it takes measures to hide itself from the user and could allow an attacker to obfuscate the incoming locate message, it will be labeled as Android spyware so the user can make an informed decision of whether the application should remain on the device.

NickySpy

Name NickySpy
Category
Release Date 2011/09/07
Update Number 5

NickySpy is a malicious program that affects Android devices. NickySpy arrives as an app named "Android System Manager", but really only collects information about the device and sends it to a remote server. NickySpy is capable of capturing the following information:

- Voice calls
- SMS messages
- GPS location information
- International Mobile Equipment Identity (IMEI)
- IP address

The malware stores the voice call data on the SD card in a folder named '/sdcard/shangzhou/callrecord', and creates a timer event to initiate data collection and upload these details to the remote server.

PJApps

Name PJApps
Category
Release Date 2011/04/01
Update Number 1

PJApps is typically found in Android applications that have been pirated from the official Android Market, deconstructed, packed with malicious code, and then passed off as legitimate apps in 3rd party, Chinese app stores.

When the Trojan is executed, it requests permissions to perform the following actions:

- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user’s browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone’s state (i.e. out of service, radio off, etc)

It then creates a service that runs in the background. The threat launcher is triggered whenever the reception signal of the device changes.

When the service is started it tries to register itself using the following URL:

http://mobile.meego91.com/mm.do?..[PARAMETERS]

Note: [PARAMETERS] is a variable that contains the following information from the device

- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number

The threat may send a message to a mobile number controlled by the attackers with the infected device’s IMEI number. The mobile number where this message is sent to is obtained from the following URL:

http://log.meego91.com:9033/android.log?[PARAMETERS]

The threat downloads commands from the following location:

http://xml.meego91.com:8118/push/newandroidxml/…

The commands are enclosed within an .xml file and include the following:

note: This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:

- blacklisting: If specified, the mobile's number will be sent to a remote server to check whether it has been blacklisted, in which case the message won't be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check will be performed by issuing a request with the following format: ($blacklist_url) + "/?tel=" + mobilenumber
- response blocking: Android.Pjapps also listens for incoming messages; this allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn't read them. Beginning-of-message and end-of-message strings are among the supported filters.

push: This command performs SMS spamming and requires the following parameters:

- Content of the text message
- A URL to add at the end of the message contents
- Mobile numbers to send the text to, separated by '#'

soft: This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.

window: This command makes the mobile navigate to a given website. Android.Pjapps has a preference of which browser to use, checking for the presence of the following browsers:

- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn

mark: The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:

xbox: This command has been found in Android.Pjapps parsing code but it seems to be unimplemented.

PirateText

Name PirateText
Category
Release Date 2011/04/01
Update Number 1

PirateText is a pirated version of a top rated Android application named "Walk and Text". The official developers of "Walk and Text" released a new version of their application to the Android Market, and within hours it was pirated from the Market, had malicious code grafted into the package, and was redistributed as the legitimate version in third-party application stores.

The version that was pirated from the Market was version 1.3.6. The current Market version is 1.5.3. The version that has the malicious code is version 1.3.7. As far as we can tell, version 1.3.7 is not an official update to the legitimate application that was pushed out from Incorporate Apps. It looks like version 1.3.7 that exists is actually version 1.3.6 with malicious code written in and was subsequently signed with a different self-signed certificate than the one used by Incorporate Apps. This is a good indication that someone else repackaged this application because they did not have access to the legitimate certificate from the original developer.

The malicious “Walk and Text v1.3.7” application appears to function normally to the user. However, in the background it sends an SMS message to all of the device’s contacts with the following message:

“Hey,just downlaoded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap,it costed only 1 buck.Don’t steal like I did!”

“Walk and Text v1.3.7” does not do anything other than send annoying SMS messages to the device’s contacts. The nature of the SMS message that is sent would indicate that someone wanted to make a point that downloading pirated applications is unethical, but the method they used is just as unethical.

Plankton

Name Plankton
Category
Release Date 2011/06/07
Update Number 1

Plankton is Android malware that arrives as a pirated, trojanized application. Plankton was originally identified by researchers at North Carolina State University, who found that Plankton-infected apps use Dalvik's dynamic class loading capability to run additional code stealthily on the Android device.

Once an infected app is loaded onto the mobile device, the malware adds a background service that starts when the application is executed. This background service collects identifying information such as the IMEI from the infected Android device, gathers the list of permissions that were requested by the host application, and sends them off to a remote server.

Once the server has received this information, it sends back a URL for the on-device malware to reach out to in order to retrieve a .jar file, which loads itself automatically and enables botnet-like functionality on the infected Android device. The downloaded .jar file also goes on to retrieve information such as browser history and bookmarks, dumps the device's adb log, and is capable of capturing account credentials stored on the device.

SMSBomber

Name SMSBomber
Category
Release Date 2011/04/01
Update Number 1

SMSBomber is a simple SMS bomb application developed for Android devices. It attempts to flood a remote Android device with so many SMS messages that it adversely affects the recipient's ability to send and receive SMS messages.

SMSReplicator

Name SMSReplicator
Category
Release Date 2011/04/01
Update Number 1

SMS Replicator comes in two versions. The nefarious version is named “Secret SMS Replicator” and the non-nefarious version is named “SMS Replicator”. Both applications were developed and published to the Android Market by DLP Mobile, who normally develops applications for the iPhone. Both versions of SMS Replicator allow an attacker to configure the application to forward SMS messages sent to and from the infected device to a phone of their choice for monitoring purposes. The only difference between the two applications is that the “secret” version hides itself from the user by providing no application icon or accessible interface unless a specially crafted SMS message is sent to the infected device. Once inside the application interface, both applications look exactly the same.

Both versions of the SMS Replicator application were released to the Android Market, but “Secret SMS Replicator” was removed from the Market for violating its terms of service by explicitly marketing itself as a spyware application designed to violate the privacy of an unsuspecting user. “Secret SMS Replicator” is still available for purchase from 3rd party sources outside of the Android Market.

“Secret SMS Replicator” has the following package name:

com.dlp.SMSReplicatorSecret

“SMS Replicator” has the following package name:

com.dlp.SMSReplicator

Both applications request the following Android permissions upon installation:

android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS

Both variants of SMS Replicator require that an attacker gain physical access to a target device in order to install the spyware application.

SMSReplicatorSecret

Name SMSReplicatorSecret
Category
Release Date 2011/04/01
Update Number 1

SMS Replicator comes in two versions. The nefarious version is named “Secret SMS Replicator” and the non-nefarious version is named “SMS Replicator”. Both applications were developed and published to the Android Market by DLP Mobile, who normally develops applications for the iPhone. Both versions of SMS Replicator allow an attacker to configure the application to forward SMS messages sent to and from the infected device to a phone of their choice for monitoring purposes. The only difference between the two applications is that the “secret” version hides itself from the user by providing no application icon or accessible interface unless a specially crafted SMS message is sent to the infected device. Once inside the application interface, both applications look exactly the same.

Both versions of the SMS Replicator application were released to the Android Market, but “Secret SMS Replicator” was removed from the Market for violating its terms of service by explicitly marketing itself as a spyware application designed to violate the privacy of an unsuspecting user. “Secret SMS Replicator” is still available for purchase from 3rd party sources outside of the Android Market.

“Secret SMS Replicator” has the following package name:

com.dlp.SMSReplicatorSecret

“SMS Replicator” has the following package name:

com.dlp.SMSReplicator

Both applications request the following Android permissions upon installation:

android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS

Both variants of SMS Replicator require that an attacker gain physical access to a target device in order to install the spyware application.

SMSSpyFree

Name SMSSpyFree
Category
Release Date 2011/04/01
Update Number 1

SMS Spy Free is a trial version of the paid app SMS Spy Pro. SMS Spy Free captures SMS messages and silently emails them to a pre-configured email address as a means to spy on the communications of an unsuspecting user. SMS Spy Free masquerades as a "Tip Calculator" and was found on the official Android Market.

Because SMS Spy Free actively attempts to hide itself and its intentions by masquerading as a "Tip Calculator", it provides the opportunity for an unauthorized user to spy on the communications of an unsuspecting user. As such, it is categorized as non-commercial spyware.

SMSSpyPro

Name SMSSpyPro
Category
Release Date 2011/04/01
Update Number 1

SMS Spy Pro is non-commercial spyware targeting Android devices that captures SMS messages and silently emails them to a pre-configured email address as a means to spy on the communications of an unsuspecting user. SMS Spy Pro masquerades as a "Tip Calculator" and was found on the official Android Market.

Because SMS Spy Pro actively attempts to hide itself and its intentions by masquerading as a "Tip Calculator", it provides the opportunity for an unauthorized user to spy on the communications of an unsuspecting user. As such, it is categorized as non-commercial spyware.

SkypwnedPOC

Name SkypwnedPOC
Category
Release Date 2011/04/15
Update Number 1

Skypwned is a proof-of-concept (POC) application that was developed specifically to illustrate the capabilities of exploiting a vulnerability in Skype for Android. Skypwned POC is not overtly malicious, but should still be removed from a device if it is detected.

SndApps

Name SndApps
Category
Release Date 2011/07/18
Update Number 1

SndApps is Android malware that arrives in applications that appear to be games for Android devices. SndApps accesses various types of device identifying information and forwards it on to a remote server. The following information is accessed and transmitted:

- Carrier/Service Provider
- Country Code
- Device ID/IMEI Number
- Email Addresses Associated with the Device
- Phone Number

SndApps-infected applications do not appear to have been repackaged from legitimate developers' apps. In this case, it appears that the same developers that created the original applications came back at a later date and included the malicious code in subsequent versions of the applications. These apps were initially detected in the official Android Market, but have since been removed.

SpyEye

Name SpyEye
Category
Release Date 2011/09/28
Update Number 39

SPITMO/SpyEye is Android malware that affects users whose PC is infected with the PC malware SpyEye. When a user of an infected PC browses to their online banking site, SpyEye is capable of injecting content into the bank’s pages that attempts to trick the user into believing that the bank is asking for their mobile device phone number in order to facilitate out-of-band authentication using mTan messages. mTan messages are one-time codes sent from a bank to a mobile user’s device to be used for authentication when logging into their online bank website.

Once SpyEye has retrieved the user’s mobile device number, the user is told, through injected content, that it will become necessary for them to download a “certificate” to allow the mTan authentications to be properly verified on the device. In reality, the user has provided SpyEye with the mobile device’s phone number and will be tricked into installing the SpyEye mobile spyware application that will monitor and capture the mTan numbers sent from the banking institution.

SpyEye is configured to identify the mTan numbers that arrive on the device over SMS and then sends them to a 3rd party server, where the attackers use them to gain access to the victim’s online bank website.

TapSnake-GPSSpy

Name TapSnake-GPSSpy
Category
Release Date 2011/04/01
Update Number 1

GPS Spy comes in two separate pieces that must both be present for the spyware functionality to work. On the victim’s device, the attacker would download and install the “Tap Snake” game, either from the Android Market or by ADB push to the device. Once installed, the first execution of the “Tap Snake” game would provide the attacker with the configuration interface necessary to set up the credentials that will be used to access the GPS location data, which is sent to an offsite web server every 15 minutes. Every subsequent execution of the “Tap Snake” application would look and feel exactly like a snake game that the user would play, without the user knowing that the application is gathering and transmitting their current location every 15 minutes. Details of the “Tap Snake” game are available here

On the attacker’s device, the attacker would simply download and install the “GPS Spy” application. Once installed, executing the “GPS Spy” application and entering the corresponding credentials allows GPS Spy to sync up with the location servers, where the attacker can track the movements of the victim’s handset over a 24 hour period. The GPS Spy application portion of the spyware costs $4.99. Details of the “GPS Spy” application can be found here

Trojan-SMS.AndroidOS.FakeInst.a1

Name Trojan-SMS.AndroidOS.FakeInst.a1
Category
Release Date 2012/01/25
Update Number 47

Android.FakeInst is an SMS Trojan that sends SMS messages to premium rate phone numbers. It also collects device information and communicates it to a remote server. It has been found hosted on third-party app stores. This Trojan informs the user that they will need to send three premium rate text messages to download an application which, in most cases, is available for free on the official Android Market or other app stores.

Trojan-SMS.AndroidOS.Opfake-1

Name Trojan-SMS.AndroidOS.Opfake-1
Category
Release Date 2012/01/25
Update Number 47

Trojan-SMS.AndroidOS.Opfake is an SMS Trojan application that affects Android devices. It sends SMS messages to premium rate numbers. Additionally, it collects device identifying information and sends it to a remote server.

When the trojan is installed, it displays a message box that alerts the user that they must send SMS messages to activate the product. If they click "Agree", it sends an SMS message to the number "5537".

It then collects and transmits the following information:

- Device IMEI
- Package Name
- Phone Number
- Phone Model

Weatherfist

Name Weatherfist
Category
Release Date 2011/04/01
Update Number 1

Weatherfist was a proof-of-concept application that was developed as a part of the MOBOTS presentation at the 2010 RSA Security conference. The researchers attempted to determine whether the typical “phone home” behaviour of a botnet-infected device would work on the Android and iPhone platforms. To do so, they developed a “weather” application that, instead of using a zip code for location, sent the device’s GPS location back to the “weather” servers. This demonstrated that applications on the Android and iPhone platforms are certainly able to communicate with 3rd party servers, assuming the users either accepted the permission for it to do so or the code could slip past the App Store review process. The proof-of-concept recorded nearly 700 unique Android downloads and 7,700 unique iPhone downloads of the application.

The proof-of-concept applications that were publicly distributed did not collect any type of personal data, nor did they allow any type of remote access or command and control functionality of the kind common among botnets. The research team did, however, develop an additional application, named “WeatherFistBadMonkey”, that did contain the same command and control functionality as a regular botnet; this version of the proof-of-concept was never publicly released. WeatherFist was not, in any way, a trojan or backdoor application, and it could easily be deleted from the device by normal means.

YZHCSMS

Name YZHCSMS
Category
Release Date 2011/06/06
Update Number 1

YZHCSMS is an Android Trojan application that comes with the package name ‘com.ppxiu’ from the developer ‘Gengine’. The application no longer appears to be available in the Android Market, but is still being offered in third-party stores in Asia. Appearing to target Asian markets only, the malware called ‘YZHCSMS’ begins its operations by reaching out to a remote website to obtain a list of premium rate numbers (short codes that you send SMS messages to, much like when voting on American Idol) and then starts sending SMS messages that all begin with ‘YZHC’.

Combining the premium rate numbers retrieved from the web server with a list of hardcoded numbers, ‘YZHCSMS’ sends an SMS/text message every 50 minutes to the target, costing the user varying amounts of money per message depending on their rate plan. The SMS Trojan runs as a background thread that is kicked off when the device boots up or upon execution of the infected application.

Along with its ability to run as a background thread, the YZHCSMS SMS Trojan attempts to further obfuscate its true nature by deleting any SMS messages it has sent as well as trying to delete any SMS billing messages that may be received as a result of the premium message it just sent.

Some variants of this SMS Trojan only have the ability to remove messages related to the numbers that were hardcoded into the malware, while others also attempt to remove messages related to the numbers retrieved from the remote server.

Our analysis of at least one of the variants indicates that the following numbers have been hardcoded into the different variants of ‘YZHCSMS’:

1000
10000
10086
100086
123456
617915
19000101
19860102
19861119
91316005
91316007
101011101
12345678911
1065800885566
052714034192100013309
1240000089393100527140341001

The following numbers exist in the ‘mmssender’ class:

052714034192100013309
10086
1240000089393100527140341001

At least one variant appears to intercept messages related to the following hardcoded numbers, via the ‘SMSObserver’ class:

10086
1065800885566

At this time, it is unclear whether these premium rate numbers will work outside of Asian markets. The Android Market data indicates that this application has only been downloaded an estimated 500 times.

ZSoneSMSTrojan-1

Name ZSoneSMSTrojan-1
Category
Release Date 2011/04/01
Update Number 1

ZSone SMS Trojan is a series of pirated, trojanized applications that affect Android devices. A developer by the name of “Zsone” published 13 of these applications, some of which utilize SMS communication to fraudulently register the unsuspecting user’s device to premium services in China.

Of the apps that have been analyzed, 11 of the 13 are known to operate in this fashion, using various premium rate numbers to register the device. Chinese users that are affected by these malicious applications may notice unsolicited charges to their mobile accounts due to their device being registered for these premium services.

These malicious applications that have been identified from developer “Zsone” are as follows:

LoveBaby
iBook
iCartoon
Sea Ball
iCalendar
3D Cube horror terriblei
ShakeBanger
iMatch 对对碰
Shake Break
iSMS
iMine

The above mentioned applications are known to be communicating with the following premium rate numbers that will ONLY work inside of Chinese mobile networks:

10086
1066185829
10000
10010
1066133
10655133
10621900
10626213
106691819
10665123085
10621900

In many cases, the SMS messages sent to register the device with premium services contain a special code in the body of the message to facilitate the registration of the device to the service, such as:

M6307AHD
aAHD
95pAHD
58#28AHD
YXX1
921X1

As previously stated, the premium services that these malicious applications attempt to register mobile accounts for will ONLY work inside of Chinese mobile networks. Users outside of Chinese networks will not be affected with any charges to their account due to any messages their infected device may attempt to send.

Zitmo_Android

Name Zitmo_Android
Category
Release Date 2011/07/08
Update Number 1

SPITMO/SpyEye is Android malware that affects users whose PC is infected with the PC malware SpyEye. When a user of an infected PC browses to their online banking site, SpyEye is capable of injecting content into the bank’s pages that attempts to trick the user into believing that the bank is asking for their mobile device phone number in order to facilitate out-of-band authentication using mTan messages. mTan messages are one-time codes sent from a bank to a mobile user’s device to be used for authentication when logging into their online bank website.

Once SpyEye has retrieved the user’s mobile device number, the user is told, through injected content, that it will become necessary for them to download a “certificate” to allow the mTan authentications to be properly verified on the device. In reality, the user has provided SpyEye with the mobile device’s phone number and will be tricked into installing the SpyEye mobile spyware application that will monitor and capture the mTan numbers sent from the banking institution.

SpyEye is configured to identify the mTan numbers that arrive on the device over SMS and then sends them to a 3rd party server, where the attackers use them to gain access to the victim’s online bank website.

com.blitzforce.massada

Name com.blitzforce.massada
Category
Release Date 2011/04/01
Update Number 1

"com.blitzforce.massada" is the package name of what appears to be proof of concept (POC) malware from the Blitz Force Massada group of the University of Electronic Science and Technology of China that targeted Android devices. As a POC, com.blitzforce.massada does not appear to have been created to cause damage, only to show the capabilities of potential malware.

com.blitzforce.massada leverages multiple attacks to illustrate the ability to:

- Accept incoming calls without user intervention
- End calls without user intervention
- Turn off the device radio to prevent any incoming/outgoing calls
- Gather sensitive device information to send to remote servers

BLACKBERRY

B.Flexyspy.BB

Name B.Flexyspy.BB
Category
Release Date 2009/04/23
Update Number 1

Flexispy is a retail spyware program. It is installed by someone who has physical access to the device. Once installed it tries to hide itself by using a misleading installed app name and by not appearing in the app menu.
It is able to leak SMS messages, call info and other sensitive info to a server for inspection by the spy.
Some versions are able to leak room conversations to the spy.

J2ME

J.Etisalat.A.un

Name J.Etisalat.A.un
Category
Release Date 2009/07/15
Update Number 1

Etisalat.A[MA] is a spyware application that was WAP-pushed to BlackBerry subscribers of the Etisalat network in the United Arab Emirates (UAE) as an approved performance patch, described as a fix to network problems users had experienced during the previous few weeks. The true purpose of the spyware is to intercept BlackBerry users' email messages and forward them to a monitoring agent inside the Etisalat network. The patch was delivered in both .jar and .cod form. The .jar file contains the following classes:

META-INF/
META-INF/MANIFEST.MF
Registration.cod
Registration.csl
Registration.cso
com/
com/ss8/
com/ss8/interceptor
com/ss8/interceptor/app/
com/ss8/interceptor/app/Commands.class
com/ss8/interceptor/app/Constants.class
com/ss8/interceptor/app/Log.class
com/ss8/interceptor/app/Main$1.class
com/ss8/interceptor/app/Main.class
com/ss8/interceptor/app/MsgOut.class
com/ss8/interceptor/app/Recv.class
com/ss8/interceptor/app/Send.class
com/ss8/interceptor/app/StatusChange.class
com/ss8/interceptor/app/Transmit.class
com/ss8/interceptor/tcp/
com/ss8/interceptor/tcp/HTTPDeliver.class
com/ss8/interceptor/tcp/smtp/
com/ss8/interceptor/tcp/smtp/SMTPHeader.class
com/ss8/interceptor/tcp/SocketBase.class
Interceptor.class

The included classes allow the application to hook into folder updates, the message store, outbound messages, and radio events:

- The Recv.class allows the application to monitor for inbound messages by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.event.StoreListener.

- The Send.class allows the application to monitor outbound messages, though it is only used to forward messages on later, by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.SendListener.

- The StatusChange.class allows the application to monitor radio events such as a change of network. It removes and re-registers the Recv listener when certain network changes occur.

version:4.91
Copyright message
Time and Date
Pin no.
Phone No
IMEI
IMSI
Serial No:
Device Name:
Device Manufacture
Platform Version
Reason: which can be either "Service change" or "Network Started"
State: whether the device is running or stopped.

These commands are available in Commands.java, which calls the MsgOut constructor and passes the message to MsgOut.java. An additional message is sent to the registration server with the following information:

version:4.91
Time and Date

After registration has occurred, the application remains inactive until a "start" command is received from the controlling agent. This command email is immediately deleted. There are four possible commands (version, bCkp, start, stop), all of which are encrypted.

Once the application has been activated, it listens for email messages. When a message is received, the Recv class inspects it to determine whether it contains one of the 4 possible embedded commands. If it does not, the application UTF-8 encodes the message, GZIP-compresses it, AES encrypts it using the static key "EtisalatIsAProviderForBlackBerry", then Base64 encodes the result. The message is then forwarded via an HTTP POST to http://10.116.3.99:7095/bbupgr. The following information is included in the message sent to the controlling agent:

Message Subject
Body of the Message
From Address
To Address

It is assumed that the receiving HTTP server will then construct an email and forward the received information to the following email addresses:
regbb@etisalat.ae
etisalat_upgr@etisalat.ae

SYMB-3

S.Album.a

Name S.Album.a
Category
Release Date 2010/07/20
Update Number 1

Album arrives as a link in an SMS message, which downloads a malware SISX file, which in turn sends more SMS messages. Variants of this family are Symbian Signed, and the signing certificates were issued to Shenzhen ZhongXunTianCheng Technology.

This malware collects phone numbers from the device. It uses these to send out more spam SMS messages and so reproduce. Unlike the similar Yxes trojan, Album uses a third party library to send SMS messages, so the messages do not appear in the user's sent messages. These messages can reduce battery life and incur SMS charges.

It also collects device information and sends it to a remote server.

In an attempt to prevent being uninstalled, it disables certain device programs, most notably the Application Manager.

Users discovered that beginning to reinstall the infected SISX would cause its running process to be killed (so that the app can be overwritten), and access to the Application Manager could then be regained if the reinstall was terminated at the right time.

S.EicarSymb

Name S.EicarSymb
Category
Release Date 2011/11/01
Update Number 37

EICAR ANTI-VIRUS TEST APPLICATION
THIS APP IS NOT HARMFUL. IT WILL NOT HARM YOUR DEVICE IN ANY WAY.

This application is not malicious: it does not read your data, access the internet, or create any files. It does not run in the background, start automatically, or do anything at all other than display a message.

It does, however, contain some text, created by the European Institute for Computer Antivirus Research (EICAR), which is designed to be safely detected by all anti-virus products as a virus, so that people can test their anti-virus applications to see if they're working correctly, without having to actually infect their devices with a real virus or other malware.

To make it absolutely clear - this app is completely harmless, but should be detected as a virus. This is its entire purpose. If you run an anti-virus app on your phone, it should detect this app as a virus when you install it.

For further details please search for "EICAR test file" on Wikipedia or visit EICAR's website itself at eicar.org.

S.FlexiSpy.gen4

Name S.FlexiSpy.gen4
Category
Release Date 2011/01/07
Update Number 1

FlexiSpy is a Symbian OS based trojan that records phone calls and SMS messages and sends them to a remote server. It is sold as an actual application designed for this purpose, but it runs stealthily, with no indication of its purpose, and hence is classified as a trojan. FlexiSpy comes in several different packages with escalating feature sets.

The full feature set is as follows:

Remote Listening
Control Phone By SMS
SMS and Email Logging
Call History Logging
Location Tracking
Call Interception
GPS Tracking
Shield
Black List
White List
Web Support
Secure Login
View Report
Advanced Searches
Download Report
Special Features
SIM Change Notification
GPRS Capability Required
Listen to Recorded Conversation

S.Lopsoy.e

Name S.Lopsoy.e
Category
Release Date 2010/08/09
Update Number 1

Lopsoy is an SMS trojan that has the ability to send SMS messages to premium rate SMS numbers, siphoning funds out of the device’s mobile account. Lopsoy is often accompanied by a file named PremiumSMSTroy.exe and has been known to arrive in the following Symbian packages:

- Stalker_s60.sis
- Virtual_Hottie_3D_Mobile_s40.sis
- Virtual_Hottie_3D_Mobile_s60.sis
- bluetooth_hack2_symbian7-8_s40.sis
- bluetooth_hack2_symbian9_s60.sis
- file17_symbian7-8.sis
- file17_symbian9.sis
- file28_symbian9.sis

Several variants of the Lopsoy SMS trojan are known to exist. Variants a, b, and c are strictly 3rd edition Symbian threats, while variant d is 2nd edition. All variants are detected by the S.lopsoy.gen(drs) signature.

S.Lopsoy.f

Name S.Lopsoy.f
Category
Release Date 2011/09/07
Update Number 7

Lopsoy is an SMS trojan that has the ability to send SMS messages to premium rate SMS numbers, siphoning funds out of the device’s mobile account. Lopsoy is often accompanied by a file named PremiumSMSTroy.exe and has been known to arrive in the following Symbian packages:

- Stalker_s60.sis
- Virtual_Hottie_3D_Mobile_s40.sis
- Virtual_Hottie_3D_Mobile_s60.sis
- bluetooth_hack2_symbian7-8_s40.sis
- bluetooth_hack2_symbian9_s60.sis
- file17_symbian7-8.sis
- file17_symbian9.sis
- file28_symbian9.sis

Several variants of the Lopsoy SMS trojan are known to exist. Variants a, b, and c are strictly 3rd edition Symbian threats, while variant d is 2nd edition. All variants are detected by the S.lopsoy.gen(drs) signature.

S.NeoCall.gen

Name S.NeoCall.gen
Category
Release Date 2011/01/07
Update Number 1

NeoCall originated as a Symbian spyware application that grants an attacker the ability to perform the following spying tasks on an unsuspecting user:

- Neo-Control: allow users to control the phone with NeoCall software
- Neo-Setup: configure the target phone using a practical menu tool
- Neo-Suite 2k8: this is a program set for Symbian 9 phones and merges the main applications in a single software.
- Neo-Phone: listen-in on all surrounding sounds and conversations – Nokia 6600, 6670, 7610
- Neo-Phone2: listen-in on all surrounding sounds and conversations – phone cells Symbian 7/8 and 9
- Neo-Interceptor: listen to both incoming and outgoing calls
- Neo-Sms: sms forwarding
- Neo-Log & Email: record info in the phone memory and sends them by Bluetooth or Email
- Neo-List: list of the phone calls
- Neo-Trax: localization by BTS cells
- Neo-GPS: localization by GPS coordinates
- Neo-Brand: installation personalized
- Neo-Contact: contact management
- Neo-Virtual SMS: SMS forwarding with personalized sender
- Neo-Sim: sim data
- Neo-Record: conversation audio recording
- Neo-SMSInstall: installation by SMS

The attacker controls the NeoCall instance running on the target device by sending SMS commands to the target handset in order to retrieve the requested data.

NeoCall can only be installed on a target device by an attacker who gains physical access to the handset.

S.Photoview.a

Name S.Photoview.a
Category
Release Date 2010/09/28
Update Number 1

Cell Phone Recon is a commercial spyware application that runs on every major smartphone platform except iPhone. Cell Phone Recon hides itself on each of the affected platforms by not providing an application icon to the user. However, Cell Phone Recon does appear in application lists as “PhotoViewer”. Cell Phone Recon offers the following spying capabilities:

- Monitor all incoming/outgoing SMS messages
- View content of sent and received emails
- Log all incoming/outgoing/missed calls
- Monitor & track location of the mobile phone
- View HTML email content including embedded images

In order for an attacker to monitor the location and communications of a particular device, Cell Phone Recon offers an admin website to facilitate monitoring. Detailed instructions and information for Cell Phone Recon can be found here.

S.Spitmo.a

Name S.Spitmo.a
Category
Release Date 2011/05/19
Update Number 1

SPITMO/SpyEye affects users whose PC is infected with the PC malware SpyEye. When a user of an infected PC browses to their online banking site, SpyEye is capable of injecting content into the bank’s pages that attempts to trick the user into believing that the bank is asking for their mobile device phone number in order to facilitate out-of-band authentication using mTan messages. mTan messages are one-time codes sent from a bank to a mobile user’s device to be used for authentication when logging into their online bank website.

Once SpyEye has retrieved the user’s mobile device number, the user is told, through injected content, that it will become necessary for them to download a “certificate” to allow the mTan authentications to be properly verified on the device. In reality, the user has provided SpyEye with the mobile device’s phone number and will be tricked into installing the SpyEye mobile spyware application that will monitor and capture the mTan numbers sent from the banking institution.

SpyEye is configured to be able to determine these mTan numbers that come into the device over SMS and will then send them off to a 3rd party server to be used by the attackers to gain access to the victim’s online bank website.

S.Upadapter.gen

Name S.Upadapter.gen
Category
Release Date 2010/12/06
Update Number 1

S.Upadapter.o(drs) appears to be a member of the AVK.Dumx.A family of trojans affecting Symbian devices. It has been reported that this particular sample has been spreading through China, infecting over a million devices. Once infected, Upadapter is very loud in its efforts to send an SMS message to every number in the device’s contact list with a URL to download the package and connects back to a master server where it sends information about the infected device. It is likely that this information will be used in the future to send commands to infected devices over SMS.

In addition to sending SMS messages, placing unauthorized calls to premium rate numbers and transferring money from the owner’s mobile account, Upadapter is similar to some of the more advanced PC malware in that it attempts to disable anti-virus applications that might be running on the handset.

Removal of Upadapter is very tricky, often requiring a hard reset of the device, which causes the user to lose all personal data when the device is returned to factory defaults.

S.Yxes.i

Name S.Yxes.i
Category
Release Date 2010/08/09
Update Number 1

Yxe arrives as a link in an SMS message; the link downloads the malware, which in turn sends more SMS messages. Variants of this family are Symbian Signed so that they can run on Third Edition devices. The signing certificates were issued to XiaMen Jinlonghuatian or ShenZhen ChenGuangWuXian.

An SMS spam message arrives with a link to one of:

http://www.wwqx-mot.com/game
http://www.wwqx-sun.com/game
http://www.wwqx-cyw.com/game

All these addresses are now disabled. The messages claim that a game can be downloaded; instead, one of the following signed SISX files is downloaded:

sexy.sisx (installs boothelper.exe)
beauty.sisx (installs EConServer.exe)
beauty_new.sisx (installs a different EConServer.exe).

This malware, which is only able to run on S60 Third Edition devices, collects phone numbers from the device. It uses these to send out more spam SMS messages and so reproduce. Sent messages are deleted from the mailbox. These messages can reduce battery life and incur SMS charges.

It also collects device information and sends it to a remote server.

In an attempt to prevent being uninstalled, it disables certain device programs, most notably the Application Manager.

Users discovered that beginning to reinstall the infected SISX would cause its running process to be killed (so that the app can be overwritten), and access to the Application Manager could then be regained if the reinstall was terminated at the right time.

S.Zitmo.a

Name S.Zitmo.a
Category
Release Date 2010/09/28
Update Number 1

Zitmo is a trojan application that affects Symbian and BlackBerry devices in order to assist the Windows trojan ZeuS in stealing online banking credentials.
Zitmo is the first mobile trojan application that works in conjunction with a Windows trojan, ZeuS, which has been successfully stealing the login credentials for victims' online banking websites. The Zitmo portion of the attack attempts to monitor SMS communications of infected devices in order to intercept SMS authentication messages from the victim's bank.
Many financial institutions have begun implementing out-of-band authentication methods as a means to protect their customers from fraud and identity theft. One such method is for the bank to send the customer an SMS message on their mobile device containing pieces of information necessary to successfully log into their online banking website and conduct financial transactions.
Zitmo could arrive on the target mobile device after any number of social engineering attacks designed to trick the user into divulging their phone number and/or device model. The ultimate goal is for ZeuS to trick the user into installing an application on their device, portrayed as a "security certificate" or some other means of validating communication with the bank. Once Zitmo is installed, any SMS message sent to the device can be captured by the trojan, in the hope that the captured messages contain mTANs (Mobile Transaction Authentication Numbers).
Currently, mTANs are used for authentication mostly in European countries, so geographic differences in technology could render this attack fruitless elsewhere.

WINCE

W.1Eicar Test Signature

Name W.1Eicar Test Signature
Category
Release Date 2008/03/11
Update Number 1

EICAR ANTI-VIRUS TEST APPLICATION THIS APP IS NOT HARMFUL. IT WILL NOT HARM YOUR DEVICE IN ANY WAY. This app simply displays a message similar to this one and nothing more. It requires no permissions on installation. It does not read your data, access the internet, or create any files. It does not run in the background, start automatically, or do anything at all other than display a message. It does, however, contain some text, created by the European Institute for Computer Antivirus Research (EICAR), which is designed to be safely detected by all anti-virus products as a virus, so that people can test their anti-virus applications to see if they're working correctly, without having to actually infect their devices with a real virus or other malware. To make it absolutely clear - this app is completely harmless, but should be detected as a virus. This is its entire purpose. If you run an anti-virus app on your phone, it should detect this app as a virus when you install it. For further details please search for "EICAR test file" on Wikipedia or visit EICAR's website itself at eicar.org.

W.Abcmag.a

Name W.Abcmag.a
Category
Release Date 2011/09/07
Update Number 7

Pretends to be various apps like Cake Mania Celebrity Chef and The Simpsons Arcade but is really an SMS Trojan, sending premium SMS messages for the purpose of transferring funds from the user.

W.AutoR.gen

Name W.AutoR.gen
Category
Release Date 2010/03/24
Update Number 1

A malicious Autorun.inf file that is placed in the root folder of a removable drive, usually a flash drive. When the drive is inserted in a Windows computer, it presents a menu that looks like it will open the drive as a folder, but which really runs a malicious program.

W.Autorun.gen2

Name W.Autorun.gen2
Category
Release Date 2010/06/04
Update Number 1

A malicious Autorun.inf file that is placed in the root folder of a removable drive, usually a flash drive. When the drive is inserted in a Windows computer, it presents a menu that looks like it will open the drive as a folder, but which really runs a malicious program.

W.BopSmiley.gen

Name W.BopSmiley.gen
Category
Release Date 2009/10/02
Update Number 1

MobileSpy is a retail spyware program which leaks SMS messages and call info to another phone via SMS messages.

Detailed Information: BopSmiley arrives on the device as a CAB file named MobileSpy. Once it has been installed and executed, BopSmiley is known to drop several files and make registry changes on the device:
\Program Files\Smartphone\Smartphone.exe
\Program Files\Smartphone\OpenNETCF.Net.dll
\Program Files\Smartphone\OpenNETCF.dll
\Program Files\Smartphone\hsmsutil.dll
It also creates the following registry keys:
HKEY_CURRENT_USER\Software\RetinaxStudios
RememberUser="0"
AutoLogin="0"
Username=""
Password=""
ReportTime="0"
In order to execute Smartphone.exe, the attacker needs physical access to the device and must configure the spyware to enable the interception of phone calls and SMS messages.

W.Brador.A

Name W.Brador.A
Category
Release Date 2008/03/11
Update Number 1

Brador.A is a backdoor that only affects PDA devices running the Windows CE operating system (Pocket PC 2000, 2002 and 2003). Brador.A opens a port and sends an e-mail message to its author to notify them that the affected PDA is accessible through the opened port.
Brador copies itself into the Startup folder. It then mails the PDA's IP address to the backdoor author and starts listening for commands on a TCP port. The attacker can then connect to the PDA on that TCP port and control it through the backdoor.

W.Creeper.gen

Name W.Creeper.gen
Category
Release Date 2010/10/15
Update Number 1

This is a phone espionage suite.
It can be silently installed simply by inserting an SD card with the infector files on it.
The program does not show up under installed programs or running programs and offers an array of features. Phones running this software can be remotely controlled by SMS text messages. All commands are silently received and deleted immediately, and the results are SMSed back to the sender.

W.Cyppy.gen

Name W.Cyppy.gen
Category
Release Date 2009/08/06
Update Number 1

An SMS Trojan that tries to send 100 premium SMS messages to 8055, thus transferring funds from the user's account. This SMS address is not valid in many countries.

W.Duts.A

Name W.Duts.A
Category
Release Date 2008/03/11
Update Number 1

Duts is a proof of concept virus for Pocket PC.

Duts.A is a virus that only infects executable files with an EXE extension on platforms running the Windows Mobile operating system. To do so, Duts.A writes a copy of its code into the last section of the EXE file and then redirects the entry point to that code.
It infects all executable files on the system above a certain length and patches the entry point so that the virus code is executed when these executables are run.

W.FlxSpy

Name W.FlxSpy
Category
Release Date 2008/04/29
Update Number 1

Flexispy is a retail spyware program. It is installed by someone who has physical access to the device. Once installed it tries to hide itself by using a misleading installed app name and by not appearing in the app menu.
It is able to leak SMS messages, call info and other sensitive info to a server for inspection by the spy.
Some versions are able to leak room conversations to the spy.

W.FxSpFp

Name W.FxSpFp
Category
Release Date 2008/04/29
Update Number 1

Flexispy is a retail spyware program. It is installed by someone who has physical access to the device. Once installed it tries to hide itself by using a misleading installed app name and by not appearing in the app menu.
It is able to leak SMS messages, call info and other sensitive info to a server for inspection by the spy.
Some versions are able to leak room conversations to the spy.

W.FxSpVp

Name W.FxSpVp
Category
Release Date 2008/04/29
Update Number 1

Flexispy is a retail spyware program. It is installed by someone who has physical access to the device. Once installed it tries to hide itself by using a misleading installed app name and by not appearing in the app menu.
It is able to leak SMS messages, call info and other sensitive info to a server for inspection by the spy.
Some versions are able to leak room conversations to the spy.

W.Infojack.A

Name W.Infojack.A
Category
Release Date 2008/04/21
Update Number 1

Leaks sensitive info to a web site. Delivered via a "Little Games" package targeted to Chinese speakers.
Malicious component can propagate through an infected SD card.

Detailed Information: Windows CE Trojan, lowers security settings, downloads additional components. Leaks information from device to server.
Infojack was possibly created by or for the operators of mobi.xiaomeiti.com, which has since been shut down by the Chinese government. Its purpose seemed to begin with collecting device information from Chinese-language Pocket PC devices, but it includes the capability of silently upgrading itself with a new download. It tries to protect itself from disinfection by restoring itself from backup files. It also spreads through memory cards and changes the home page of the device's web browser. The infection is installed alongside legitimate programs: Chinese Google Maps, a stock trading program, and (most usually) a package of ten small games.

W.LBooter.a

Name W.LBooter.a
Category
Release Date 2010/08/16
Update Number 1

A version of the HeRET Linux booter that will prevent the device from properly rebooting. Installed via a Trojan.

W.Levar.a

Name W.Levar.a
Category
Release Date 2011/05/19
Update Number 1

Pretends to be an AV program but is really an SMS Trojan.

W.Luanch.a

Name W.Luanch.a
Category
Release Date 2010/08/16
Update Number 1

Pretends to be a power manager, launcher or other app, but is really an SMS Trojan, sending premium SMS messages to drain funds from the user's account.

W.MobUn.a

Name W.MobUn.a
Category
Release Date 2011/09/07
Update Number 7

Attempts to install itself so that it runs on every startup. Sends SMS messages to premium numbers to drain funds from the user's account. Attempts to download and install a later version of itself.

W.PMCrypt.gen

Name W.PMCrypt.gen
Category
Release Date 2010/08/20
Update Number 1

Denial of Service and Fee Fraud

Detailed Information: WinCE.PMCryptic.a is a mobile device worm that affects Windows Mobile devices. This worm propagates via memory cards and has appeared in several different forms, leading some to believe it may be polymorphic in nature. It arrives as an executable disguised with a folder icon to trick the user into believing it is harmless to execute. Once executed, it drops files into the root of the device's directory structure and then executes one of the dropped files. When the dropped file is executed, it starts 5 different threads that perform the following functions:
- Initiates phone calls to premium numbers that will bill the user's account
- Disables all input into running applications, causing the phone to stop responding
- Changes the system's color scheme every couple of seconds, finally settling on a black-on-black color scheme that makes the device unusable
- Searches the device for a removable media card. If one is found, it drops a copy of itself onto the media card as an autorun file that will execute if the media card is inserted into another device
- Searches the device for folders in the directory structure. It then copies the name of each folder and sets the folder's attributes to "hidden". Once the folder is hidden, it copies itself into the directory under the folder's name to, again, trick users into executing the "folder"

W.Photoview.a

Name W.Photoview.a
Category
Release Date 2010/09/28
Update Number 1

Cell Phone Recon is a multi-platform spyware application

Cell Phone Recon is a commercial spyware application that runs on every major smartphone platform except iPhone. It hides itself on each affected platform by not providing an application icon to the user; however, it does appear in application lists as "PhotoViewer". Cell Phone Recon offers the following spying capabilities:

- Monitor all incoming/outgoing SMS messages
- View content of sent and received emails
- Log all incoming/outgoing/missed calls
- Monitor & track location of the mobile phone
- View HTML email content including embedded images

In order for an attacker to monitor the location and communications of a particular device, Cell Phone Recon offers an admin website to facilitate monitoring.

W.Redoc.gen

Name W.Redoc.gen
Category
Release Date 2009/05/22
Update Number 1

Redoc is an SMS Trojan

Redoc may come bundled with an otherwise valid application, which masks the operation of the Trojan, but it sends unauthorized SMS messages to a premium number.

W.Sejweek.b

Name W.Sejweek.b
Category
Release Date 2010/01/13
Update Number 1

Sejweek is an SMS trojan that accesses the Internet and sends periodic SMS messages to premium rate numbers.

WinCE/Sejweek.B is distributed in a Microsoft Cabinet archive file named “sejweek.bin”. The following malicious components are included in the archive file:
sendservice.exe
setupdll.dll
“setupdll.dll” is a dynamic link library called by the Windows Mobile installation process. The malware author created this component to copy “sendservice.exe” from “\temp\” to “\windows\”. It then creates a process to run WinCE/Sejweek.B at installation. “setupdll.dll” itself is not installed on the device.
“sendservice.exe” is a Microsoft .NET executable. It requires Microsoft .NET Compact Framework 2.0 or later to be installed on the device.
WinCE/Sejweek.B creates the registry key HKLM\Init\Launch96 and adds its executable name as the value in order to run on boot.
WinCE/Sejweek.B checks the current time every 5 minutes. If the current time is later than the time the last SMS was sent, and the current hour is greater than or equal to 11, it connects to the URL http://[removed].com/[removed]/get.php to fetch its XML-formatted configuration file. The file includes a phone number, a message body and the interval at which to send SMS messages.
The phone number and interval period are stored in an encoded format in the configuration file. After decoding the configuration values, WinCE/Sejweek.B creates the file “servicedata.dat” in the same directory as itself and stores the phone number, message text and interval period in this file.
If the server sends invalid data in the “phone” element (e.g. invalidly encoded data), WinCE/Sejweek.B can terminate with an exception.

W.Spybub.a

Name W.Spybub.a
Category
Release Date 2010/02/24
Update Number 1

Spy Bubble is a stealth GPS tracking application. It is very similar to the other Android tracking applications on the market that offer "stealth" GPS tracking and various monitoring/spy features (such as Mobile Spy).

Spy Bubble may track the following activities:

- GPS location
- SMS messages sent from and received by the device
- Call logs

W.Terdial.gen

Name W.Terdial.gen
Category
Release Date 2010/07/09
Update Number 1

Terdial is a Trojan Horse application directed towards Windows Mobile devices.

Detailed Information: Terdial is a trojan horse application that comes in two distinct forms. The first masquerades as a game titled "3D Anti-terrorist action". The other version of the same trojan is titled "Codec Pack for Windows Mobile 1.0". Both applications' payloads surreptitiously place calls to premium-rate phone numbers at regular intervals.

Terdial comes in the following packages:

antiterrorist3d.cab
codecpack.cab

Both packages copy an additional file to the device, under the system directory, named 'smart32.exe'.

Once a device is infected, Terdial will place calls to six different premium rate numbers, 50 seconds apart. Newer versions of the trojan have raised the interval to 500 seconds between calls. The following numbers have been identified:

+8823460777
+17675033611
+88213213214
+25240221601
+2392283261
+881842011123

Terdial uses time intervals set by the following algorithm to determine when the malware will place the premium phone calls:

Time = (Day of first execution + 3) and (Hour of first execution - [random integer from 0-6])

For example, if the trojan was first executed on Tuesday 13 April 2010 at 1415hrs and the random integer is 4, the time bomb is set for Friday 16 April 2010 at 1015hrs.

If the application is executed again before this time bomb goes off, a second time bomb is set for the same time in the following month:

New time bomb set for later execution = (Month of execution + 1)

For example, if the second execution was triggered on Tuesday 13 April 2010 at 1422hrs, a new bomb will be set for the following month, Tuesday 13 May 2010 at 1422hrs.
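The two timer rules above, reconstructed as an added example (analyst tooling, not Juniper's or the malware's own code) so the trigger times can be computed from a first-execution timestamp and compared against a device's call log. The handling of hour underflow, month overflow and the call-log matching heuristic are assumptions, marked in the comments.

```python
# Added example (not from the signature entry): reconstructs the Terdial
# timer rules so an analyst can work out when the premium calls would have
# been placed and check a call log for that pattern.
import calendar
from datetime import datetime, timedelta


def first_time_bomb(first_exec: datetime, rand: int) -> datetime:
    """First trigger: day of first execution + 3, hour - random integer 0-6.

    Assumption: the hours are subtracted with a timedelta, so an early hour
    rolls back into the previous day instead of yielding a negative hour
    (the entry does not say how the trojan handles that corner case).
    """
    if not 0 <= rand <= 6:
        raise ValueError("random integer must be in the range 0-6")
    return first_exec + timedelta(days=3) - timedelta(hours=rand)


def next_month_time_bomb(exec_time: datetime) -> datetime:
    """Second trigger: same day and time, month of execution + 1.

    Assumptions: December rolls into January of the next year, and a day the
    next month lacks (e.g. the 31st) is clamped to that month's last day.
    """
    year, month = exec_time.year, exec_time.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return exec_time.replace(year=year, month=month,
                             day=min(exec_time.day, last_day))


def expected_call_times(bomb: datetime, interval_s: int = 50,
                        calls: int = 6) -> list:
    """Timestamps of the six premium-rate calls: one per number, spaced
    interval_s seconds apart (50 s originally, 500 s in newer versions)."""
    return [bomb + timedelta(seconds=interval_s * i) for i in range(calls)]


def matches_terdial_pattern(call_log: list, interval_s: int = 50,
                            tolerance_s: int = 5) -> bool:
    """Detection heuristic (an assumption, not from the entry): True when the
    log contains six outgoing calls spaced interval_s apart within tolerance."""
    times = sorted(call_log)
    for i in range(len(times) - 5):
        window = times[i:i + 6]
        gaps = [(b - a).total_seconds() for a, b in zip(window, window[1:])]
        if all(abs(g - interval_s) <= tolerance_s for g in gaps):
            return True
    return False


if __name__ == "__main__":
    # Worked example from the entry: first run Tuesday 13 April 2010 14:15, r=4
    bomb = first_time_bomb(datetime(2010, 4, 13, 14, 15), 4)
    print(bomb.strftime("%A %d %B %Y %H:%M"))   # Friday 16 April 2010 10:15
    print(next_month_time_bomb(datetime(2010, 4, 13, 14, 22)))  # 2010-05-13 14:22:00
    for t in expected_call_times(bomb):
        print(t.time())
```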

W.Zitmo.b

Name W.Zitmo.b
Category
Release Date 2011/03/09
Update Number 1

Zitmo is a trojan application that affects devices in order to assist the Windows trojan ZeuS in stealing online banking credentials.
Zitmo is the first mobile trojan application that works in conjunction with a Windows trojan, ZeuS, which has been successfully stealing the login credentials for victims' online banking websites. The Zitmo portion of the attack attempts to monitor SMS communications of infected devices in order to intercept SMS authentication messages from the victim's bank.
Many financial institutions have begun implementing out-of-band authentication methods as a means to protect their customers from fraud and identity theft. One such method is for the bank to send the customer an SMS message on their mobile device containing pieces of information necessary to successfully log into their online banking website and conduct financial transactions.
Zitmo could arrive on the target mobile device after any number of social engineering attacks designed to trick the user into divulging their phone number and/or device model. The ultimate goal is for ZeuS to trick the user into installing an application on their device, portrayed as a "security certificate" or some other means of validating communication with the bank. Once Zitmo is installed, any SMS message sent to the device can be captured by the trojan, in the hope that the captured messages contain mTANs (Mobile Transaction Authentication Numbers).
Currently, mTANs are used for authentication mostly in European countries, so geographic differences in technology could render this attack fruitless elsewhere.

W.jxSMSSpy

Name W.jxSMSSpy
Category
Release Date 2010/10/15
Update Number 1

Retail anti-theft program which can be used maliciously to spy on a user. Installed by someone with physical access to the device.
"You can use any phone to monitor the installed software. Can also monitor information uploaded to the anti-theft tracking management site."
Leaks location, SMS messages and call info to web site.
Does not appear in App menu.
Controlled via hidden SMS messages.