Trojan Disguised as Legitimate App to Steal Information

Trojans are pieces of software that appear to be legitimate applications while exhibiting malicious behavior. A Trojan may steal information and make the software system unreliable. The Trojan package discovered and detected by Trustlook has the following characteristics:

  • MD5: e62b8857bf396bff59e030c09e3a3fad
  • SHA256: 0d225fbebcd18a398849b9bc8196838219545d356b26793ca25e89587c0b239e
  • Size: 276394 bytes
  • App name: Google Update Manager
  • Package name: net.androidrc

The package icon is:

[Screenshot omitted: package icon (Screen Shot 2016-07-06 at 5.40.15 PM)]

The app runs itself as a “remote device connector” to disguise itself as a legitimate app:

[Screenshot omitted: the app presenting itself as a "remote device connector" (Screen Shot 2016-07-06 at 5.40.27 PM)]

Once the user enters account credentials, it sends out the information to the C&C server:

[Screenshot omitted: captured credentials being sent to the C&C server (Screen Shot 2016-07-06 at 5.40.48 PM)]

The following code snippets show how the malware constructs and sends the request above:

[Screenshot omitted: request-building code (Screen Shot 2016-07-06 at 5.33.05 PM)]

The malware attempts to collect the following information:

  • SMS messages, including sender name and text:

      [Screenshot omitted: Screen Shot 2016-07-06 at 5.33.44 PM]

  • GPS coordinates:

      [Screenshot omitted: Screen Shot 2016-07-06 at 5.34.17 PM]

  • Call log and call recordings:

      [Screenshot omitted: Screen Shot 2016-07-06 at 5.34.42 PM]

  • Front and back camera capture:

      [Screenshot omitted: Screen Shot 2016-07-06 at 5.35.07 PM]

  • Screen capture:

      [Screenshot omitted: Screen Shot 2016-07-06 at 5.50.33 PM]

  • Browser history:

      [Screenshot omitted: Screen Shot 2016-07-06 at 5.35.35 PM]

Moreover, the app is capable of changing the system settings listed below:

  • BROWSER_HISTORY_ENABLED
  • CAPTURE_PHOTO
  • CAPTURE_PHOTO_FORMAT
  • FILES_ONLY_WIFI
  • FILTER_LIST
  • FILTER_TYPE
  • FILTER_USE
  • FRONT_CAMERA_ENABLED
  • GPS_HIDDEN
  • GPS_ONLY_NEW
  • NOTIFY_CALL
  • NOTIFY_NUMBER
  • NOTIFY_SIM_CHANGE
  • NOTIFY_SMS
  • ONLY_WIFI
  • RECORD_CALLS
  • RECORD_FORMAT
  • RECORD_SOURCE
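As an added example (this is not Trustlook's tooling and not code from the sample), the following Python script turns the indicators above into a static triage check for a defender: it hashes a file and compares the digests with the published MD5/SHA256, and it scans the raw bytes for the package name and the configuration keys listed, using identifier boundaries so that ONLY_WIFI is not counted when it only appears inside FILES_ONLY_WIFI. The two byte strings at the bottom are constructed stand-ins, not real sample data, and the threshold of six matching keys is an assumption; a packed or string-encrypted variant would not expose these strings and would need dynamic analysis instead.

```python
"""Static triage for the Android Trojan described above (added example)."""
import hashlib
import re
from pathlib import Path

# Indicators copied from the write-up.
KNOWN_MD5 = "e62b8857bf396bff59e030c09e3a3fad"
KNOWN_SHA256 = "0d225fbebcd18a398849b9bc8196838219545d356b26793ca25e89587c0b239e"
KNOWN_PACKAGE = "net.androidrc"
SETTING_KEYS = [
    "BROWSER_HISTORY_ENABLED", "CAPTURE_PHOTO", "CAPTURE_PHOTO_FORMAT",
    "FILES_ONLY_WIFI", "FILTER_LIST", "FILTER_TYPE", "FILTER_USE",
    "FRONT_CAMERA_ENABLED", "GPS_HIDDEN", "GPS_ONLY_NEW", "NOTIFY_CALL",
    "NOTIFY_NUMBER", "NOTIFY_SIM_CHANGE", "NOTIFY_SMS", "ONLY_WIFI",
    "RECORD_CALLS", "RECORD_FORMAT", "RECORD_SOURCE",
]


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests of the given bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_match(data: bytes) -> bool:
    """True only when the file is byte-identical to the published sample."""
    h = file_hashes(data)
    return h["md5"] == KNOWN_MD5 and h["sha256"] == KNOWN_SHA256


def _has_identifier(data: bytes, token: str) -> bool:
    """Substring search bounded by non-identifier bytes, so a key such as
    ONLY_WIFI is not matched inside FILES_ONLY_WIFI. DEX string tables keep
    ASCII identifiers verbatim, so this works on unpacked DEX/APK contents."""
    pattern = (rb"(?<![A-Za-z0-9_])" + re.escape(token.encode())
               + rb"(?![A-Za-z0-9_])")
    return re.search(pattern, data) is not None


def triage(data: bytes, min_keys: int = 6) -> dict:
    """Classify one file as known_sample, suspicious or no_match.

    min_keys (assumption): how many of the 18 configuration keys must be
    present before an unknown file is flagged on strings alone.
    """
    keys = [k for k in SETTING_KEYS if _has_identifier(data, k)]
    # The package name appears dotted in the manifest and slash-separated
    # in DEX class descriptors (e.g. Lnet/androidrc/...;), so check both.
    forms = (KNOWN_PACKAGE, KNOWN_PACKAGE.replace(".", "/"))
    package = any(f.encode() in data for f in forms)
    if hash_match(data):
        verdict = "known_sample"
    elif package or len(keys) >= min_keys:
        verdict = "suspicious"
    else:
        verdict = "no_match"
    return {"verdict": verdict, "hashes": file_hashes(data),
            "package_name_present": package, "setting_keys": keys}


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (e.g. an extracted classes.dex)."""
    return triage(Path(path).read_bytes())


# Constructed stand-ins for testing the logic offline; not real malware bytes.
SUSPECT_BLOB = (b"dex\n035\x00Lnet/androidrc/Settings;\x00"
                + b"\x00".join(k.encode() for k in SETTING_KEYS[:8]) + b"\x00")
BENIGN_BLOB = b"PK\x03\x04 harmless archive that happens to mention ONLY_WIFI once"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        result = triage(blob)
        print(name, result["verdict"], len(result["setting_keys"]), "keys")
```

Run it against an APK only after unzipping, since the zip container compresses classes.dex and the manifest; the hash check, by contrast, applies to the APK file as distributed.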


The app creates a SQL database to store the collected information; the database contains the following tables:

RC_SMS:

  • _id INTEGER PRIMARY KEY
  • number TEXT
  • name TEXT
  • date INTEGER
  • type INTEGER
  • text TEXT
  • sms_sent INTEGER
  • lat REAL
  • lon REAL
  • sent INTEGER


RC_CALL:

  • _id INTEGER PRIMARY KEY
  • number TEXT
  • name TEXT
  • date INTEGER
  • type INTEGER
  • duration INTEGER
  • sms_sent INTEGER
  • lat REAL
  • lon REAL
  • sent INTEGER

RC_GPS:

  • _id INTEGER PRIMARY KEY
  • acc REAL
  • alt REAL
  • lat REAL
  • lon REAL
  • date INTEGER
  • battery INTEGER
  • provider TEXT
  • sent INTEGER

RC_BROWSER:

  • _id INTEGER PRIMARY KEY
  • date INTEGER
  • url TEXT
  • title TEXT
  • lat REAL
  • lon REAL
  • sent INTEGER
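For an incident responder who recovers this database from a device, the table layout above is enough to answer the two first questions: what was collected, and how much of it had already been uploaded. The following Python script is an added example, not Trustlook's or the malware's code: it recreates the four tables with the columns listed, loads constructed sample rows, merges the tables into one timeline and counts queued records. Two assumptions are not spelled out on the page: that the sent column is 0 until a record has been transmitted to the C&C server, and that date is a timestamp that increases over time (it is kept as a raw integer here rather than converted).

```python
"""Forensic triage of the collection database described above (added example)."""
import sqlite3

# Column layout copied from the write-up.
SCHEMA = """
CREATE TABLE RC_SMS (_id INTEGER PRIMARY KEY, number TEXT, name TEXT, date INTEGER,
    type INTEGER, text TEXT, sms_sent INTEGER, lat REAL, lon REAL, sent INTEGER);
CREATE TABLE RC_CALL (_id INTEGER PRIMARY KEY, number TEXT, name TEXT, date INTEGER,
    type INTEGER, duration INTEGER, sms_sent INTEGER, lat REAL, lon REAL, sent INTEGER);
CREATE TABLE RC_GPS (_id INTEGER PRIMARY KEY, acc REAL, alt REAL, lat REAL, lon REAL,
    date INTEGER, battery INTEGER, provider TEXT, sent INTEGER);
CREATE TABLE RC_BROWSER (_id INTEGER PRIMARY KEY, date INTEGER, url TEXT, title TEXT,
    lat REAL, lon REAL, sent INTEGER);
"""
TABLES = ["RC_SMS", "RC_CALL", "RC_GPS", "RC_BROWSER"]

# Constructed sample rows: fictitious numbers, coordinates and URLs.
SAMPLE_ROWS = {
    "RC_SMS": [
        (1, "+15550100", "Alice", 1000, 1, "meeting at 3", 0, 37.0, -122.0, 1),
        (2, "+15550101", "Bank", 1003, 1, "your code is 123456", 0, 37.0, -122.0, 0),
    ],
    "RC_CALL": [(1, "+15550100", "Alice", 1001, 2, 95, 0, 37.0, -122.0, 1)],
    "RC_GPS": [(1, 5.0, 12.0, 37.0, -122.0, 1002, 80, "gps", 0)],
    "RC_BROWSER": [(1, 1004, "https://example.com/login", "Sign in", 37.0, -122.0, 0)],
}


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with the schema above and the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        # Table names come from the fixed list above, never from input.
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def open_db(path: str) -> sqlite3.Connection:
    """Open a database pulled from a device read-only, so nothing is altered."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def exfil_status(conn: sqlite3.Connection) -> dict:
    """Per-table count of records, and how many are still flagged unsent (sent = 0)."""
    status = {}
    for table in TABLES:
        total, unsent = conn.execute(
            f"SELECT COUNT(*), SUM(CASE WHEN sent = 0 THEN 1 ELSE 0 END) FROM {table}"
        ).fetchone()
        status[table] = {"total": total, "unsent": unsent or 0}
    return status


def timeline(conn: sqlite3.Connection) -> list:
    """Merge all four tables into one chronological list of collected events."""
    rows = conn.execute("""
        SELECT date, 'sms' AS kind, number || ': ' || text AS detail, sent FROM RC_SMS
        UNION ALL
        SELECT date, 'call', number || ' (' || duration || 's)', sent FROM RC_CALL
        UNION ALL
        SELECT date, 'gps', lat || ',' || lon || ' via ' || provider, sent FROM RC_GPS
        UNION ALL
        SELECT date, 'browser', url, sent FROM RC_BROWSER
        ORDER BY date
    """).fetchall()
    return [{"date": d, "kind": k, "detail": det, "sent": s} for d, k, det, s in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for event in timeline(db):
        print(event)
    print(exfil_status(db))
```

The unsent counts tell the responder which records had not yet left the device at the time of seizure; the lat/lon columns on every table also show that each collected item was tagged with the victim's position, which matters when assessing what the attacker learned.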


The malware communicates with the remote server to send stolen information by email or text message, and its ability to change system settings gives the attacker almost full control of the device.
