Customizable Trojan hides itself and silently collects confidential information

This malicious app was detected by Trustlook as “Android.Trojan.Hideicon”, with a severity rating of 8/10 (High Risk). It disguises itself as a WiFi utility program and steals users’ information. The app targets smartphone users in Brazil, which is why the Trojan’s text is written in Portuguese.

The analyzed Trojan package has the following characteristics:

  • MD5: 37B9D06D45246FFCAB932A24D129DACE
  • SHA256: 8F88208D6654A1B25CE9689A9569E2EE16501B25101EF316F50A6B50CED849C0
  • Size: 872359 bytes
  • App name: WiFI
  • Package name: com.wifi.wifi

The package icon is:

[Screenshot: package icon]


Upon execution, the app persuades the user to grant it device administrator access in order to maintain persistence on the device:

[Screenshot: device administrator activation prompts]

If the device is rooted, the app repeatedly requests root privileges:

[Screenshot: root privilege request]

The app contacts “meuspy.com” and sends the collected information via HTTPS:

[Screenshot: HTTPS connection to meuspy.com]

The unencrypted network traffic is shown below:

[Screenshot: captured request in plaintext]

The following code snippets demonstrate how the malware constructs and sends the above request:

[Screenshot: code that builds and sends the request]

The website “meuspy.com” is behind the app. From the “How it works” section, the site claims:

“The system works as a spyware, it captures the phone information and sends it to the Web server, all data is stored on our server and can only be seen by you through a username and password, text messages are encrypted within the server, so if a hacker invades the server it will not be able to read the messages.”

The headline feature of the service is that the app can be customized and given any other name, so that users cannot find and uninstall it. If the device is rooted, it is even harder for users to get rid of it.

The malware can collect the following information from the device:

  • SMS
  • Contacts
  • Call history
  • GPS location
  • WhatsApp messages
  • Photos and videos

In addition, the malware can perform the following actions:

  • Take picture
  • Record video
  • Record audio
  • Take screenshot
  • Update
  • Uninstall

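The device-administrator persistence described above and the capability lists just given translate directly into a static triage check. The following Python script is an added example written for this post, not Trustlook’s tooling or code from the sample: it matches a file against the hashes, package name and domain published above, parses an AndroidManifest.xml for a BIND_DEVICE_ADMIN receiver, and maps requested permissions onto the data categories the Trojan collects. The manifest and APK bytes it runs on are constructed here for illustration; the thresholds and verdict labels are this example’s own choices.

```python
import hashlib
import xml.etree.ElementTree as ET

# Indicators taken from the report above (Android.Trojan.Hideicon sample).
KNOWN_BAD_MD5 = {"37b9d06d45246ffcab932a24d129dace"}
KNOWN_BAD_SHA256 = {"8f88208d6654a1b25ce9689a9569e2ee16501b25101ef316f50a6b50ced849c0"}
KNOWN_BAD_PACKAGES = {"com.wifi.wifi"}
KNOWN_BAD_DOMAINS = {"meuspy.com"}

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions that grant the data categories listed in the report.
CAPABILITY_PERMISSIONS = {
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "Contacts": {"android.permission.READ_CONTACTS"},
    "Call history": {"android.permission.READ_CALL_LOG"},
    "GPS location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "Camera/video": {"android.permission.CAMERA"},
    "Audio": {"android.permission.RECORD_AUDIO"},
    "Storage (photos, app data)": {"android.permission.READ_EXTERNAL_STORAGE",
                                   "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Constructed manifest resembling a disguised "WiFi" utility (not the sample's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wifiutil">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="WiFI">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed stand-in for the APK's string table (hashes will NOT match the published IoCs).
SAMPLE_APK_BYTES = b"...constructed classes.dex strings... https://meuspy.com/ ..."


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 of the file, lower-case hex, for IoC comparison."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def parse_manifest(manifest_xml: str) -> dict:
    """Extract package name, requested permissions and device-admin receiver from a manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    device_admin = any(r.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    return {"package": root.get("package", ""), "permissions": permissions,
            "device_admin": device_admin}


def triage(manifest_xml: str, apk_bytes: bytes) -> dict:
    """Combine IoC matching with a permission/persistence heuristic into a verdict."""
    info = parse_manifest(manifest_xml)
    hashes = file_hashes(apk_bytes)
    findings = []
    ioc_hit = (hashes["md5"] in KNOWN_BAD_MD5 or hashes["sha256"] in KNOWN_BAD_SHA256
               or info["package"] in KNOWN_BAD_PACKAGES)
    if ioc_hit:
        findings.append("matches a published indicator (hash or package name)")
    domains = sorted(d for d in KNOWN_BAD_DOMAINS if d.encode() in apk_bytes)
    if domains:
        findings.append("references known C2 domain(s): " + ", ".join(domains))
    capabilities = sorted(name for name, perms in CAPABILITY_PERMISSIONS.items()
                          if perms & info["permissions"])
    if info["device_admin"]:
        findings.append("requests device-administrator binding (persistence)")
    if len(capabilities) >= 3:
        findings.append("broad surveillance permission set: " + ", ".join(capabilities))
    if ioc_hit:
        verdict = "known_malicious"
    elif info["device_admin"] and len(capabilities) >= 3:
        verdict = "suspicious"   # persistence plus wide data access, as in this Trojan
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "capabilities": capabilities,
            "findings": findings, "hashes": hashes}


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_APK_BYTES)["findings"]:
        print("-", line)
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool or androguard) before being handed to parse_manifest. Note also that the manifest check cannot see the icon hiding itself: an app can keep a normal LAUNCHER activity in its manifest and disable it at runtime through PackageManager.setComponentEnabledSetting, so a present launcher entry is not evidence that the icon stays visible.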
The following code snippets are used to steal WhatsApp messages:

[Screenshot: code that reads WhatsApp messages]

The following code snippets are used to download the APK and upgrade itself:

[Screenshot: code that downloads an APK and updates the app]

Summary
The Android.Trojan.Hideicon malware steals information silently and performs malicious actions without the user’s consent. Moreover, it allows the attacker to customize the app in order to avoid detection.
