Thursday, March 26, 2015

Android threatened again! – EGospodarka

Cybercriminals are attacking again, and this time the targets are Android users. Anyone who receives an SMS about a delayed e-mail that redirects to the site of one of the popular file-sharing services should beware. A threat lies in wait there: the Android.Titan.1 virus, which takes over the phone once installed. Sending text messages, making calls and swapping phone numbers in the phone book are some of its skills.

As reported by Dr. Web, the new Trojan for Android is designed primarily to attack mobile devices in South Korea. It is distributed through an SMS message containing information about an undelivered e-mail and a link to obtain details about this "problem". A user who follows the cybercriminals' instructions is redirected to a page on one of the popular file-sharing services, from which the apk file of the malicious application is downloaded automatically to the mobile device. However, to infect the operating system, the Trojan needs an unwary user to carry out its installation.
After successful installation, Android.Titan.1 creates a shortcut on the home screen of the mobile device and waits to be started by the user. After the first successful launch, the malicious application removes the previously created icon and continues to run in the background. At the same time, the Trojan deletes the last SMS conversation stored in memory. In most cases, this conversation is the spam SMS that gave the Trojan access to the target device. From that moment, Android.Titan.1 runs without any user intervention and starts by itself at boot time.
Android.Titan.1 relies on several malicious system services that the Trojan starts while it operates. For example, one of these services checks whether Android.Titan.1 is the default SMS manager and, if it is not, tries to change the system settings.

The Trojan then waits for an Internet connection, connects to the command and control server, and uploads details of the affected mobile device to it, including the device model, operating system version, network connection, MAC address, IMEI, IMSI, and the victim's mobile phone number.

In response, the malware can receive from the server one of the commands used to:

  • Start a service that searches for and terminates all processes associated with the application com.kakao.talk
  • Start a service that swaps phone numbers in the phone book
  • Change the device's ringer mode (silent, vibration, general) and set the ringer volume
  • Start a service that sends SMS messages with the parameters specified in the command
  • Start a service that calls certain numbers (during the call the device's screen remains inactive, the same as in standby mode)
  • Send the server the information (names and corresponding numbers) stored in the contacts list
  • Start a service that displays specific text and an accompanying image in the system notification bar

Because it can hide phone calls and periodically monitors the screen activity of the infected device, Android.Titan.1 lets cybercriminals order the Trojan to place calls when the infected device has been in standby mode for a long time. Immediately after the call starts, the screen is locked again, so the user has no chance to become suspicious and realize that cybercriminals are making an unwanted phone call.

Android.Titan.1 is able to monitor all incoming SMS messages and hide from the user those that meet the criteria set by the virus creators. In addition, the command and control server receives detailed information about all incoming SMS messages, including the sender, the date and time of the message, and its contents. The data can also be sent later: the malicious program places the captured data in a special database stored locally on the device and waits for an Internet connection to upload the queued messages to the server.

In addition, Android.Titan.1 implements another formidable capability. Every minute the Trojan checks whether the user is making a phone call. If so, the call is recorded to an amr file (an audio file) stored in the Trojan's working directory. This file, together with detailed information about the calls made by the user, is then uploaded to the remote server; if the device is not currently connected to the Internet, it is queued, as with intercepted text messages. The Trojan can also block incoming or outgoing calls to certain numbers, answer calls, and delete them from the system log.

The main feature of this Trojan is that its basic functions are implemented in a separate Unix library (detected as Android.Titan.2), while the majority of known malware for Android includes these functions in the standard dex executable. For this reason, the Android.Titan.1 dex file is used only as an auxiliary component containing the minimum of functions the Trojan needs to operate. This technique of creating Android malware is very rare, and for this reason many anti-virus programs cannot detect this malicious application.
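
A static triage check for the layout described above, written as an added example (not from Dr. Web or the original article): it flags an APK whose dex is tiny while its code sits mostly in lib/*.so, so the native library gets analysed first. The thresholds, function names and in-memory sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Triage thresholds: assumptions chosen for this example, not values from the report.
MAX_DEX_BYTES = 64 * 1024   # a dex this small can hold little more than loader code
MIN_NATIVE_RATIO = 4.0      # native code must outweigh the dex by this factor

def triage_apk(apk_bytes):
    """Summarise where an APK's code lives and flag the stub-dex/native-heavy layout."""
    dex_size, native_size, native_libs = 0, 0, []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            # classes.dex, classes2.dex, ... live at the archive root
            if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
                dex_size += info.file_size
            # native libraries are packaged as lib/<abi>/<name>.so
            elif name.startswith("lib/") and name.endswith(".so"):
                native_size += info.file_size
                native_libs.append(name)
    ratio = native_size / dex_size if dex_size else float("inf")
    flagged = bool(native_libs) and dex_size <= MAX_DEX_BYTES and ratio >= MIN_NATIVE_RATIO
    return {"dex_bytes": dex_size, "native_bytes": native_size,
            "native_libs": sorted(native_libs), "flagged": flagged}

def build_sample(dex_len, so_len):
    """Build a constructed APK-shaped zip in memory (filler bytes, no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x00" * 16)
        z.writestr("classes.dex", b"\x00" * dex_len)
        if so_len:
            z.writestr("lib/armeabi/libsample.so", b"\x00" * so_len)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {
        "stub dex + large native lib": build_sample(8 * 1024, 200 * 1024),
        "ordinary dex-heavy app": build_sample(500 * 1024, 100 * 1024),
        "pure dex app": build_sample(300 * 1024, 0),
    }
    for label, data in samples.items():
        print(label, triage_apk(data))
```

Many legitimate apps, games in particular, also ship large native libraries, so a flag is a reason to inspect the .so files, not a verdict.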

Doctor Web security analysts believe that Android.Titan.1 is still under development, because it contains a lot of mistakes and some of its functionality is still unimplemented. For this reason, a much more functional version of this dangerous malicious application cannot be ruled out in the future.


Doctor Web security analysts informed the technical support of the file-sharing service that hosted the Trojan file, and the page from which it was downloaded is currently unavailable. However, nothing prevents cybercriminals from hosting the Trojan on another similar server. Dr.Web for Android and Dr.Web for Android Light successfully detect and remove Android.Titan.1, so users of Dr.Web for mobile devices are protected against this threat.
