Android.Spy.332.origin

Added to the Dr.Web virus database: 2016-11-22

Virus description added:

SHA1

  • cc832d04b6b7fd5f3fcf7265fc2f091a426a3351 – com.adups.fota package
  • 2f01be010f04cd7f7744932b1d30cfbfe000ad09 – com.adups.fota.sysoper package

Android.Spy.332.origin is an application that updates the firmware of Android devices over the air (OTA) and therefore has extended system privileges and functions. It can covertly download, install, and remove software, execute shell commands, and transmit information about the storage space on the device's internal and external storage as well as the list of installed applications. Initially, the program was not designed for malicious activity; however, one of its latest versions, which came preinstalled on some smartphones (for example, the BLU R1 HD), started performing Trojan functions, implemented in the associated packages com.adups.fota (main package) and com.adups.fota.sysoper (auxiliary package).

Every 72 hours, Android.Spy.332.origin sends the following data to the command and control server:

  • getSmsInPhone – information on existing SMS messages;
  • getCallLogList – information on phone calls made;
  • getMessageData – content of SMS messages;
  • getCellIDInfo (getBaseStationId/getCid) – information on the current mobile operator station;
  • mapNetworkTypeToType ("UNKNOWN";"GPRS";"EDGE"; "UMTS";"CDMA"; "EVDO_0"; "EVDO_A";"1xRTT"; "HSDPA";"HSUPA";"HSPA";"IDEN"; "EVDO_B"; "LTE"; "EHRPD";"HSPAP";"WIFI") – information on a mobile network type;
  • getRomMemroy – information on internal memory space;
  • getRamUsedDetail – information on RAM amount;
  • getSDCardMemorySize – information on SD card memory space;
  • isRootSystem – information on availability of root privileges;
  • querySysAppInfo – information on the installed system applications;
  • queryDataAppInfo – information on the installed user applications;
  • getRunningProcess – information on the running processes;
  • getDfBrowser – information on a current default browser;
  • getDfLauncher – information on the current default graphical shell;
  • hasShortCut – information on all existing shortcuts on the home screen.

To collect data on SMS messages and phone calls, the main module of Android.Spy.332.origin sends a request to the auxiliary module, which activates a content provider under the name com.ad.dinfo. The auxiliary module exposes content://com.ad.dinfo/msg, through which the main module eventually obtains access to all SMS messages (content://sms). The Trojan gains access to the phone call history by the same technique.

All information collected by the Trojan is saved to SQLite-like databases, which are then converted to JSON files, stored in a single directory, and sent to the remote server as a zip archive. The transferred data is first Base64-encoded and then encrypted with DES.

The Trojan sends data in the following format:

  • DcMobileStatus.json – {cell, apn, romused, ramused, builtinsdused, scused, root, dctime} – general information about a mobile device;
  • DcApp.json – {systemapps, dataapps, appused, dflauncher, dfbrowser, desktopshortcut, dctime} – information about the installed applications;
  • DcTellMessage.json – {tells, messages, dctime} – information about phone calls and the list of contacts involved in SMS messaging;
  • DcAppOp.json – {packagename, op, optime} – history of application installations and removals;
  • dc_app_flow.json – {appname, pkg_name, flow, dctime} – amount of data sent and received by each application since the system was booted;
  • dc_msg_key.json – {tell, md5, msg_type, dc_type, keyword, msg_date, dc_date} – information about SMS messages including their content;
  • DcRootInfo.json – {bin, xbin} – information about all files located in the system directories system/bin and system/xbin.
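As an added example (not from the Dr.Web description or the Adups code), a small Python triage helper for the zipped JSON bundle described above: it maps each file to the data category it carries and flags fields that deviate from the documented sets, which is useful when reviewing an intercepted upload after the DES and Base64 layers have been removed. The file names and field names come from the list above; the category labels and the sample bundle are constructed.

```python
import io
import json
import zipfile

# File names and fields are those in the Dr.Web description; category labels are ours.
EXPECTED = {
    "DcMobileStatus.json": ({"cell", "apn", "romused", "ramused", "builtinsdused",
                             "scused", "root", "dctime"}, "device status"),
    "DcApp.json": ({"systemapps", "dataapps", "appused", "dflauncher", "dfbrowser",
                    "desktopshortcut", "dctime"}, "installed applications"),
    "DcTellMessage.json": ({"tells", "messages", "dctime"}, "call log and SMS contacts"),
    "DcAppOp.json": ({"packagename", "op", "optime"}, "install/remove history"),
    "dc_app_flow.json": ({"appname", "pkg_name", "flow", "dctime"}, "per-app traffic"),
    "dc_msg_key.json": ({"tell", "md5", "msg_type", "dc_type", "keyword",
                         "msg_date", "dc_date"}, "SMS content"),
    "DcRootInfo.json": ({"bin", "xbin"}, "system binaries"),
}


def triage_bundle(zip_bytes):
    """Per file: data category, record count, and deviation from the documented fields."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name not in EXPECTED:
                report[name] = {"category": "unrecognised", "records": None, "missing": [], "extra": []}
                continue
            fields, category = EXPECTED[name]
            data = json.loads(zf.read(name))
            # A file holds either one object or a list of records; non-dict entries are skipped.
            records = [r for r in (data if isinstance(data, list) else [data])
                       if isinstance(r, dict)]
            seen = set().union(*(r.keys() for r in records))
            report[name] = {"category": category, "records": len(records),
                            "missing": sorted(fields - seen), "extra": sorted(seen - fields)}
    return report


def build_sample_bundle():
    """Constructed sample bundle (not a real capture) covering three of the files."""
    files = {
        "DcMobileStatus.json": {"cell": "0", "apn": "internet", "romused": 1024, "ramused": 512,
                                "builtinsdused": 0, "scused": 0, "root": 0, "dctime": "0"},
        "dc_msg_key.json": [{"tell": "+10000000000", "md5": "0" * 32, "msg_type": 1, "dc_type": 0,
                             "keyword": "", "msg_date": "0", "dc_date": "0"}],
        "DcTellMessage.json": {"tells": [], "messages": []},  # dctime deliberately omitted
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, obj in files.items():
            zf.writestr(name, json.dumps(obj))
    return buf.getvalue()
```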

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom payment, or some other announcement prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular device, this can be done in various ways; consult the user guide that was shipped with the device or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android Light on the infected handheld and run a full system scan; follow the recommended steps to neutralize the threats that have been detected;
    • Switch off your device and turn it on again as normal.
