Most of the previous Android malware we have seen has either sent text messages or made calls to various premium service numbers in order to make some easy money.
This particular Trojan records conversations in AMR format, as allowed by the permissions the user has approved.
When the program is installed it requests permissions to allow it to perform the following actions:
Access Cell-ID and WiFi location
Access Cell-ID and WiFi updates
Access GPS location
Access information about WiFi networks
Allow low-level access to power management
Allow read only access to phone state
Allow the use of PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming
Initiate a phone call without going through the dialer user interface (so that the user is unaware of any outgoing calls made by the Trojan)
Monitor, modify or abort outgoing calls
Open network sockets
Read SMS messages
Read the user’s contacts data
Record audio
Send SMS messages
Write (but not read) the user’s contacts data
Write SMS messages
Write to external storage
When the Trojan is executed it programs itself to initiate whenever the device starts by waiting for the following command:
android.permission.ACTION_BOOT_COMPLETED
It may then start any of the following services:
GpsService
MainService
RecordService
SocketService
XM_SmsListener
XM_CallListener
XM_CallRecordService
The program then sends an SMS containing the IMEI of the device to the following phone number:
15859268161
It then records the following information:
All phone call content
GPS infomation
Received SMS messages
Sent SMS messages
The above information is written to the SD card in the following location:
/sdcard/shangzhou/callrecord/
The gathered information is then sent to the following location on port 2018:
jin.56mo.com
The best defense against this sort of malware is to pay attention to the permissions that an application is asking for. Ask yourself – does this app really need all these capabilities? If in doubt, say no!
Those who have missed our earlier post, we have released our product for Andriod phones. Quick Heal Mobile Security for Android detects the file as Android.Nickispy.A.
To avail the introductory 50% discount offer please visit our Quick Heal Mobile Security page here.
To download the free trial version for your Android device please visit the Android Market after clicking on the following link:
No Comments, Be The First!