Tuesday, April 21, 2015

Android Trojan Spy goes 2 years undetected

This "special" piece of Android Trojan Spy was developed more than two years ago and until now was completely undetected. The first upload of this Trojan to VirusTotal was on April 9th, 2013. It will probably not run properly these days because it targets SDK 15 (Android 4.0.3). The spy has no launcher icon and starts its malicious activity after receiving a broadcast intent. The gathered personal data are then sent to the attacker. The server that receives the collected information is still active and probably still stores the received data.

Pic 1: Trojan Spy – Proxy (the installed malicious Proxy application)


The malicious functionality is triggered by receiving the user-present broadcast (device unlock), by a connectivity change, or by receiving a text message. After that, information gathering begins. The malware steals personal data such as messages, call log history, location, received SMS, Wi-Fi status (including the SSID), whether mobile data is enabled or disabled, the IMEI number, and even your account user names. These data are stored in a text file on the primary external storage directory together with the malware's own logs (time, current action, exceptions, server response code, and so on). The gathered information is then sent to the remote server every 30 minutes.
If Wi-Fi is turned off and mobile data is disabled, the malware waits until the screen is turned off, enables mobile data, sends the collected information to the server, deletes the file with the stored data and disables mobile data again. Everything therefore happens without the user's knowledge and goes unnoticed. The personal data are sent unencrypted, in plaintext, over HTTP.
The server is still alive and, judging by its response, it is storing the received data in a database.
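The behaviour described above (no launcher icon, receivers for the unlock, connectivity-change and SMS broadcasts, and permissions that cover SMS, call log, location, device identity, accounts and network state) can be turned into a static triage heuristic over an app's AndroidManifest.xml. The following Python script is an added example written for this post, not code from the Trojan or from the author; the embedded manifest is constructed for illustration (the package name, class names and permission set are placeholders modelled on the text, not the sample's real manifest), and the scoring thresholds are the example's own assumptions.

```python
"""Static triage of an Android manifest for the hidden-spy pattern described
in the post. The manifest below is CONSTRUCTED for this example; package and
class names are placeholders, not taken from the analysed sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes in ElementTree

# Broadcast actions the post names as triggers (real Android action strings).
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT",          # device unlocked
    "android.net.conn.CONNECTIVITY_CHANGE",        # connectivity changed
    "android.provider.Telephony.SMS_RECEIVED",     # text message received
}

# Permissions that together cover the data the post says is collected.
SPY_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",         # IMEI
    "android.permission.GET_ACCOUNTS",             # account user names
    "android.permission.ACCESS_WIFI_STATE",        # SSID / Wi-Fi status
    "android.permission.CHANGE_NETWORK_STATE",     # toggle mobile data
    "android.permission.WRITE_EXTERNAL_STORAGE",   # log file on SD card
    "android.permission.INTERNET",                 # upload to server
}

# Constructed manifest: no launcher activity, only broadcast receivers.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.placeholder.proxy">
    <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="15"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Proxy">
        <receiver android:name=".TriggerReceiver">
            <intent-filter>
                <action android:name="android.intent.action.USER_PRESENT"/>
                <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".UploadService"/>
    </application>
</manifest>
"""


def analyse_manifest(xml_text):
    """Return the manifest features relevant to the hidden-spy pattern."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    receiver_actions = set()
    for recv in root.iter("receiver"):
        for act in recv.iter("action"):
            receiver_actions.add(act.get(A + "name"))
    has_launcher = any(
        "android.intent.category.LAUNCHER" in {c.get(A + "name") for c in act.iter("category")}
        for act in root.iter("activity")
    )
    return {
        "package": root.get("package"),
        "has_launcher": has_launcher,
        "triggers": sorted(receiver_actions & TRIGGER_ACTIONS),
        "spy_permissions": sorted(perms & SPY_PERMISSIONS),
    }


def triage_score(features):
    """Assumed scoring: one point per trigger, one per spy permission,
    plus three for having no launcher activity at all."""
    score = len(features["triggers"]) + len(features["spy_permissions"])
    if not features["has_launcher"]:
        score += 3
    return score


def verdict(xml_text, threshold=10):
    """Classify a manifest as 'suspicious' or 'benign-looking' (assumed threshold)."""
    features = analyse_manifest(xml_text)
    return ("suspicious" if triage_score(features) >= threshold else "benign-looking"), features


if __name__ == "__main__":
    label, feats = verdict(SAMPLE_MANIFEST)
    print(label, feats)
```

Such a heuristic is a triage aid rather than a detection signature: plenty of legitimate apps request several of these permissions, so the combination of no launcher activity, broadcast-only entry points and the full data-collection permission set is what should raise the score, and a hit should route the APK to manual analysis.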

Pic 2: Trojan communication (Proxy Trojan communication with the server)
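On the network side, the upload pattern described above (the same device posting to the same plaintext HTTP endpoint every 30 minutes) is a classic beacon and can be picked out of web-proxy logs by looking for request series with a nearly constant interval. The script below is an added example written for this post, not the author's tooling; the log lines are constructed in a simple space-separated proxy format (timestamp, client, method, URL, status), the server host name is a placeholder rather than the real command server, and the jitter tolerance is an assumed threshold.

```python
"""Beacon detection over constructed proxy log lines, modelled on the post's
30-minute plaintext HTTP upload. Host names are placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# CONSTRUCTED log: client 10.0.0.5 posts to the placeholder server every ~30 min
# in between ordinary browsing; 10.0.0.7 is normal traffic only.
SAMPLE_LOG = """\
2015-04-21T08:00:02 10.0.0.5 POST http://c2.placeholder.example/upload.php 200
2015-04-21T08:03:10 10.0.0.5 GET http://news.example/index.html 200
2015-04-21T08:30:05 10.0.0.5 POST http://c2.placeholder.example/upload.php 200
2015-04-21T08:41:33 10.0.0.7 GET http://news.example/index.html 200
2015-04-21T09:00:01 10.0.0.5 POST http://c2.placeholder.example/upload.php 200
2015-04-21T09:30:04 10.0.0.5 POST http://c2.placeholder.example/upload.php 200
2015-04-21T10:00:06 10.0.0.5 POST http://c2.placeholder.example/upload.php 200
2015-04-21T10:12:40 10.0.0.7 POST http://news.example/login 302
2015-04-21T10:58:00 10.0.0.7 GET http://news.example/index.html 200
"""


def parse_log(text):
    """Parse 'timestamp client method url status' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        events.append((datetime.fromisoformat(ts), client, method, url, int(status)))
    return events


def find_beacons(events, min_hits=4, max_jitter_ratio=0.05):
    """Group requests by (client, method, url) and flag series whose gaps
    between consecutive requests stay within max_jitter_ratio of the median
    gap. Thresholds are assumptions for this example."""
    series = defaultdict(list)
    for ts, client, method, url, _status in events:
        series[(client, method, url)].append(ts)

    findings = []
    for (client, method, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = max(abs(g - med) for g in gaps) / med
        if jitter <= max_jitter_ratio:
            findings.append({
                "client": client,
                "method": method,
                "url": url,
                "hits": len(times),
                "interval_s": med,
                "jitter": jitter,
                # the post's point: the exfiltration channel is unencrypted
                "plaintext": url.startswith("http://"),
            })
    return findings


def detect(text):
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print("beacon: %(client)s %(method)s %(url)s every %(interval_s).0fs "
              "(%(hits)d hits, plaintext=%(plaintext)s)" % f)
```

Because the Trojan only uploads when a data path exists (enabling mobile data while the screen is off if Wi-Fi is unavailable), the series seen by any single proxy may have gaps; the median-based interval check tolerates a missed slot better than a strict fixed-period match would, and a plaintext POST to an uncommon host at a fixed period is a strong lead regardless of which access network carried it.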

To obtain the device location it uses the Google Gears API, which is no longer available, so it cannot access the location these days. It has built-in functionality for sending log output and, as you can see in Pic 3, the Trojan throws an exception when it tries to access the location.

Pic 3: LogCat output (console output from the Proxy Trojan)

If the user has turned on Google's app verification, which checks potentially harmful applications installed from "Unknown sources", Google displays a window recommending that the user not install this application.

Pic 4: Google app verification (Google detects the app as harmful)

Detection rate by antivirus engines on VirusTotal and AndroTotal:

Pic 5: VirusTotal detection (Trojan Proxy is not detected)

Pic 6: Mobile detection from AndroTotal (Trojan Proxy is not detected by AndroTotal)


File type