akpspeedy.blogg.se

Google chrome install malware
Our research team has recently seen a large amount of activity in our cloud related to an Android infostealer disguised as a Google Chrome update. This malware is capable of harvesting call logs, SMS data, browser history and banking information and is sending it to a remote command and control (C&C) server. This malware is also capable of checking the installed antivirus applications and terminating them to evade detection.

Following is a sample of URLs we have seen where the malware is being downloaded. You can observe that the malware author is using domain squatting to mix up the host name similar to Google updates. These URLs are observed to be very short lived and are regularly replaced with newer ones to serve the malware and effectively evade URL based filtering. The file that gets downloaded from these URLs is called “Update_chrome.apk”.

Once the user installs the APK, it prompts for the administrative access. Following is the code routine and a screenshot showing this malware getting installed as an app, having administrative access.

This malware payload is capable of checking for installed security applications and terminating them. We saw hard coded checks for antivirus applications like Kaspersky, ESET, Avast and Dr.

Once installed, the malware registers the device with the C&C server. Observe following code and network capture showing the registration of infected device.

Code routine - Infected device registration to C&C.

Network capture - Infected device registration to C&C.

Once registration is completed, the malware monitors SMS and call operations done on the infected device. In the following image, you can see the malware harvesting call logs and sending it to C&C server. It watches all the incoming, outgoing and missed calls.

Code routine - Call log harvesting and sending to C&C server.

Network capture - Call log harvesting and sending to C&C server.
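The delivery pattern described above (an .apk served from short-lived hosts whose names imitate Google update domains, always under the same file name) is something a defender can triage from web proxy logs without knowing the rotating URLs in advance. The following is an added example written for this page, not code from the original post or from the research team: it parses constructed proxy log lines, flags .apk downloads from hosts that carry Google/Chrome branding but are not under a Google-owned domain, and separately flags the file name the post reports. The log format, the hostnames and the `GOOGLE_SUFFIXES` list are assumptions; the suffix check is a simplified stand-in for a proper public-suffix lookup.

```python
"""Proxy-log triage for Chrome-update lookalike APK downloads.

Added example for this page. Log lines and hostnames below are constructed,
not taken from the analysed campaign.
"""
import re
from urllib.parse import urlparse

# Domains treated as genuinely Google-owned (assumed list; a real deployment
# would use a maintained allow-list and a public-suffix library).
GOOGLE_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com", "android.com")

# Branding words whose presence in a NON-Google host suggests domain squatting.
BRAND_WORDS = ("google", "chrome", "android", "update")

# Dropper file name reported in the post (compared case-insensitively).
KNOWN_APK_NAME = "update_chrome.apk"

# Assumed log layout: <timestamp> <client-ip> "<METHOD> <url>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3})$'
)


def is_google_owned(host: str) -> bool:
    """True only if host equals, or is a subdomain of, a Google-owned suffix.
    'google.com.evil.example' does NOT match, which is the point."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def squats_google(host: str) -> bool:
    """Non-Google host that borrows Google/Chrome/update branding."""
    return not is_google_owned(host) and any(w in host.lower() for w in BRAND_WORDS)


def triage_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; skip rather than guess
    url = urlparse(m["url"])
    host = url.hostname or ""
    filename = url.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if filename.endswith(".apk") and squats_google(host):
        reasons.append("apk from google-lookalike host")
    if filename == KNOWN_APK_NAME:
        reasons.append("known dropper filename")
    if not reasons:
        return None
    return {"client": m["client"], "host": host, "file": filename, "reasons": reasons}


def triage(lines):
    """Run triage_line over a log and keep only the findings."""
    return [hit for hit in (triage_line(l) for l in lines) if hit]


# Constructed sample log (not real telemetry). Lines 2 and 3 model the
# campaign's delivery; the others are benign traffic that must not fire.
SAMPLE_LOG = [
    '2016-04-20T10:01:02Z 10.0.0.12 "GET http://dl.google.com/chrome/install/ChromeSetup.exe" 200',
    '2016-04-20T10:02:15Z 10.0.0.15 "GET http://google-update.example-cdn.net/Update_chrome.apk" 200',
    '2016-04-20T10:03:44Z 10.0.0.15 "GET http://chrome-updates.example.org/files/Update_chrome.apk" 200',
    '2016-04-20T10:04:10Z 10.0.0.20 "GET http://play.google.com/store/apps/details?id=com.android.chrome" 200',
    '2016-04-20T10:05:00Z 10.0.0.21 "GET http://files.example.net/tools/notes.apk" 200',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Because the URLs rotate, the host-based rule carries the detection; the file-name rule is a cheap second signal that also catches the same dropper served from a host without branding. Either finding is a reason to pull the client's subsequent traffic and look for the registration and call-log uploads described later in the post.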