Smartphones (with the help of apps) are very handy and convenient nowadays. You can use them for just about anything: as a remote control for your smart TV, a calculator or unit converter (inches to centimeters, liters to gallons, that sort of thing), a sketchpad, a timer, a pedometer, a flashlight, and so on.
Speaking of flashlights and apps, there is a supposed flashlight app, detected as Android.Toorch.1.origin, that turns out to be not so handy. (Handy for malware devs, I guess.)
What does Android.Toorch.1.origin do?
Android.Toorch.1.origin is actually a Trojan that disguises itself as a torch (flashlight) app. It can be downloaded by adware, and it may also be found on popular websites offering downloadable software.
[Image: Android.Toorch.1.origin's sample image]
When the app is installed and launched, the Trojan sends the following information about the infected device to its command and control server:
- current time
- current location
- IMEI
- the device's unique ID generated by the Trojan
- trojan's version
- root access availability
- availability of an active Wi-Fi connection
- OS version
- current system language
- device model and manufacturer
- trojan's package name
- network connection type
While gathering information from the infected device, the Trojan also attempts to obtain root privileges using a modified package named 'com.apkol.root'.
If the Trojan obtains root privileges, it extracts a file (libandroid.jar) from its program package and plants it in the system directory /system/app as an app named 'NetworkProvider.apk', then launches the system service that corresponds to that application. Android.Toorch.1.origin also extracts the libimpl.jar file (aka Android.Toorch.2.origin) from the program package and loads it into memory using the DexClassLoader class. This file contains the Trojan's main malicious functionality: downloading, installing and removing applications on command from the malware operator.
NetworkProvider.apk can be modified to carry an additional program component (an ELF file) in the program package. This file is placed in the infected device's system directory /system/app under the name GDataAdapter and launched. It ensures that the user cannot interrupt Android.Toorch.1.origin: if the Trojan's process is ever terminated, GDataAdapter launches it again.
Furthermore, various modifications of the Trojan can embed the GoogleSettings.apk component into the infected device's system directory. GoogleSettings.apk has the same function as NetworkProvider.apk. This program contains Adware.Avazu.1.origin, an adware that then gets embedded into the infected device's system.
Simply put, Android.Toorch.1.origin contains an adware named Adware.Avazu.1.origin.
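The write-up names several concrete artifacts an infected device carries: the 'com.apkol.root' root package, the NetworkProvider.apk, GDataAdapter and GoogleSettings.apk files planted in /system/app, and the libandroid.jar / libimpl.jar payloads bundled inside the dropper's APK. The following Python triage script is an added example (not code from the original post or from Dr.Web) that checks a /system/app listing, an installed-package list and an APK file against exactly those indicators. The function names and the sample inputs are constructed for illustration; the APK built in `build_sample_apk` is a plain zip that only mimics the payload file names.

```python
import io
import zipfile
from typing import Dict, List

# Indicators taken from the write-up above: files the Trojan drops into
# /system/app, the root package it carries, and the jar payloads it
# extracts from its own APK.
SYSTEM_APP_DROPS = {"NetworkProvider.apk", "GDataAdapter", "GoogleSettings.apk"}
ROOT_PACKAGE = "com.apkol.root"
PAYLOAD_JARS = {"libandroid.jar", "libimpl.jar"}


def check_system_app_listing(listing: List[str]) -> List[str]:
    """Return entries of a /system/app listing whose name matches a dropped file."""
    return sorted(name for name in listing if name.strip() in SYSTEM_APP_DROPS)


def check_installed_packages(packages: List[str]) -> List[str]:
    """Return installed package names equal to the root-exploit package.

    Accepts the raw 'package:com.foo' lines that 'pm list packages' prints.
    """
    cleaned = [p.strip().removeprefix("package:") for p in packages]
    return [p for p in cleaned if p == ROOT_PACKAGE]


def check_apk_payloads(apk_bytes: bytes) -> List[str]:
    """Return zip entries inside an APK whose base name is a known payload jar."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            base = entry.rsplit("/", 1)[-1]
            if base in PAYLOAD_JARS:
                hits.append(entry)
    return sorted(hits)


def triage(listing: List[str], packages: List[str], apk_bytes: bytes) -> Dict[str, List[str]]:
    """Run all three checks and collect the matches per source."""
    return {
        "system_app": check_system_app_listing(listing),
        "packages": check_installed_packages(packages),
        "apk_payloads": check_apk_payloads(apk_bytes),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for a suspicious APK: a zip carrying the payload jar names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/libandroid.jar", b"not-a-real-jar")
        zf.writestr("assets/libimpl.jar", b"not-a-real-jar")
        zf.writestr("classes.dex", b"dex\n035")
    return buf.getvalue()


# Constructed sample inputs, not taken from a real device.
SAMPLE_LISTING = ["Bluetooth.apk", "NetworkProvider.apk", "GDataAdapter", "Settings.apk"]
SAMPLE_PACKAGES = ["package:com.android.settings", "package:com.apkol.root", "package:com.example.torch"]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING, SAMPLE_PACKAGES, build_sample_apk())
    for source, hits in result.items():
        print(f"{source}: {hits if hits else 'clean'}")
```

On a real device the first two inputs come from `adb shell ls /system/app` and `adb shell pm list packages`; the APK bytes come from the suspected torch app pulled with `adb pull`. A name match is a triage hint rather than proof: the dropped files are deliberately named to look like system components, so a hit under /system/app on a device that was never intentionally rooted is the part that deserves attention.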
Article Ref: http://vms.drweb.com/virus/?i=4363027&lng=en