So far, Android.BackDoor has 17 variants, namely the following (P.S. I'm not saying that these are the only Android.BackDoor trojans):
- Android.BackDoor.20
- Android.BackDoor.39
- Android.BackDoor.40
- Android.BackDoor.41
- Android.BackDoor.42
- Android.BackDoor.43
- Android.BackDoor.44
- Android.BackDoor.45
- Android.BackDoor.46
- Android.BackDoor.96
- Android.BackDoor.114
- Android.BackDoor.159
- Android.BackDoor.176
- Android.BackDoor.196
- Android.BackDoor.213
- Android.BackDoor.260
- Android.BackDoor.273
How come the Android.BackDoor family has so many variants?
It's because, like I've said earlier, this malware can perform just about anything the malware dev codes or asks it to do, depending on the malware dev's modifications.
Let's first start with the not-so-complex BackDoor variants:
- Android.BackDoor.159
Android.BackDoor.159 was designed to secretly install and remove apps on an infected device.
At the malware's initial launch, it retrieves the infected device's IMEI, IMSI, SD card information, total and free amount of internal and external memory, and the list of installed applications. All of this information is sent to a remote server via a POST request. Every 24 hours, the malware refreshes and re-uploads the infected device's information to the remote server.
The remote server then responds with a JSON file embedded with malicious controlling commands: the list of applications to be installed on the infected device (using the pm install -r console command) and the list of applications to be uninstalled (using the pm uninstall console command).
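As an added example (not code from the original post or from Dr.Web), here is a defender-side check in Python that diffs two `pm list packages -f` snapshots to surface the silent install/uninstall activity described above. The snapshots and package names are constructed, and the "reinstall shows up as a changed APK path" heuristic is an assumption.

```python
"""Added example (not from the original article): diff two `pm list packages -f`
snapshots to spot apps that Android.BackDoor.159-style malware silently installed,
removed or reinstalled via `pm install -r` / `pm uninstall`."""
import re
from typing import Dict, Set

# Each line of `pm list packages -f` reads: package:<apk path>=<package name>
_LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs


def diff_packages(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return packages added, removed, or reinstalled (APK path changed) since baseline."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    # Assumption: `pm install -r` over an existing package lands the new APK in a
    # fresh directory (e.g. com.foo-1 -> com.foo-2), so a changed path on a
    # surviving package is treated as a reinstall indicator.
    reinstalled = {p for p in set(baseline) & set(current) if baseline[p] != current[p]}
    return {"added": added, "removed": removed, "reinstalled": reinstalled}


# Constructed snapshots: BASELINE at enrolment, CURRENT taken 24 hours later.
BASELINE = """\
package:/system/priv-app/Contacts/Contacts.apk=com.android.contacts
package:/data/app/com.example.bank-1/base.apk=com.example.bank
package:/data/app/com.example.game-1/base.apk=com.example.game
"""
CURRENT = """\
package:/system/priv-app/Contacts/Contacts.apk=com.android.contacts
package:/data/app/com.example.bank-2/base.apk=com.example.bank
package:/data/app/com.example.dropper-1/base.apk=com.example.dropper
"""


def check_sample() -> Dict[str, Set[str]]:
    return diff_packages(parse_pm_list(BASELINE), parse_pm_list(CURRENT))


if __name__ == "__main__":
    print(check_sample())
```

Run it against real snapshots by piping `adb shell pm list packages -f` into a file at enrolment and again on a schedule; anything in "added" or "removed" that no user or MDM action explains deserves a look.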
- Android.BackDoor.96
Android.BackDoor.96.origin is a trojan horse disguised as a certain legitimate mobile anti-virus app.
Android.BackDoor.96.origin may perform actions such as:
• Intercept SMS
• Send MMS
• Acquire contact information
• Steal browser history
• Acquire GPS coordinates
• Turn the infected device's mic on or off
• Acquire call history
• Record phone calls
• Send USSD queries
• Output messages to the infected device's screen
All gathered information from the infected device will be sent to a remote server.
Image: Android.BackDoor.96.origin disguised as a fake Kaspersky Antivirus app
In the next article, I will be tackling a BackDoor variant that can also root an infected device.
Article Refs: http://vms.drweb.com/search/?q=Android.Backdoor (for Android.BackDoor), http://vms.drweb.com/virus/?_is=2&i=4356092 (for Android.BackDoor.159), and http://vms.drweb.com/virus/?_is=2&i=4113217 (for Android.BackDoor.96)