New malware was detected this week by Kaspersky. At first glance the threat looks like a common malicious file, but after investigation and analysis this Trojan goes beyond what was expected. The malware exploits several vulnerabilities in the Android system to give the attacker full root access to the device and the ability to execute commands remotely.
The malware can be distributed via spam messages. Once executed, it begins to penetrate the system by seeking root access and an Internet connection. Once connected, the Trojan downloads the facebook.com page and extracts files from it that serve as a decryption key, and only then takes action and distorts the behavior of the device.
The first step upon execution is to send all the information the cybercriminal requires (MAC address, operator, phone number, IMEI and local time). After that, the following actions become possible:
- Send a text message from the victim's device. Parameters contain the number and text. Replies are deleted.
- Receive the account balance via USSD.
- Act as a proxy (send specified data to a specified address and relay the response).
- Connect to a specified address (clicker).
- Download a file from the server and install it.
- Send a list of applications installed on the smartphone to the server.
- Send information about an installed application specified by the C&C server.
- Send the user's contact data to the server.
- Remote shell: execute commands in the console, as specified by the cybercriminal.
- Send a file to all detected Bluetooth devices.
According to the researchers, the new Trojan accounts for only 0.15% of the total number of smartphone infections, but the techniques used are very similar to those of Windows malware, and they call it the most sophisticated Android Trojan to date.