Android Threats Getting Steamy
As seen in recent blog postings, Android malware is on the rise. Android.Pjapps is another example of a Trojan with back door capabilities that targets Android devices. Like previous Android threats, it spreads through trojanized versions of legitimate applications distributed on unregulated third-party Android marketplaces.
We have detected a few applications carrying Android.Pjapps code. One of these applications is Steamy Window. As with other trojanized Android applications, once installed the malicious version is hard to tell apart from the legitimate one. During installation, however, the malicious version gives itself away by the extra permissions it requests, which a screen-effect application has no reason to need. The images below show the installation process of a clean Steamy Window application and a malicious one.
When run, both the legitimate and the malicious versions of the application mimic a steam effect on your Android device's screen. It even lets you wipe it off with your finger, as seen in the image below:
The malicious version, however, adds functionality of its own. The screenshot below shows how the original application's manifest has been changed:
The aim of Android.Pjapps is to build a botnet controlled by a number of different Command and Control (C&C) servers. Among other things, it is able to install applications, navigate to websites, add bookmarks to your browser, send text messages, and optionally block text message responses.
The threat registers its own service so that it can operate in the background without the user noticing. The service is started whenever the signal strength of the infected handset changes, and on start it tries to connect to the following C&C server to register the infection:
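One way to perform the install-time and manifest comparison described above, as an added example that is not part of the original post: the script below parses two decoded AndroidManifest.xml files (the form `apktool d` produces) and reports which permissions, background services and broadcast receivers the suspect build declares beyond the clean one. The two embedded manifests are constructed samples; the package name com.example.steamywindow, the component names and the specific permissions are assumptions chosen to match the capabilities described in this post (SMS sending and blocking, IMEI collection, bookmark creation, a self-registered service), not the actual contents of the Steamy Window app or of Android.Pjapps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS

# Constructed sample manifests for this demonstration. Package, class and
# permission choices are hypothetical, not taken from the real app or Trojan.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.steamywindow">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Steamy Window">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

TROJANIZED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.steamywindow">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <application android:label="Steamy Window">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".sync.CoreService"/>
    <receiver android:name=".sync.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Reviewer's triage list: permissions a screen-effect app should not need,
# with the capability each grants. This mapping is an assumption for the
# example, not something stated in the original post.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "read the IMEI and phone identity",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages (e.g. block replies)",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "add browser bookmarks",
}


def qualify(package, name):
    """Expand a shorthand component name like '.Foo' to its full class name."""
    return package + name if name.startswith(".") else name


def parse_manifest(xml_text):
    """Extract the permission and component sets from a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    info = {"permissions": set(), "services": set(),
            "receivers": set(), "receiver_actions": set()}
    for el in root.iter("uses-permission"):
        info["permissions"].add(el.get(ANDROID_NAME))
    for el in root.iter("service"):
        info["services"].add(qualify(package, el.get(ANDROID_NAME)))
    for el in root.iter("receiver"):
        info["receivers"].add(qualify(package, el.get(ANDROID_NAME)))
        for action in el.iter("action"):
            info["receiver_actions"].add(action.get(ANDROID_NAME))
    return info


def diff_manifests(clean_xml, suspect_xml):
    """Return what the suspect build declares that the clean build does not."""
    clean, suspect = parse_manifest(clean_xml), parse_manifest(suspect_xml)
    return {key: suspect[key] - clean[key] for key in clean}


def triage(diff):
    """Human-readable findings for the added permissions and components."""
    findings = []
    for perm in sorted(diff["permissions"]):
        reason = SUSPICIOUS_PERMISSIONS.get(perm)
        if reason:
            findings.append("added permission %s: can %s" % (perm, reason))
    for svc in sorted(diff["services"]):
        findings.append("added background service %s" % svc)
    for rcv in sorted(diff["receivers"]):
        findings.append("added broadcast receiver %s" % rcv)
    return findings


if __name__ == "__main__":
    for line in triage(diff_manifests(CLEAN_MANIFEST, TROJANIZED_MANIFEST)):
        print(line)
```

In practice, feed it the AndroidManifest.xml from `apktool d` of both APKs instead of the embedded strings. A screen-effect application whose repackaged build suddenly declares SMS and phone-state permissions, a background service, and a receiver for incoming SMS is exactly the profile this post describes, and the permission list is visible to the user on the install screen before anything runs.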
Along with this request, it sends sensitive information obtained from the device, including:
It then waits for a response, and if instructed it sends a text message containing the infected device's IMEI number to a mobile number fetched from the following URL:
This mobile number is presumably controlled by the attacker. Fetching it at run time rather than hard-coding it keeps the number out of the sample itself and lets the attacker change it at any time; in this way the attacker hides his identity within the "cloud".
The malicious service also periodically polls the C&C server at the URL below to pull down commands: