Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Android.DownLoader.1049.origin

Added to the Dr.Web virus database: 2021-10-22

Virus description added:

SHA1 hash:

  • 7c7b9db22cb09f85371a41a2bce6f730b1fce5d9 (libcore.jar)

Dwscription

A trojan module that malicious actors embed into Android apps. For example, it was found in the firmware updating system app of the Elari Kidphone 4G smart watch. The trojan is used to collect and send a large amount of information about Android devices and their users to the C&C server. It can also download various files upon the C&C server command.

Operating routine

The module represents a libcore.jar file that is encrypted and stored in the application package of the main app. When the device is turned on for the first time, the trojan code (Android.DownLoader.3894) that is embedded into this app decrypts and launches the module. After that, whenever the device is powered on, as well as when the network connectivity is changed, the module is launched automatically.

Upon its launch, the Android.DownLoader.1049.origin connects to the C&C server at hxxps://g[.]sinfoon[.]com:40081/pull with set time intervals. By default, the connection interval is 8 hours but it can be changed with the corresponding server command.

Upon successful connection, the trojan sends a request with the data to the C&C server. The transferred data is packed with GZIP and can include:

  • version—trojan module version
  • session—a 02 constant
  • timestamp—current time
  • utdid—a unique UserTrack Device Identity
  • appid—a RSOTA_APP_ID value from the app’s metadata
  • channel—a RSOTA_CHANNEL_ID value from the app’s metadata
  • man—device manufacturer
  • mod—device model
  • board—device circuit board name
  • imei1—IMEI ID for a GSM device
  • imei2—IMEI ID for a GSM device
  • meid—MEID or ESN ID for a CDMA device
  • osv—an OS version installed on the device
  • carrier1—a unique IMSI ID of the mobile operator subscriber
  • carrier2—a unique IMSI ID of the mobile operator subscriber
  • stubver—a 1.0 constant
  • implver—a 2 constant

In response, the trojan can receive the following commands and parameters:

  • profile—to change general settings:
    • pulse—to change the frequency of requests to connect to the C&C server
    • enable—to disable the trojan module
  • configlist—to change configuration parameters:
    • configtype
    • typeenable
    • captureinterval
    • reportinterval
  • updd—to download the specified file. Possible parameters are:
    • taskid
    • version
    • objecturi
    • objectsize
    • icv

The trojan informs the C&C server about tasks execution results at hxxps://g[.]sinfoon[.]com:40081/result.

Device information transmission

During its operation, the Android.DownLoader.1049.origin sends a large amount of data to the C&C server at hxxps://g[.]sinfoon[.]com:40081/data:

  • version—the trojan module version
  • session—an 02 constant
  • utdid—a unique UserTrack Device Identity
  • appid—a RSOTA_APP_ID value from the app’s metadata
  • channel—a RSOTA_CHANNEL_ID value from the app’s metadata
  • man—device manufacturer
  • mod—device model
  • board—device circuit board name
  • imei1—IMEI ID for a GSM device
  • imei2—IMEI ID for a GSM device
  • meid—MEID or ESN ID for a CDMA device
  • os—an OS installed on the device
  • osv—an OS version installed on the device
  • carrier1—a unique IMSI ID of the mobile operator subscriber
  • carrier2—a unique IMSI ID of the mobile operator subscriber

As well as:

  • appappinfo—the information about installed apps:
    • pkg—app’s package name
    • name—app’s name
    • apver—app’s version
    • instts—app’s installation date
    • usenum—the number of app’s launches
    • usedur—the amount of time the app was used
    • power—used battery charge
    • opents—app’s last launching time
  • dev_id—user IDs:
    • dpid—Google Play Services Android ID
    • mac—a MAC address
    • phoneno—a mobile phone number
    • iccid1—SIM card ID
    • iccid2—SIM card ID
    • imsi1—a unique mobile operator subscriber ID
    • imsi2—a unique mobile operator subscriber ID
  • dev_hw—general device hardware specifications:
    • devtype—device type
    • hwv—hardware name
    • resolution—screen resolution
    • lang—default operating system language
  • dev_behavior—device usage statistics:
    • smsnum—the number of SMS
    • contactsnum—the number of the contacts on the phone book
    • callnum—the number of phone calls
    • traffic—the information about transmitting network traffic:
      • totalrx—the amount of incoming traffic
      • totaltx—the amount of sent traffic
  • dev_loc—geolocation data:
    • gps—the location based on the GPS data
    • cell—the location based on cellular data
  • dev_capa—device hardware usage statistics:
    • romusage—the amount of free internal storage
    • ramusage—the amount of free RAM
    • screenlight—screen brightness level
    • conntype—network connection type
    • batterylevel—battery charge level
    • chargecount—battery charge cycles count
    • dischargecur—battery discharge current
    • fgu—battery parameters (for devices based on the Spreadtrum CPUs)
    • runtime—a total operating time of the device since the last power-on
    • process—processes information:
      • psn—process name
      • bts—process start time
      • ets—process end time
    • cputemper—CPU temperature
    • cpuusage—CPU usage statistics:
      • cpuid—a CPU ID
      • rate—a CPU load
      • freq—a CPU frequency
    • signal—the information about the mobile network:
      • networktype—a network connection type
      • strength—a level of the network signal
    • sensor—the information about device sensors:
      • sensortype—sensor type
      • sensorstatus—if sensor is enabled
    • wcn—if Bluetooth, Wi-Fi or GPS is enabled:
      • wcntype—a transmitter type
      • wcnstatus—the status of the transmitter
    • timestamp—current time
    • boot—time when the device was powered-on

Recommandations pour le traitement


Android

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android