Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Android.Cynos.7.origin

Added to the Dr.Web virus database: 2021-03-26

Virus description added:

  • SHA1 hash: cfc35d28dad612e515a5f90a91fc7b33bcf7d7d6

Description

Android.Cynos.7.origin is the detection name for one of the versions of the Cynos software modules. They can be embedded into Android apps to monetize them. This modification’s main functionality is to collect information about users and their mobile devices and display ads.

Operating routine

Upon launching the application containing the Android.Cynos.7.origin module, it asks the user for permission to make and manage phone calls. This permission allows the trojan to gain access to the information about the user’s mobile phone number:

#drweb

Android.Cynos.7.origin randomly selects one of the C&C servers listed below and connects to it:

  • hxxp://dns1[.]sdkbalance[.]com
  • hxxp://dns2[.]sdkbalance[.]com
  • hxxp://dns3[.]sdkbalance[.]com

In response, the module receives a server address to send the collected data to, and from which it can download the parameters required to display ads. If, for some reason, it is unable to receive the required address, the Android.Cynos.7.origin uses the following addresses hardcoded in the app’s code:

  • hxxp://47[.]92.196.227—a server to transfer the collected data and log events to
  • hxxp://39[.]100.129.237—a server to receive configuration required to display ads

The trojan collects and sends the following information to the server:

  • Mobile operator’s MCC and MNC codes
  • Device location based on GPS coordinates or the mobile network and Wi-Fi access point data (when the application has permission to access location)
  • Mobile operator’s MCC and MNC codes
  • GSM cell ID and GSM location area code (when the application has permission to access location)
  • Device ID generated by the trojanized app (some trojan modifications use the device’s IMEI as its ID; some modifications also send the IMSI code, like SHA1: 8cce3b7c41a185919c4e7735176087b2e503741e)
  • Device model
  • The manufacturer
  • An Android SDK version
  • Screen resolution
  • Internet connection type
  • A CPU name
  • App’s apk file md5 hash
  • App’s version
  • companyID—a parameter from the app’s metadata
  • appID—a parameter from the app’s metadata

Before it sends the data, the trojan receives a public RSA key from the server. It uses a randomly generated key to encrypt the data with the AES algorithm. In turn, this key is encrypted with the public RSA key obtained earlier. Then, the encrypted key is sent to the server in the SecurityKey header of the request with the data.

Along with collecting data, this module’s other function is displaying ads inside the app that contains it. It uses different SDKs to display ads, depending on which app catalog is used to spread apps with Android.Cynos.7.origin. For example, if it's the AppGallery catalog, it uses com.Huawei.hms.ads. It uses com.Vivo.mobilead with the VIVO catalog, and com.Xiaomi.ad with the Mi store catalog. With the GameCenter catalog, it uses com.heytap.mobad.

Indicators of compromise

News about the trojan

Recommandations pour le traitement


Android

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android