Android.Titan.1

Added to the Dr.Web virus database: 2015-03-17

Virus description added:

A Trojan infecting Android mobile devices. It is intended to send SMS messages and make phone calls covertly, as well as to collect all sorts of confidential information. Unlike most Android Trojans, this malware concentrates all its malicious features in a special Unix library while the Android.Titan.1 dex file is used as an auxiliary component. Once Android.Titan.1 is installed on the target device, it creates a shortcut on the home screen and waits for the user to launch it.


After it is launched by the owner of the infected Android device, the Trojan removes its previously created icon. It also removes the last SMS dialogue stored in the device memory and starts the com/Titanium/Synchronous/praesunt malicious service. Later launches of Android.Titan.1 are performed automatically at each startup.

Once successfully started, com/Titanium/Synchronous/praesunt starts the com/Titanium/Synchronous/adipiscing service, which in turn can perform the following features:

  • «MAINSTART»
  • «MSGUPLOAD»
  • «SCRUPLOAD»
  • «VOCUPLOAD»

The “MAINSTART” feature

Restarts com/Titanium/Synchronous/praesunt cyclically, keeping the Trojan permanently active. In addition, this feature checks which application is the default SMS manager and, if it is not Android.Titan.1, tries to make the Trojan the default manager using the standard android.provider.Telephony.ACTION_CHANGE_DEFAULT system function.

It also sends the following information about the compromised mobile device to the command and control server:

  • OS version
  • User's mobile number
  • Data on network connection
  • MAC address
  • IMEI
  • IMSI

In return, the server can send commands to:

  • Start the com/Titanium/Synchronous/desine service that searches for and kills all processes related to the com.kakao.talk application
  • Start the com/Titanium/Synchronous/factum service that spoofs phone numbers in the phone book
  • Change the device's ringer mode (silent, vibration or normal) and set the ringer volume level
  • Start the com/Titanium/Synchronous/factum service that sends SMS messages to a specified number
  • Start the com/Titanium/Synchronous/factum service that calls a specified number (during the call, the screen of the device stays inactive, as in standby mode)
  • Send the information stored in the contact list (names and corresponding phone numbers) to the server
  • Start the com/Titanium/Magister/posursum service that displays a specified text and accompanying images in the notification bar

The “MSGUPLOAD” feature

Collects information about all inbound SMS messages (sender, date and time of sending) and uploads the collected information to the command and control server. If a connection to the server cannot be established, the information is stored in a local database and sent later.

The “SCRUPLOAD” feature

Monitors the status of the device's screen (active or standby mode) and sends this data to the server.

The “VOCUPLOAD” feature

Collects information about the user's calls and sends this data to the server.

The com.Titanium.Accipite.pipeline service

Starts in the following cases:

  • When an SMS is received. In this case, the service checks inbound messages and hides some parts of them (according to the Trojan's settings) from the user. The information about all inbound SMS messages is sent to the command and control server using the "MSGUPLOAD" feature.
  • When the operating system is loaded. In this case, the service activates the Trojan's main service using the "MAINSTART" feature.
  • Every minute, the Trojan monitors the device's status and checks whether the user is on a call. If so, the call is recorded to an amr file placed in the Android.Titan.1 working directory. The file is then sent to the server by the com/Titanium/Synchronous/adipiscing service with the "VOCUPLOAD" parameter. In the same manner, the screen's status is monitored and the collected information is sent to the server using the "SCRUPLOAD" feature.

The Trojan is able to block certain calls and automatically answer calls. In addition, the related information about the phone conversations is removed from the system logs.
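The component names listed in this description can serve as a triage check against a decoded AndroidManifest.xml. The following is an added example, not part of the original description or of any Dr.Web tool; the sample manifest, its package name `com.Titanium` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Component names exactly as written in the description above.
TITAN_COMPONENTS = [
    "com/Titanium/Synchronous/praesunt",
    "com/Titanium/Synchronous/adipiscing",
    "com/Titanium/Synchronous/desine",
    "com/Titanium/Synchronous/factum",
    "com/Titanium/Magister/posursum",
    "com.Titanium.Accipite.pipeline",
]
# The page mixes slash and dot notation; compare in dot form.
KNOWN = {name.replace("/", ".") for name in TITAN_COMPONENTS}

def resolve(package, name):
    """Expand manifest shorthand (".Foo" or "Foo") to a full class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def match_manifest(manifest_xml):
    """Return sorted (tag, class) pairs for declared components in KNOWN."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for tag in ("service", "receiver", "activity", "provider"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name and resolve(package, name.strip()) in KNOWN:
                hits.append((tag, resolve(package, name.strip())))
    return sorted(hits)

# Constructed sample manifest; the package name is an assumption.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.Titanium">
  <application>
    <service android:name=".Synchronous.praesunt"/>
    <service android:name="com.Titanium.Synchronous.adipiscing"/>
    <receiver android:name=".Accipite.pipeline"/>
    <service android:name=".Settings.benign"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, cls in match_manifest(SAMPLE):
        print(f"{tag}: {cls}")
```

A class-name match is only a triage signal, since a repackaged variant can rename its components.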

Curing recommendations


Android

  1. If your mobile device is operating normally, download and install the free anti-virus product Dr.Web for Android Light on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how to do this, consult the device's documentation or contact the manufacturer);
    • then download and install the free anti-virus product Dr.Web for Android Light on the infected device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • unplug your device and plug it back in.
