Android.Spy.332.origin

Added to the Dr.Web virus database: 2016-11-22

Virus description added:

SHA1

  • cc832d04b6b7fd5f3fcf7265fc2f091a426a3351 – com.adups.fota package
  • 2f01be010f04cd7f7744932b1d30cfbfe000ad09 – com.adups.fota.sysoper package

Android.Spy.332.origin is an application that updates the firmware of Android devices over the air (OTA) and therefore holds extended system privileges and functions. It can covertly download, install and remove software, execute shell commands, and transmit information about free space on the device's internal and external storage as well as the list of installed applications. The program was not originally designed for malicious activity; however, one of its latest versions, which came preinstalled on some smartphones (for example, the BLU R1 HD), started performing Trojan functions. These were implemented in the associated packages com.adups.fota (main package) and com.adups.fota.sysoper (auxiliary package).

Every 72 hours, Android.Spy.332.origin sends the following data to the command and control server:

  • getSmsInPhone – information on the SMS messages stored on the device;
  • getCallLogList – information on the phone calls made;
  • getMessageData – content of SMS messages;
  • getCellIDInfo (getBaseStationId/getCid) – information on the current mobile operator base station;
  • mapNetworkTypeToType ("UNKNOWN"; "GPRS"; "EDGE"; "UMTS"; "CDMA"; "EVDO_0"; "EVDO_A"; "1xRTT"; "HSDPA"; "HSUPA"; "HSPA"; "IDEN"; "EVDO_B"; "LTE"; "EHRPD"; "HSPAP"; "WIFI") – information on the mobile network type;
  • getRomMemroy – information on internal memory space;
  • getRamUsedDetail – information on the amount of RAM;
  • getSDCardMemorySize – information on SD card memory space;
  • isRootSystem – information on whether root privileges are available;
  • querySysAppInfo – information on the installed system applications;
  • queryDataAppInfo – information on the installed user applications;
  • getRunningProcess – information on the running processes;
  • getDfBrowser – information on the current default browser;
  • getDfLauncher – information on the current default launcher (graphical shell);
  • hasShortCut – information on all shortcuts present on the home screen.
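The fixed 72-hour cadence is the most stable network-side indicator the description gives, so the following added example (not part of Dr.Web's description) turns it into detection logic over egress logs. It assumes per-device proxy or flow records with a timestamp, client address, destination host, method and byte count; the log lines are constructed, and the destination host is a placeholder because the description names no server.

```python
"""Flag destinations that receive uploads from one client every ~72 hours."""
from collections import defaultdict
from datetime import datetime, timedelta

BEACON_PERIOD = timedelta(hours=72)
TOLERANCE = timedelta(hours=3)  # allow for scheduler drift and device sleep

# Constructed log excerpt: "<timestamp> <client> <host> <method> <bytes>".
# The C2 host name is a placeholder; the description does not name one.
SAMPLE_LOG = """\
2016-11-01T02:10:05Z 10.0.0.7 update.c2-placeholder.example POST 18342
2016-11-01T09:30:00Z 10.0.0.7 news.example.org GET 4021
2016-11-04T02:12:41Z 10.0.0.7 update.c2-placeholder.example POST 17990
2016-11-05T11:00:13Z 10.0.0.7 news.example.org GET 3877
2016-11-07T02:09:58Z 10.0.0.7 update.c2-placeholder.example POST 18411
2016-11-10T02:14:20Z 10.0.0.7 update.c2-placeholder.example POST 18105
2016-11-10T02:14:20Z 10.0.0.9 news.example.org GET 3877
"""


def parse_log(text):
    """Yield (timestamp, client, host, method, bytes) from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], parts[3], int(parts[4])


def find_periodic_uploads(text, period=BEACON_PERIOD, tolerance=TOLERANCE, min_hits=3):
    """Return {(client, host): n} where n is the number of consecutive POST gaps
    that fall within `tolerance` of `period`; only pairs with at least
    `min_hits` uploads on that rhythm are reported."""
    times = defaultdict(list)
    for ts, client, host, method, _ in parse_log(text):
        if method == "POST":
            times[(client, host)].append(ts)
    findings = {}
    for key, stamps in times.items():
        stamps.sort()
        periodic = sum(
            1 for a, b in zip(stamps, stamps[1:]) if abs((b - a) - period) <= tolerance
        )
        if periodic + 1 >= min_hits:
            findings[key] = periodic
    return findings


if __name__ == "__main__":
    for (client, host), gaps in find_periodic_uploads(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {gaps} consecutive ~72h upload gaps")
```

Only POST traffic is considered because the uploads carry a zip archive; the tolerance is deliberately wide, since an OTA agent on a phone will miss its slot when the device is off or offline, and you should widen it further if your devices sleep for long periods.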

To collect data on SMS messages and phone calls, the main module of Android.Spy.332.origin queries the auxiliary module, which registers a content provider under the authority com.ad.dinfo. The auxiliary module exposes the data through content://com.ad.dinfo/msg, and the main module thereby gains access to all SMS messages (content://sms). Using the same technique, the Trojan also gains access to the call history.
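The package names, SHA1 hashes and the com.ad.dinfo provider authority above are the indicators a responder can check on a device. The following added example (not Dr.Web's tooling) does that triage: it assumes you have pulled `pm list packages -f` output and decoded manifests (for example with apktool) from the device, and that APK hashes were computed from the pulled files; all inputs below are constructed, and the known sample hash is plugged in directly to show a match.

```python
"""Match installed packages against the Android.Spy.332.origin indicators."""
import hashlib
import xml.etree.ElementTree as ET

# Indicators taken from the description above.
KNOWN_SHA1 = {
    "cc832d04b6b7fd5f3fcf7265fc2f091a426a3351": "com.adups.fota",
    "2f01be010f04cd7f7744932b1d30cfbfe000ad09": "com.adups.fota.sysoper",
}
KNOWN_PACKAGES = set(KNOWN_SHA1.values())
KNOWN_AUTHORITIES = {"com.ad.dinfo"}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def parse_pm_list(text):
    """Parse `pm list packages -f` lines of the form 'package:<apk path>=<name>'."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, pkg = line[len("package:"):].rpartition("=")
        result[pkg] = path
    return result


def sha1_hex(data):
    """SHA1 of raw APK bytes, for comparison with the hashes listed above."""
    return hashlib.sha1(data).hexdigest()


def provider_authorities(manifest_xml):
    """Collect android:authorities of every <provider> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    authorities = set()
    for provider in root.iter("provider"):
        value = provider.get(ANDROID_NS + "authorities", "")
        authorities.update(a for a in value.split(";") if a)
    return authorities


def triage(pm_output, apk_hashes, manifests):
    """Return {package: {"apk": path, "reasons": [...]}} for every indicator hit."""
    findings = {}
    for pkg, path in parse_pm_list(pm_output).items():
        reasons = []
        if pkg in KNOWN_PACKAGES:
            reasons.append("package name listed in the description")
        digest = (apk_hashes.get(pkg) or "").lower()
        if digest in KNOWN_SHA1:
            reasons.append("APK SHA1 matches the %s sample" % KNOWN_SHA1[digest])
        hit = provider_authorities(manifests.get(pkg, "<manifest/>")) & KNOWN_AUTHORITIES
        if hit:
            reasons.append("declares content provider authority " + ", ".join(sorted(hit)))
        if reasons:
            findings[pkg] = {"apk": path, "reasons": reasons}
    return findings


# Constructed inputs standing in for data pulled from a device.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Fota/Fota.apk=com.adups.fota
package:/system/app/FotaSysOper/FotaSysOper.apk=com.adups.fota.sysoper
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""
SAMPLE_MANIFESTS = {
    "com.adups.fota.sysoper": (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.adups.fota.sysoper"><application>'
        '<provider android:name=".DataProvider" android:authorities="com.ad.dinfo" '
        'android:exported="true"/></application></manifest>'
    ),
}
# Normally sha1_hex(open(path, "rb").read()) per APK; the known hash is used here.
SAMPLE_HASHES = {
    "com.adups.fota": "cc832d04b6b7fd5f3fcf7265fc2f091a426a3351",
    "com.example.notes": sha1_hex(b"constructed benign apk bytes"),
}

if __name__ == "__main__":
    for pkg, finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_HASHES, SAMPLE_MANIFESTS).items():
        print(pkg, finding["apk"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A package-name hit alone is weak evidence, since ADUPS ships benign builds of the same agent; the hash match and the exported com.ad.dinfo provider are what distinguish the build described here.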

All information collected by the Trojan is saved to SQLite-like databases, which are then converted to JSON, written to a single directory, and sent to the remote server as a zip archive. Before transfer, the data is first encoded with Base64 and then encrypted with DES.

The Trojan sends data in the following format:

  • DcMobileStatus.json – {cell, apn, romused, ramused, builtinsdused, scused, root, dctime} – general information about the mobile device;
  • DcApp.json – {systemapps, dataapps, appused, dflauncher, dfbrowser, desktopshortcut, dctime} – information about the installed applications;
  • DcTellMessage.json – {tells, messages, dctime} – information about phone calls and the list of contacts involved in SMS messaging;
  • DcAppOp.json – {packagename, op, optime} – history of application installs and removals;
  • dc_app_flow.json – {appname, pkg_name, flow, dctime} – amount of data sent and received by applications since the system booted;
  • dc_msg_key.json – {tell, md5, msg_type, dc_type, keyword, msg_date, dc_date} – information about SMS messages, including their content;
  • DcRootInfo.json – {bin, xbin} – information about all files located in the system directories system/bin and system/xbin.
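When such an archive is recovered from a device or from network capture, the first question for an incident responder is which of these files are present and whether user-private data (calls, SMS) was among them. The following added example (not Dr.Web's code) inventories an archive against the layout above. It assumes the zip has already been recovered in plaintext, i.e. after undoing the DES and Base64 layers, which requires the sample's key and is outside this example; since the description lists field names but not the top-level JSON shape, each file is accepted as either one object or a list of objects. The archive used below is built in memory with invented values.

```python
"""Inventory an Android.Spy.332.origin-style JSON bundle against the documented layout."""
import io
import json
import zipfile

# File names and field sets as listed in the description above.
BUNDLE_SCHEMA = {
    "DcMobileStatus.json": {"cell", "apn", "romused", "ramused",
                            "builtinsdused", "scused", "root", "dctime"},
    "DcApp.json": {"systemapps", "dataapps", "appused", "dflauncher",
                   "dfbrowser", "desktopshortcut", "dctime"},
    "DcTellMessage.json": {"tells", "messages", "dctime"},
    "DcAppOp.json": {"packagename", "op", "optime"},
    "dc_app_flow.json": {"appname", "pkg_name", "flow", "dctime"},
    "dc_msg_key.json": {"tell", "md5", "msg_type", "dc_type",
                        "keyword", "msg_date", "dc_date"},
    "DcRootInfo.json": {"bin", "xbin"},
}
# Files whose presence means user-private data, not just device metadata, left the phone.
PERSONAL_DATA_FILES = {"DcTellMessage.json", "dc_msg_key.json"}


def _records(obj):
    """Assumed shape: one JSON object or a list of them (the description gives only field names)."""
    if isinstance(obj, dict):
        return [obj]
    if isinstance(obj, list):
        return [r for r in obj if isinstance(r, dict)]
    return []


def inventory_bundle(zip_bytes):
    """Summarise known files (record counts, field mismatches), unknown files, and
    whether any personal-data file carried records."""
    report = {"known": {}, "unknown": [], "personal_data": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if base not in BUNDLE_SCHEMA:
                report["unknown"].append(name)
                continue
            try:
                records = _records(json.loads(zf.read(name).decode("utf-8")))
            except (ValueError, UnicodeDecodeError):
                report["known"][base] = {"records": 0, "error": "not valid JSON"}
                continue
            seen = set().union(*(r.keys() for r in records)) if records else set()
            report["known"][base] = {
                "records": len(records),
                "missing_fields": sorted(BUNDLE_SCHEMA[base] - seen),
                "extra_fields": sorted(seen - BUNDLE_SCHEMA[base]),
            }
            if base in PERSONAL_DATA_FILES and records:
                report["personal_data"] = True
    return report


def build_sample_bundle():
    """Constructed archive with invented values in the layout the description gives."""
    files = {
        "DcMobileStatus.json": {"cell": "0", "apn": "internet", "romused": "1024",
                                "ramused": "512", "builtinsdused": "0", "scused": "0",
                                "root": "0", "dctime": "0"},
        "dc_msg_key.json": [{"tell": "+10000000000", "md5": "0" * 32, "msg_type": "1",
                             "dc_type": "1", "keyword": "", "msg_date": "0", "dc_date": "0"}],
        "DcRootInfo.json": {"bin": ["sh"]},  # xbin deliberately missing
        "notes.txt": "not part of the described layout",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content if isinstance(content, str) else json.dumps(content))
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inventory_bundle(build_sample_bundle()), indent=2))
```

The field-mismatch lists are useful beyond this one sample: a later build of the agent that adds or renames fields shows up as extra or missing fields rather than silently parsing as the known layout.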

Curing recommendations


Android

  1. If your mobile device is operating normally, download and install the free Dr.Web for Android Light antivirus product on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand appears on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install the free Dr.Web for Android Light antivirus product on the infected device, run a full scan, and follow the recommendations for neutralising the detected threats;
    • disconnect your device and reconnect it.

Learn more about Dr.Web for Android