Tuesday, April 21, 2015

Android Trojan Spy goes 2 years undetected



This “special” piece of Android Trojan Spy was developed more than two years ago and until now was fully undetected. The first upload of this Trojan to the VirusTotal servers was on April 9th, 2013. It probably will not run properly these days because it targets SDK 15 (Android 4.0.3). The Spy has no launcher icon and starts its malicious activity after receiving a broadcast intent. Afterwards, the gathered personal data are sent to the attacker. The server where the collected information is sent is still active and probably still stores the received data.


Installed malicious Proxy application
Pic 1 Trojan Spy – Proxy


Analysis


Malicious functionality can be triggered by receiving the user present broadcast (device unlock), a connectivity change or an incoming text message. After that, information gathering begins. The malware steals personal data such as messages, call log history, location, received SMS, Wi-Fi status (including SSID), mobile data enabled/disabled status, the IMEI number and even your account user names. These data are stored in a text file together with the malware's own logs (time, current action, exceptions, server response code…) in the primary external storage directory. The gathered information is then sent to a remote server every 30 minutes.
If Wi-Fi is turned off and mobile data are disabled, the malware waits until the screen is turned off, enables mobile data, sends the collected information to the server, deletes the file with the stored information and disables mobile data again. So everything happens without the user's knowledge and unnoticed. The personal data are sent unencrypted, in plaintext, over HTTP.
The server is still alive and, based on its response, it is storing the received data in a database.
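As an added example (not code from the original post or from the sample), here is a Python manifest heuristic that flags the combination described above: no launcher activity, a receiver for the unlock, connectivity and incoming-SMS broadcasts, and the permissions needed to read SMS, call log, location, accounts and IMEI. The manifest it checks is constructed here; the element names are the standard AndroidManifest ones.

```python
# Added example (not code from the original post): a manifest heuristic for the
# traits described above. An app with no launcher activity, a receiver for the
# unlock / connectivity / incoming-SMS broadcasts, and the permissions needed to
# read SMS, call log, location, accounts and IMEI deserves a closer look.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
TRIGGERS = {"android.intent.action.USER_PRESENT",
            "android.net.conn.CONNECTIVITY_CHANGE",
            "android.provider.Telephony.SMS_RECEIVED"}
SPY_PERMS = {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
             "android.permission.READ_PHONE_STATE", "android.permission.GET_ACCOUNTS",
             "android.permission.ACCESS_FINE_LOCATION"}

def names(component, tag):
    """android:name values of all <tag> elements at or below a component."""
    return {e.get(NS + "name") for e in component.iter(tag)}

def assess_manifest(manifest_xml):
    """Return the indicators found plus a combined verdict."""
    root = ET.fromstring(manifest_xml)
    has_launcher = any(
        "android.intent.action.MAIN" in names(a, "action")
        and "android.intent.category.LAUNCHER" in names(a, "category")
        for a in root.iter("activity"))
    triggers = set()
    for rcv in root.iter("receiver"):
        triggers |= names(rcv, "action") & TRIGGERS
    spy = names(root, "uses-permission") & SPY_PERMS
    return {"hidden": not has_launcher,
            "triggers": sorted(triggers),
            "spy_permissions": sorted(spy),
            "suspicious": not has_launcher and bool(triggers) and len(spy) >= 3}

# Constructed manifest (not the real sample's) modelled on the post's description.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Proxy">
    <receiver android:name=".Receiver"><intent-filter>
      <action android:name="android.intent.action.USER_PRESENT"/>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SAMPLE))
```

Run it against a decoded AndroidManifest.xml (for example from apktool output) to get the same verdict for a real app.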


Proxy Trojan communicaton with server
Pic 2 Trojan communication


For obtaining the device location it uses the Google Gears API, which is no longer available, so accessing the location is not possible for it these days. It has implemented functionality for sending log output and, as you can see in Pic 3, the Trojan throws an exception when accessing the location.


Console output for Proxy Trojan
Pic 3 LogCat output


If the user has turned on Google's app verification against potentially harmful applications installed from “Unknown sources”, Google displays a window recommending that the user not install this application.


Google detects app as harmful
Pic 4 Google app verification


Detection rates by antivirus engines on VirusTotal and AndroTotal:


Trojan Proxy is not detected
Pic 5 VirusTotal detection

Trojan Proxy is not detected by AndroTotal
Pic 6 Mobile detection from AndroTotal

Hashes

File type   MD5
APK         D05D3F579295CD5018318072ADF3B83D
DEX         1F27E5B980D71B4C40C9FE6ACCEDE5B2


16 comments:

  1. Replies
    1. You can uninstall it by going to: Settings -> Applications -> Proxy

  2. What about the app named "proxyhandler"?

    1. Proxyhandler should not be the case, you can send it to me I will take a look if you think it is malicious.

  3. I created a ruleset in Koodous to detect more samples related to this malware:
    https://koodous.com/rulesets/688

    import "androguard"

    rule proxy_spy : trojan
    {
        meta:
            description = "This rule detects http://b0n1.blogspot.com.es/2015/04/android-trojan-spy-goes-2-years.html"
            sample = "00341bf1c048956223db2bc080bcf0e9fdf2b764780f85bca77d852010d0ec04"

        condition:
            androguard.permission(/android.permission.SEND_SMS/) and
            androguard.activity(/\.*proxy\.MainActivity/i) and
            androguard.url(/proxylog\.dyndns\.org/)
    }

  4. I found an app called 'Muzoly - Music' installed on my phone this morning. I'd never heard of it before and yet it was installed on the phone during the night. I can't find any other instances of this happening to anyone else. Has my phone been compromised?

    1. I should note it IS in the Google Play Store..

    2. I can't find any 'Muzoly - Music' on the Google Play Store. Can you send me a link to it or the actual application from your device so I can take a closer look? Probably nothing you should worry about..

    3. Here it is:
      https://play.google.com/store/apps/details?id=com.muzoly.vk&hl=en

      Kind of freaked out it would install itself though..

    4. This application is not malicious; maybe you should worry about which app installed this application. I advise you to scan your device for malicious apps.

    5. Yes, that's true. I installed VirusTotal, any other suggestions? Thanks for your help

    6. I would rather install some antivirus solution, not VirusTotal itself. VirusTotal can't determine new malicious apps, only the ones that are already uploaded there. E.g. https://play.google.com/store/apps/details?id=com.eset.ems2.gp

  5. Ah, ok, I'll check that out. Thanks!

  6. Is this everything I should look for if someone is spying on my Android phone?

  7. I have got an app called 'content visual' inside the mobile application manager, but no home screen icon is found. Will it be a Trojan/malware/spyware?
