SHA1 hash:
- 7c7b9db22cb09f85371a41a2bce6f730b1fce5d9 (libcore.jar)
Dwscription
A trojan module that malicious actors embed into Android apps. For example, it was found in the firmware updating system app of the Elari Kidphone 4G smart watch. The trojan is used to collect and send a large amount of information about Android devices and their users to the C&C server. It can also download various files upon the C&C server command.
Operating routine
The module represents a libcore.jar file that is encrypted and stored in the application package of the main app. When the device is turned on for the first time, the trojan code (Android.DownLoader.3894) that is embedded into this app decrypts and launches the module. After that, whenever the device is powered on, as well as when the network connectivity is changed, the module is launched automatically.
Upon its launch, the Android.DownLoader.1049.origin connects to the C&C server at hxxps://g[.]sinfoon[.]com:40081/pull with set time intervals. By default, the connection interval is 8 hours but it can be changed with the corresponding server command.
Upon successful connection, the trojan sends a request with the data to the C&C server. The transferred data is packed with GZIP and can include:
- version—trojan module version
- session—a 02 constant
- timestamp—current time
- utdid—a unique UserTrack Device Identity
- appid—a RSOTA_APP_ID value from the app’s metadata
- channel—a RSOTA_CHANNEL_ID value from the app’s metadata
- man—device manufacturer
- mod—device model
- board—device circuit board name
- imei1—IMEI ID for a GSM device
- imei2—IMEI ID for a GSM device
- meid—MEID or ESN ID for a CDMA device
- osv—an OS version installed on the device
- carrier1—a unique IMSI ID of the mobile operator subscriber
- carrier2—a unique IMSI ID of the mobile operator subscriber
- stubver—a 1.0 constant
- implver—a 2 constant
In response, the trojan can receive the following commands and parameters:
- profile—to change general settings:
- pulse—to change the frequency of requests to connect to the C&C server
- enable—to disable the trojan module
- configlist—to change configuration parameters:
- configtype
- typeenable
- captureinterval
- reportinterval
- updd—to download the specified file. Possible parameters are:
- taskid
- version
- objecturi
- objectsize
- icv
The trojan informs the C&C server about tasks execution results at hxxps://g[.]sinfoon[.]com:40081/result.
Device information transmission
During its operation, the Android.DownLoader.1049.origin sends a large amount of data to the C&C server at hxxps://g[.]sinfoon[.]com:40081/data:
- version—the trojan module version
- session—an 02 constant
- utdid—a unique UserTrack Device Identity
- appid—a RSOTA_APP_ID value from the app’s metadata
- channel—a RSOTA_CHANNEL_ID value from the app’s metadata
- man—device manufacturer
- mod—device model
- board—device circuit board name
- imei1—IMEI ID for a GSM device
- imei2—IMEI ID for a GSM device
- meid—MEID or ESN ID for a CDMA device
- os—an OS installed on the device
- osv—an OS version installed on the device
- carrier1—a unique IMSI ID of the mobile operator subscriber
- carrier2—a unique IMSI ID of the mobile operator subscriber
As well as:
- app—appinfo—the information about installed apps:
- pkg—app’s package name
- name—app’s name
- apver—app’s version
- instts—app’s installation date
- usenum—the number of app’s launches
- usedur—the amount of time the app was used
- power—used battery charge
- opents—app’s last launching time
- dev_id—user IDs:
- dpid—Google Play Services Android ID
- mac—a MAC address
- phoneno—a mobile phone number
- iccid1—SIM card ID
- iccid2—SIM card ID
- imsi1—a unique mobile operator subscriber ID
- imsi2—a unique mobile operator subscriber ID
- dev_hw—general device hardware specifications:
- devtype—device type
- hwv—hardware name
- resolution—screen resolution
- lang—default operating system language
- dev_behavior—device usage statistics:
- smsnum—the number of SMS
- contactsnum—the number of the contacts on the phone book
- callnum—the number of phone calls
- traffic—the information about transmitting network traffic:
- totalrx—the amount of incoming traffic
- totaltx—the amount of sent traffic
- dev_loc—geolocation data:
- gps—the location based on the GPS data
- cell—the location based on cellular data
- dev_capa—device hardware usage statistics:
- romusage—the amount of free internal storage
- ramusage—the amount of free RAM
- screenlight—screen brightness level
- conntype—network connection type
- batterylevel—battery charge level
- chargecount—battery charge cycles count
- dischargecur—battery discharge current
- fgu—battery parameters (for devices based on the Spreadtrum CPUs)
- runtime—a total operating time of the device since the last power-on
- process—processes information:
- psn—process name
- bts—process start time
- ets—process end time
- cputemper—CPU temperature
- cpuusage—CPU usage statistics:
- cpuid—a CPU ID
- rate—a CPU load
- freq—a CPU frequency
- signal—the information about the mobile network:
- networktype—a network connection type
- strength—a level of the network signal
- sensor—the information about device sensors:
- sensortype—sensor type
- sensorstatus—if sensor is enabled
- wcn—if Bluetooth, Wi-Fi or GPS is enabled:
- wcntype—a transmitter type
- wcnstatus—the status of the transmitter
- timestamp—current time
- boot—time when the device was powered-on
- More details on Android.DownLoader.3894
- News about the trojan