Saturday, December 24, 2011

Arspam AlSalah - Android malware (Middle East hacktivism - spammer)


Name:              Arspam AlSalah.apk
MD5:               E7584031896CB9485D487C355BA5E545
Sample Credits:    with many thanks to Sanjay Gupta and his friends for sharing, December 24, 2011
Research:
  Symantec: Android.Arspam
  Hacktivism goes mobile with Android.Arspam by Stilgherrian

Download - password: infected

File name: Alsalah.apk
VirusTotal: 2011-12-24 15:15:18 (UTC)
Detection: 3/43 (7.0%)
Fortinet    4.3.388.0        2011.12.24    Android/Arspam.A!tr
PCTools     8.0.0.5          2011.12.24    Android.Arspam
Symantec    20111.2.0.82     2011.12.24    Android.Arspam
Additional information
MD5: e7584031896cb9485d487c355ba5e545

According to Symantec, it can do the following:
Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:

  • Access location information, such as Cell-ID or WiFi.
  • Access location information, such as GPS information.
  • Access information about networks.
  • Access information about the WiFi state.
  • Collect battery statistics.
  • Discover and pair with Bluetooth devices.
  • Disable the device.
  • Broadcast that a package has been removed.
  • Broadcast an SMS receipt notification.
  • Initiate a phone call without using the Phone UI or requiring confirmation from the user.
  • Call any number, without going through the Dialer UI.
  • Access the camera.
  • Change network connectivity state.
  • Change the WiFi state.
  • Clear the cache of all installed applications.
  • Clear user data.
  • Enable or disable location updates from the radio.
  • Delete packages.
  • Allow access to low-level power management.
  • Access diagnostic resources.
  • Allow applications to disable the keyguard.
  • Expand and collapse the status bar.
  • Run as the root user.
  • Access the flashlight.
  • Access hardware peripherals.
  • Inject user events (such as key presses) into a series of events.
  • Install packages.
  • Open network connections.
  • Modify global audio settings.
  • Change the phone state, such as powering it on and off.
  • Mount, unmount, and format removable file systems on removable storage.
  • Make activities persistent.
  • Monitor, modify, or end outgoing calls.
  • Read the calendar.
  • Read contact data.
  • Take screenshots.
  • Allow access to low-level system logs.
  • Check the phone's current state.
  • Read SMS messages on the device.
  • Reboot the device.
  • Start once the device has finished booting.
  • Monitor incoming MMS messages.
  • Monitor incoming SMS messages.
  • Monitor incoming WAP push notifications.
  • Use the device's mic to record audio.
  • Send SMS messages.
  • Control how activities are started globally on the system.
  • Configure for debugging.
  • Set the rotation of the screen.
  • Set the time zone.
  • Change the background wallpaper and wallpaper hints.
  • Open, close, and disable the status bar.
  • Display system windows.
  • Make the phone vibrate.
  • Prevent processor from sleeping or screen from dimming.
  • Allow applications to write the APN settings.
  • Write to the calendar.
  • Create new contact data.
  • Write to external storage devices.
  • Read or write to the system settings.
  • Create new SMS messages.

Functionality
The Trojan will gather the contacts on the compromised device and send each contact one of the following URLs:

  • [http://]www.dhofaralaezz.com/vb/showthr[REMOVED]
  • [http://]www.i7sastok.com/vb/showthr[REMOVED]
  • [http://]www.dmahgareb.com/vb/showthr[REMOVED]
  • [http://]mafia.clubme.net/t2139[REMOVED]
  • [http://]www.4pal.net/vb/showthr[REMOVED]
  • [http://]www.howwari.com/vb/showthr[REMOVED]
  • [http://]forum.te3p.com/46461[REMOVED]
  • [http://]www.htoof.com/vb/t18739[REMOVED]
  • [http://]vb.roooo3.com/showthr[REMOVED]
  • [http://]www.alsa7ab.com/vb/showthr[REMOVED]
  • [http://]www.riyadhmoon.com/vb/showthr[REMOVED]
  • [http://]forum.althuibi.com/showthr[REMOVED]
  • [http://]www.2wx2.com/vb/showthr[REMOVED]
  • [http://]www.mdmak.com/vb/showpo[REMOVED]
  • [http://]www.too-8.com/vb/showthr[REMOVED]
  • [http://]www.3z1z.com/vb/showthr[REMOVED]
  • [http://]www.w32w.com/vb/showpo[REMOVED]
  • [http://]forum.65man.com/65man33[REMOVED]

If the device's SIM card is from Bahrain, it will download the following file:
[http://]www.alwasatnews.com/data/2011/3382/BICIrepo[REMOVED]
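The permission list and the functionality description above together describe a recognisable static pattern: an app that can read the contact list, send SMS, and start itself at boot, and that fetches a payload over the network. The script below is an added triage example, written for this post and not code from Symantec or from the sample; it parses a decoded AndroidManifest.xml, maps the declared permissions to the behaviours the write-up describes (the mapping of behaviour names to android.permission.* constants is my own, and whether a SIM-country check needs READ_PHONE_STATE is an assumption), flags the contacts-plus-SMS core of the spammer pattern, and compares a file's MD5 against the hash listed on this page. The manifest embedded in it is constructed for illustration and is not the real Arspam manifest.

```python
"""Static triage for the contact-harvesting SMS-spammer pattern described in the
Android.Arspam write-up. Added example; not the blog's or Symantec's code."""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# MD5 of the sample as listed on the page (hypothetical use: match a file on disk).
LISTED_MD5 = "e7584031896cb9485d487c355ba5e545"

# Constructed sample manifest (NOT the real Arspam manifest). Assumption: a real
# APK would first be decoded with apktool or aapt so the XML is readable.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed benign manifest for contrast: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# My own mapping of the behaviours the write-up describes to the permissions
# that enable them; "read-sim-and-phone-state" for the SIM-country branch is an
# assumption, since the page does not name the API the sample uses.
BEHAVIOUR_RULES = {
    "harvest-contacts": {"android.permission.READ_CONTACTS"},
    "send-sms": {"android.permission.SEND_SMS"},
    "start-on-boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "download-payload": {"android.permission.INTERNET"},
    "read-sim-and-phone-state": {"android.permission.READ_PHONE_STATE"},
}

# The minimum combination that makes "read every contact, SMS each a URL" possible.
SPAMMER_CORE = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}


def declared_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}


def matched_behaviours(perms):
    """Behaviours whose required permissions are all declared, sorted by name."""
    return sorted(name for name, needed in BEHAVIOUR_RULES.items() if needed <= perms)


def is_contact_sms_spammer(perms):
    """True when the app can both enumerate contacts and send SMS."""
    return SPAMMER_CORE <= perms


def md5_hex(data):
    """Lowercase hex MD5, the form VirusTotal and the page use."""
    return hashlib.md5(data).hexdigest()


def matches_listed_sample(data):
    """Compare raw file bytes against the MD5 published on the page."""
    return md5_hex(data) == LISTED_MD5


def triage_report(manifest_xml):
    perms = declared_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "behaviours": matched_behaviours(perms),
        "spammer_pattern": is_contact_sms_spammer(perms),
    }


if __name__ == "__main__":
    for label, manifest in (("constructed sample", SAMPLE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        report = triage_report(manifest)
        print(label, "->", "FLAG" if report["spammer_pattern"] else "ok",
              report["behaviours"])
```

On a real triage workflow the manifest string would come from the decoded APK and the bytes passed to matches_listed_sample from the file itself; the permission check is deliberately narrow (contacts plus SMS) because the remaining permissions in the Symantec list are individually common in legitimate apps and only become suspicious in this combination.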