Name: Arspam AlSalah.apk
MD5: E7584031896CB9485D487C355BA5E545
Sample Credits: with many thanks to Sanjay Gupta and his friends for sharing, December 24, 2011
Research: Symantec: Android.Arspam
Hacktivism goes mobile with Android.Arspam by Stilgherrian
Download - password infected
File name: Alsalah.apk
VirusTotal scan (2011-12-24 15:15:18 UTC): 3/43 (7.0%) detections
Fortinet 4.3.388.0 2011.12.24 Android/Arspam.A!tr
PCTools 8.0.0.5 2011.12.24 Android.Arspam
Symantec 20111.2.0.82 2011.12.24 Android.Arspam
Additional information
MD5 : e7584031896cb9485d487c355ba5e545
According to Symantec, it can do the following:
Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access location information, such as Cell-ID or WiFi.
- Access location information, such as GPS information.
- Access information about networks.
- Access information about the WiFi state.
- Collect battery statistics.
- Discover and pair with Bluetooth devices.
- Disable the device.
- Broadcast that a package has been removed.
- Broadcast an SMS receipt notification.
- Initiate a phone call without using the Phone UI or requiring confirmation from the user.
- Call any number, without going through the Dialer UI.
- Access the camera.
- Change network connectivity state.
- Change the WiFi state.
- Clear the cache of all installed applications.
- Clear user data.
- Enable or disable location updates from the radio.
- Delete packages.
- Allow access to low-level power management.
- Access diagnostic resources.
- Disable the keyguard.
- Expand and collapse the status bar.
- Run as the root user.
- Access the flashlight.
- Access hardware peripherals.
- Inject user events (such as key presses) into a series of events.
- Install packages.
- Open network connections.
- Modify global audio settings.
- Change the phone state, such as powering it on and off.
- Mount, unmount, and format removable file systems on removable storage.
- Make activities persistent.
- Monitor, modify, or end outgoing calls.
- Read the calendar.
- Read contact data.
- Take screenshots.
- Allow access to low-level system logs.
- Check the phone's current state.
- Read SMS messages on the device.
- Reboot the device.
- Start once the device has finished booting.
- Monitor incoming MMS messages.
- Monitor incoming SMS messages.
- Monitor incoming WAP push notifications.
- Use the device's mic to record audio.
- Send SMS messages.
- Control how activities are started globally on the system.
- Configure for debugging.
- Set the rotation of the screen.
- Set the time zone.
- Change the background wallpaper and wallpaper hints.
- Open, close, and disable the status bar.
- Display system windows.
- Make the phone vibrate.
- Prevent the processor from sleeping or the screen from dimming.
- Write the APN settings.
- Write to the calendar.
- Create new contact data.
- Write to external storage devices.
- Read or write to the system settings.
- Create new SMS messages.
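The permission list above is what a triage script sees first when it opens the APK's AndroidManifest.xml. The following is an added example (not code from the page, Symantec, or the sample) that extracts the uses-permission entries from a manifest, buckets them into the capability classes the writeup describes, and flags the contacts-plus-SMS combination that the "message every contact" behaviour needs. The grouping of real Android permission identifiers into classes is this example's own assumption, since the page names capabilities rather than identifiers, and the embedded manifest and package name are constructed placeholders.

```python
"""Permission-set triage for an Android manifest (added example, not from the page)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
P = "android.permission."

# Assumed grouping of real Android permission identifiers into the capability
# classes named in the Symantec description (the page lists capabilities only).
CAPABILITY_GROUPS = {
    "messaging": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS", P + "WRITE_SMS",
                  P + "RECEIVE_MMS", P + "RECEIVE_WAP_PUSH"},
    "contacts_pim": {P + "READ_CONTACTS", P + "WRITE_CONTACTS",
                     P + "READ_CALENDAR", P + "WRITE_CALENDAR"},
    "telephony": {P + "CALL_PHONE", P + "CALL_PRIVILEGED", P + "PROCESS_OUTGOING_CALLS",
                  P + "READ_PHONE_STATE", P + "MODIFY_PHONE_STATE", P + "WRITE_APN_SETTINGS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "surveillance": {P + "RECORD_AUDIO", P + "CAMERA", P + "READ_LOGS"},
    "persistence": {P + "RECEIVE_BOOT_COMPLETED", P + "INSTALL_PACKAGES",
                    P + "DELETE_PACKAGES", P + "PERSISTENT_ACTIVITY"},
    "network": {P + "INTERNET", P + "ACCESS_NETWORK_STATE", P + "CHANGE_NETWORK_STATE",
                P + "ACCESS_WIFI_STATE", P + "CHANGE_WIFI_STATE"},
}

# Constructed manifest modelled on the capabilities in the writeup; the package
# name is a placeholder, not the sample's real one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed benign counterpart: a typical online-only app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""


def extract_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}
    return {n for n in names if n}


def triage(permissions):
    """Bucket permissions by capability class; unknown ones go to a separate set."""
    groups = defaultdict(set)
    unclassified = set()
    for perm in permissions:
        for group, members in CAPABILITY_GROUPS.items():
            if perm in members:
                groups[group].add(perm)
                break
        else:
            unclassified.add(perm)
    return dict(groups), unclassified


def arspam_like(groups):
    """True when the app can both read the contact list and send SMS, the
    pair of capabilities the described contact-spamming behaviour requires."""
    return (P + "READ_CONTACTS" in groups.get("contacts_pim", set())
            and P + "SEND_SMS" in groups.get("messaging", set()))


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        groups, other = triage(extract_permissions(manifest))
        print("%s: %d capability classes, contacts+SMS=%s" % (label, len(groups), arspam_like(groups)))
        for group in sorted(groups):
            print("  %-13s %s" % (group, ", ".join(sorted(p[len(P):] for p in groups[group]))))
        if other:
            print("  unclassified:", ", ".join(sorted(other)))
```

The class count is deliberately coarse: an app touching messaging, contacts, telephony, location, surveillance, persistence and network at once is unusual enough to warrant a manual look regardless of which single permission triggered the rule.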
Functionality
The Trojan will gather the contacts on the compromised device and send one of the following URLs to each of them:
- [http://]www.dhofaralaezz.com/vb/showthr[REMOVED]
- [http://]www.i7sastok.com/vb/showthr[REMOVED]
- [http://]www.dmahgareb.com/vb/showthr[REMOVED]
- [http://]mafia.clubme.net/t2139[REMOVED]
- [http://]www.4pal.net/vb/showthr[REMOVED]
- [http://]www.howwari.com/vb/showthr[REMOVED]
- [http://]forum.te3p.com/46461[REMOVED]
- [http://]www.htoof.com/vb/t18739[REMOVED]
- [http://]vb.roooo3.com/showthr[REMOVED]
- [http://]www.alsa7ab.com/vb/showthr[REMOVED]
- [http://]www.riyadhmoon.com/vb/showthr[REMOVED]
- [http://]forum.althuibi.com/showthr[REMOVED]
- [http://]www.2wx2.com/vb/showthr[REMOVED]
- [http://]www.mdmak.com/vb/showpo[REMOVED]
- [http://]www.too-8.com/vb/showthr[REMOVED]
- [http://]www.3z1z.com/vb/showthr[REMOVED]
- [http://]www.w32w.com/vb/showpo[REMOVED]
- [http://]forum.65man.com/65man33[REMOVED]
If the device's SIM card is from Bahrain, it will download the following file:
[http://]www.alwasatnews.com/data/2011/3382/BICIrepo[REMOVED]
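The behaviour described under Functionality, one application sending the same link to every contact in quick succession, leaves a recognisable pattern in any outbound-SMS record. The following is an added example (not code from the page or from Symantec) that parses a constructed outbound-SMS log and raises an alert when a single package sends the same URL to at least a threshold number of distinct recipients inside a sliding time window. The log format, package name, phone numbers and URL are all constructed placeholders; a real agent or gateway log would need its own parser.

```python
"""Mass-link SMS detection over an outbound-SMS log (added example, not from the page)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: one outbound SMS per line, in a format this example defines.
# Package, numbers and URL are placeholders, not indicators from the sample.
SAMPLE_LOG = """\
2011-12-24 15:10:01 pkg=com.example.placeholder to=+97300000001 body="see http://forum.example.invalid/showthread?t=1"
2011-12-24 15:10:03 pkg=com.example.placeholder to=+97300000002 body="see http://forum.example.invalid/showthread?t=1"
2011-12-24 15:10:04 pkg=com.android.mms to=+97300000009 body="on my way"
2011-12-24 15:10:06 pkg=com.example.placeholder to=+97300000003 body="see http://forum.example.invalid/showthread?t=1"
2011-12-24 15:10:09 pkg=com.example.placeholder to=+97300000004 body="see http://forum.example.invalid/showthread?t=1"
2011-12-24 15:10:12 pkg=com.example.placeholder to=+97300000005 body="see http://forum.example.invalid/showthread?t=1"
2011-12-24 15:25:00 pkg=com.android.mms to=+97300000010 body="link: http://news.example.invalid/a"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) pkg=(?P<pkg>\S+) to=(?P<to>\S+) body="(?P<body>.*)"$'
)
URL_RE = re.compile(r'https?://\S+')


def parse_sms_log(text):
    """Yield (timestamp, package, recipient, url) for every URL in every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        for url in URL_RE.findall(m.group("body")):
            events.append((ts, m.group("pkg"), m.group("to"), url))
    return events


def find_mass_link_senders(events, min_recipients=5, window=timedelta(minutes=10)):
    """Alert on any (package, url) pair sent to >= min_recipients distinct
    numbers within any window-sized span of time."""
    by_key = defaultdict(list)
    for ts, pkg, to, url in events:
        by_key[(pkg, url)].append((ts, to))

    alerts = []
    for (pkg, url), sends in by_key.items():
        sends.sort()
        best = 0
        j = 0
        # Two-pointer sliding window over the time-sorted sends for this key.
        for i in range(len(sends)):
            while j < len(sends) and sends[j][0] - sends[i][0] <= window:
                j += 1
            distinct = len({to for _, to in sends[i:j]})
            best = max(best, distinct)
        if best >= min_recipients:
            alerts.append({"package": pkg, "url": url, "recipients": best})
    return alerts


if __name__ == "__main__":
    for alert in find_mass_link_senders(parse_sms_log(SAMPLE_LOG)):
        print("mass-link SMS: %(package)s sent %(url)s to %(recipients)d recipients" % alert)
```

Keying on the exact URL keeps ordinary group messages from tripping the rule; the threshold and window should be tuned to the population being monitored, and a carrier-side deployment would additionally want to correlate across devices, since the same link appearing from many handsets is the stronger signal.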