Name: Arspam AlSalah.apk
Sample Credits: with many thanks to Sanjay Gupta and his friends for sharing, December 24, 2011
Research: Symantec: Android.Arspam
Hacktivism goes mobile with Android.Arspam by Stilgherrian
Download - password infected
2011-12-24 15:15:18 (UTC)
3/43 (7.0%)
Fortinet 4.3.388.0 2011.12.24 Android/Arspam.A!tr
PCTools 126.96.36.199 2011.12.24 Android.Arspam
Symantec 20188.8.131.52 2011.12.24 Android.Arspam
MD5 : e7584031896cb9485d487c355ba5e545
According to Symantec, it can do the following:
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access location information, such as Cell-ID or WiFi.
- Access location information, such as GPS information.
- Access information about networks.
- Access information about the WiFi state.
- Collect battery statistics.
- Discover and pair with Bluetooth devices.
- Disable the device.
- Broadcast that a package has been removed.
- Broadcast an SMS receipt notification.
- Initiate a phone call without using the Phone UI or requiring confirmation from the user.
- Call any number, without going through the Dialer UI.
- Access the camera.
- Change network connectivity state.
- Change the WiFi state.
- Clear the cache of all installed applications.
- Clear user data.
- Enable or disable location updates from the radio.
- Delete packages.
- Allow access to low-level power management.
- Access diagnostic resources.
- Allows applications to disable the keyguard.
- Expand and collapse the status bar.
- Run as the root user.
- Access the flashlight.
- Access hardware peripherals.
- Inject user events (such as key presses) into a series of events.
- Install packages.
- Open network connections.
- Modify global audio settings.
- Change the phone state, such as powering it on and off.
- Mount, unmount, and format removable file systems on removable storage.
- Make activities persistent.
- Monitor, modify, or end outgoing calls.
- Read the calendar.
- Read contact data.
- Take screenshots.
- Allow access to low-level system logs.
- Check the phone's current state.
- Read SMS messages on the device.
- Reboot the device.
- Start once the device has finished booting.
- Monitor incoming MMS messages.
- Monitor incoming SMS messages.
- Monitor incoming WAP push notifications.
- Use the device's mic to record audio.
- Send SMS messages.
- Control how activities are started globally on the system.
- Configure for debugging.
- Set the rotation of the screen.
- Set the time zone.
- Change the background wallpaper and wallpaper hints.
- Open, close, and disable the status bar.
- Display system windows.
- Make the phone vibrate.
- Prevent processor from sleeping or screen from dimming.
- Allows applications to write the apn settings.
- Write to the calendar.
- Create new contact data.
- Write to external storage devices.
- Read or write to the system settings.
- Create new SMS messages.
The Trojan will gather the contacts on the compromised device and send each contact one of the following URLs:
If the device's SIM card is from Bahrain, it will download the following file: