Trojan:AndroidOS/Denofow.A is a trojan that affects mobile devices that run the Android operating system. It may arrive on the device as part of a repackaged application. It sends SMS messages to all entries in the device's address book, and may also change the device wallpaper, depending on the current date.
Installation
When run, Trojan:AndroidOS/Denofow.A may display the following installation details:
Payload
Connects to a remote server
Trojan:AndroidOS/Denofow.A connects to the webpage "biofaction.no-ip.biz/talktome.asmx" via Simple Object Access Protocol (SOAP) within a minute of first execution, and every 33 minutes thereafter. On each connection it checks for the following replies from the server:
If it receives the reply "formula401", it sends out the following SMS message to all of the entries in the device's address book:
You have to download this and thank me later <URL>
where <URL> may be any of the following:
- turbobit.net/3qijra41byed.html
- turbobit.net/9fzlltk2eptu.html
- turbobit.net/9c19sk0tcg8z.html
If it receives the reply "health", it deletes SMS messages coming from the server by checking the origin of the SMS. It does this to avoid detection by the user.
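The check-in behavior described above can be hunted for in web proxy logs. The following is an added example, not part of the original analysis: it flags clients that request the server URL named above and tests whether their requests recur at the 33-minute interval. The log line format, the function name find_denofow_beacons and the 90-second tolerance are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators taken from the description above.
C2_HOST = "biofaction.no-ip.biz"
C2_PATH = "/talktome.asmx"
BEACON_INTERVAL = timedelta(minutes=33)

# Constructed sample lines in an assumed format: timestamp client method url status
SAMPLE_LOG = """\
2011-05-20T10:00:40Z 10.0.0.5 POST http://biofaction.no-ip.biz/talktome.asmx 200
2011-05-20T10:12:03Z 10.0.0.9 GET http://www.example.com/index.html 200
2011-05-20T10:33:41Z 10.0.0.5 POST http://biofaction.no-ip.biz/talktome.asmx 200
2011-05-20T11:06:39Z 10.0.0.5 POST http://BIOFACTION.no-ip.biz/TalkToMe.asmx 200
2011-05-20T11:20:00Z 10.0.0.7 GET http://biofaction.no-ip.biz/talktome.asmx 404
malformed line
""".splitlines()


def find_denofow_beacons(lines, tolerance=timedelta(seconds=90)):
    """Return {client: {"hits": n, "periodic": bool}} for clients contacting the URL."""
    seen = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        stamp, client, _method, url, _status = fields
        parts = urlsplit(url)
        # Host names are case-insensitive; comparing the path that way is an assumption.
        if (parts.hostname or "").lower() != C2_HOST or parts.path.lower() != C2_PATH:
            continue
        try:
            seen[client].append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            continue  # unparseable timestamp
    report = {}
    for client, times in seen.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # One hit already matches the indicator; gaps near 33 minutes match the schedule.
        periodic = bool(gaps) and all(abs(g - BEACON_INTERVAL) <= tolerance for g in gaps)
        report[client] = {"hits": len(times), "periodic": periodic}
    return report


if __name__ == "__main__":
    for client, info in find_denofow_beacons(SAMPLE_LOG).items():
        print(client, info)
```

A client with a single hit is still reported, since any request to this URL matches the indicator; the periodic flag only adds confidence that the requests come from the trojan's timer.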
Sends SMS messages
If the current date of the device is May 21, 2011, Trojan:AndroidOS/Denofow.A sends out SMS messages to all of the entries in the user's address book. The messages are stored in a file named "mydb.db" and may include the following:
- "Cannot talk right now, the world is about to end"
- "Jebus is way over due for a come back"
- "Its the Raptures,praise Jebus"
- "Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right"
- "Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage"
- "Es el fin del mundo"
If the current date of the device is May 22, 2011, it sends out the following SMS message to all of the entries in the user's address book:
- "Looks like Jebus is a no show, maybe Judaism was on to something"
Changes device wallpaper
Once installed, Trojan:AndroidOS/Denofow.A checks if the current date is May 21, 2011. If so, it changes the device wallpaper to the following:
If the date is May 22, 2011, it changes the wallpaper to the following:
Additional information
Trojan:AndroidOS/Denofow.A attempts to perform an HTTP GET request to the site "www.comedycentral.com" to submit feeds, using a predefined URI that contains strings from "mydb.db", the file it creates.
Analysis by Marianne Mallen