Trojan:AndroidOS/Hundreix.A

Trojan:AndroidOS/Hundreix.A is a trojan that runs on Android OS devices such as mobile phones. It captures and sends information about the phone to an SMS number.

Installation

In the wild, Trojan:AndroidOS/Hundreix.A was maliciously distributed to an unknown number of mobile numbers as a security update for the phone. When the installer was run, it requested the following permissions of the mobile device:

• android.permission.READ_SMS
• android.permission.WRITE_SMS
• android.permission.SEND_SMS
• android.permission.RECEIVE_SMS
• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.ACCESS_NETWORK_STATE
• android.permission.BROADCAST_PACKAGE_REMOVED
• android.permission.BROADCAST_PACKAGE_ADDED
• android.permission.ACCESS_WIFI_STATE
• android.permission.CHANGE_WIFI_STATE
• android.permission.WAKE_LOCK
• android.permission.INTERNET
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.READ_PHONE_STATE
• android.permission.WAKE_LOCK
• android.permission.DEVICE_POWER
• android.permission.WRITE_APN_SETTINGS

The trojan deletes the original SMS message received that contains the fake update. The SMS message could have originated from one of the following SMS numbers:

• 10086
• 1062
• 1065

Payload

Downloads configuration data
The trojan attempts to download a configuration data file from a server "adsms.itodo.cn" as the following:

• /sdcard/Tencent/smsConfig.xml

Captures and sends phone data

The trojan sends the following data to an attacker for collection:

• IMEI SystemSDK
• Phone number
• Phone model

Downloads and installs update

The malware could update itself by downloading an update of the trojan code from a specified IP address, such as "61.164.109.77".

Analysis by Tim Liu