Trojan:AndroidOS/SmsHider.A is a trojan that affects mobile devices running the Android operating system with Custom ROMs installed. It may arrive bundled with legitimate Android applications. It may change the mobile device settings and gather information about the device.
Installation
Trojan:AndroidOS/SmsHider.A may be bundled with legitimate Android applications that have been repackaged to include its malicious code. It may be available for download from the Internet. It is signed with the same certificates that the Android Open Source Project makes public for building Custom ROMs; on devices whose ROM was built with those keys, this allows the trojan to be installed with the INSTALL_PACKAGES permission and to run as root.
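The check a defender would want here, as an added example that is not part of the original write-up: flag an APK whose v1 (JAR) signing certificate matches a publicly known AOSP test key, since on a ROM built with those keys such a package inherits platform trust. The fingerprint set is a placeholder to fill from your own AOSP checkout, and the sample APK is constructed inline and is not a real signed package.

```python
import hashlib, os, tempfile, zipfile

# PLACEHOLDER, not a real value: fill with the SHA-256 fingerprints of the public AOSP test keys
# (e.g. `openssl x509 -in build/target/product/security/testkey.x509.pem -noout -fingerprint -sha256`).
KNOWN_TEST_KEY_SHA256 = {"PLACEHOLDER_AOSP_TESTKEY_SHA256_FINGERPRINT"}

def _tlv(buf, pos):  # decode the DER element at buf[pos] -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _pkcs7_certificates(blob):
    """Yield the raw DER certificates carried in a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    _, content_info, _ = _tlv(blob, 0)         # ContentInfo ::= SEQUENCE
    _, _, pos = _tlv(content_info, 0)          # contentType OID (signedData)
    _, explicit0, _ = _tlv(content_info, pos)  # content [0] EXPLICIT
    _, signed_data, _ = _tlv(explicit0, 0)     # SignedData ::= SEQUENCE
    pos = 0
    for _ in range(3):                         # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = _tlv(signed_data, pos)
    tag, certs, _ = _tlv(signed_data, pos)
    if tag != 0xA0:                            # certificates [0] IMPLICIT is OPTIONAL
        return
    pos = 0
    while pos < len(certs):
        start, (_, _, pos) = pos, _tlv(certs, pos)
        yield certs[start:pos]                 # whole Certificate element, header included

def signer_fingerprints(apk_path):
    """Upper-case hex SHA-256 of every certificate in the APK's v1 signature blocks."""
    fps = set()
    with zipfile.ZipFile(apk_path) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(hashlib.sha256(c).hexdigest().upper() for c in _pkcs7_certificates(z.read(name)))
    return fps

def signed_with_test_key(apk_path, known=KNOWN_TEST_KEY_SHA256):  # True if a signer is a known test key
    return bool(signer_fingerprints(apk_path) & set(known))

def _der(tag, body):  # short-form DER encoder (body < 128 bytes), only for the constructed sample
    return bytes([tag, len(body)]) + body
def build_sample_apk():
    """Constructed sample (not a real signed APK): PKCS#7 shell around a dummy 'certificate'."""
    cert = _der(0x30, b"constructed dummy certificate body, not real X.509")
    sd = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
              + _der(0xA0, cert) + _der(0x31, b""))
    blob = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + _der(0xA0, sd))
    path = os.path.join(tempfile.mkdtemp(), "sample.apk")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/CERT.RSA", blob)
    return path, hashlib.sha256(cert).hexdigest().upper()  # expected fingerprint of the dummy
```

This reads only the v1 JAR signature; certificates carried in the APK Signing Block (v2/v3 schemes) are not covered. A match is a trust-boundary warning rather than proof of malware, since system apps of a test-key ROM legitimately share that signer.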
Payload
Contacts remote host / allows backdoor access and control
Trojan:AndroidOS/SmsHider.A attempts to connect to a remote server at svr.xmstsv.com, join a channel and wait for commands. Using this backdoor, the trojan gathers the following information and sends it, encrypted with the DES algorithm, to the remote server:
- International Mobile Equipment Identity
- International Mobile Subscriber Identity
- Phone number
- Model ID
- SDK (software development kit) version number
- Version number
Monitors SMS
Trojan:AndroidOS/SmsHider.A checks for the substring "106" in the following SMS folders:
The SMS data can then be controlled or modified before sending it out to the intended receiver.
Downloads arbitrary files
Trojan:AndroidOS/SmsHider.A may also silently download additional components and/or update packages onto the compromised device.
Analysis by Marianne Mallen