Threat behavior
TrojanSpy:AndroidOS/Pjapps.A is a detection for a trojanized application that runs on Android OS mobile devices and attempts to send sensitive information to a remote server. The trojan can also send SMS messages to other phones and allows limited remote control of the mobile device.
Installation
TrojanSpy:AndroidOS/Pjapps.A may be downloaded and installed manually from an unauthorized Android apps website as a standard Android package file (.APK) installer for mobile devices running the Android platform. When run, the trojan attempts to send user-identifiable data to a remote server. The trojan executes as a service in the background.
Payload
Collects and sends sensitive data to a remote server
TrojanSpy:AndroidOS/Pjapps.A collects the following user identifiable information:
- IMEI code
- Current phone number
- Subscriber ID
- SIM card serial number
The trojan reports its installation and sends the collected sensitive information to a remote server (such as "log.meego91.com"). The trojan also retrieves a list of phone numbers that are used to send SMS messages.
Allows limited remote control of the mobile device
TrojanSpy:AndroidOS/Pjapps.A attempts to retrieve instructions from a remote server, such as "log.meego91.com". The instructions may include the following actions:
- Send specified SMS content and a URL to a phone number retrieved from the remote server
- Add bookmarks with a specified title and URL
- Download and install a specified .APK file from a specified URL
- Display a popup window requesting the user to visit a specified URL
In the last action, once a user attempts to visit the URL, the trojan uses the first available browser from the following list, in this order:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
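Both the data upload and the instruction retrieval described above contact the remote server, so DNS lookups for that host are a practical way to find affected devices on a network. The following is an added example, not part of the original analysis: it scans dnsmasq-style query log lines (an assumed format, with constructed sample data) for the host named above, matching on whole labels so that lookalike names are not flagged.

```python
import re
from collections import defaultdict

# Host named on this page as the remote server; kept as a configurable indicator.
C2_HOST = "log.meego91.com"

# Assumed log format: dnsmasq-style query lines (see the constructed sample below).
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?query\[(?P<qtype>\w+)\]\s"
    r"(?P<name>\S+)\sfrom\s(?P<client>\S+)$"
)

def normalize(name):
    """Lower-case and drop the root dot so 'LOG.Meego91.com.' compares equal."""
    return name.rstrip(".").lower()

def matches_indicator(name, indicator=C2_HOST):
    """True for the indicator itself or any label-aligned subdomain of it."""
    name, indicator = normalize(name), normalize(indicator)
    return name == indicator or name.endswith("." + indicator)

def find_c2_lookups(lines, indicator=C2_HOST):
    """Return {client_ip: [timestamps]} for queries that hit the indicator."""
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m and matches_indicator(m.group("name"), indicator):
            hits[m.group("client")].append(m.group("ts"))
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[412]: query[A] log.meego91.com from 10.0.0.23
Mar  3 10:15:02 dnsmasq[412]: query[A] www.example.org from 10.0.0.23
Mar  3 10:45:01 dnsmasq[412]: query[AAAA] LOG.MEEGO91.COM. from 10.0.0.23
Mar  3 10:46:10 dnsmasq[412]: query[A] log.meego91.com.example.net from 10.0.0.40
Mar  3 10:47:33 dnsmasq[412]: query[A] catalog.meego91.com from 10.0.0.41
Mar  3 11:02:19 dnsmasq[412]: reply log.meego91.com is 192.0.2.10
Mar  3 11:15:00 dnsmasq[412]: query[A] a.log.meego91.com from 10.0.0.57
""".splitlines()

if __name__ == "__main__":
    for client, seen in sorted(find_c2_lookups(SAMPLE_LOG).items()):
        print(f"{client}: {len(seen)} lookup(s), first {seen[0]}, last {seen[-1]}")
```

Repeated lookups from one client, as with 10.0.0.23 in the sample, point to a device worth inspecting for the trojanized package.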
Adds bookmarks
TrojanSpy:AndroidOS/Pjapps.A may add the following URLs as bookmarks:
Blocks inbound SMS messages
TrojanSpy:AndroidOS/Pjapps.A blocks SMS messages that may arrive from numbers listed in a private log file named "android.log".
Analysis by Shawn Wang
Prevention