ZitMo Trojan [Android Zeus]



CardingMafia Admin
04-21-2013, 10:32 AM
On the 4th of June 2012 we found 3 APK files of ~207 kb in size each heuristically detected by our engine as HEUR:Trojan-Spy.AndroidOS.Zitmo.a. All these applications are malicious and were created to steal incoming SMS messages from infected devices. SMS messages will be uploaded to a remote server whose URL is encrypted and stored inside the body of the Trojan. We found 3 more APK files with exactly the same functionality on 8th, 13th and 14th of June. So there are at least 6 files which pretend to be ‘Android Security Suite Premium’ but in fact were created only for stealing incoming SMS messages.
After the infection there is a blue shield icon in the menu with the name ‘Android Security Suite Premium’:


http://www.securelist.com/en/images/pictures/klblog/208193605.png


cajamar.apk
b1ae0d9a2792193bff8c129c80180ab0
5e43837a72ff33168df7c877b07a3c89ad64b82a2719be1cd2601be552b07114

d1cf8ab0987a16c80cea4fc29aa64b56.apk
302c060432907e506643d39b7981df16a61c61b84981bcec379fa8c5b2ec6a99

banesto.apk
a1593777ac80b828d2d520d24809829d
8473f9c732d3e026d79c866b47342b39b502ad0ee8859a345c5b61e199372ddc

e9068f116991b2ee7dcd6f2a4ecdd141.apk
e9068f116991b2ee7dcd6f2a4ecdd141
99621de457d2ff5d192cd7b27f64f3c7ad64aab2e60ad22610076850aaa2828c

6ddaae38a49cefcb1445871e0955bef3.apk
638840b9c2567c3434d10c9ee474318e1e328df7813cc6a24bed15560354ee44

2dfccca5a9cdf207fb43a54b2194e368.apk
ceb54cba2561f62259204c39a31dc204105d358a1a10cee37de889332fe6aa27

If the application is launched it will show a generated ‘activation code’:


http://www.securelist.com/en/images/pictures/klblog/208193606.png


It is also important to mention that these malicious apps are able to receive commands for uninstalling themselves, stealing system information and enabling/disabling the malicious applications. Let’s be honest, such functionality (the ability to receive and execute commands and the ability to steal SMS messages) is not that new for mobile (Android) malware. But there was a feeling that there was something more behind these files.
We found 6 different C&Cs in these APK files. Here is the list of them:
android*****.com
android2u*****.com
androidve*****.net
android-s*****.net
soft2u*****.com
updatean*****.biz
If you try to ‘whois’ the first 5 domains you won’t find a lot of interesting or useful information. But here is what you get when you whois the last C&C domain:


http://www.securelist.com/en/images/pictures/klblog/208193607.png


Yes, it’s fake data but if you continue to google for e.g. [email protected] you will find out that there are more domains which were registered back in 2011 using the same fake data.


For example, favoritopi*****.com, akteriak*****.com, basepol*****.com and justdongwf3*****.info.

All these domains were found in our ZeuS C&C database.
So, there is a new piece of Android malware which steals incoming SMS messages and uploads them to the remote server. One of the remote server domains was registered using the same fake data which was used for registering ZeuS C&Cs back in 2011.



http://www.mediafire.com/?xbxq66amt3dcqnr
pwd:infected
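The post lists its indicators as a mix of MD5 and SHA-256 values, and the forum software has wrapped the longer hashes with a stray space. The following is an added example, not code from the original post or from Securelist: a small Python triage script that normalises that hash list (the values are the ones quoted above), then hashes the files under a directory and reports any that match. The 96-character case handles the one line in the post where an MD5 and its SHA-256 share a line; that layout rule is an assumption specific to this post.

```python
"""Added example: match local files against the IoC hashes quoted in the post."""
import hashlib
import os
import re
import sys

# IoC list as it appears in the post, wrapping spaces included.
# File names that accompany the hashes are skipped by the hex check below.
RAW_IOCS = """
cajamar.apk
b1ae0d9a2792193bff8c129c80180ab0
5e43837a72ff33168df7c877b07a3c89ad64b82a2719be1cd2 601be552b07114
d1cf8ab0987a16c80cea4fc29aa64b56.apk
302c060432907e506643d39b7981df16a61c61b84981bcec37 9fa8c5b2ec6a99
banesto.apk
a1593777ac80b828d2d520d24809829d
8473f9c732d3e026d79c866b47342b39b502ad0ee8859a345c 5b61e199372ddc
e9068f116991b2ee7dcd6f2a4ecdd141.apk
e9068f116991b2ee7dcd6f2a4ecdd141 99621de457d2ff5d192cd7b27f64f3c7ad64aab2e60ad22610 076850aaa2828c
6ddaae38a49cefcb1445871e0955bef3.apk
638840b9c2567c3434d10c9ee474318e1e328df7813cc6a24b ed15560354ee44
2dfccca5a9cdf207fb43a54b2194e368.apk
ceb54cba2561f62259204c39a31dc204105d358a1a10cee37d e889332fe6aa27
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_iocs(text):
    """Return {'md5': set, 'sha256': set} from a loosely formatted hash list.

    Whitespace inside a line is removed (undoing the forum wrap), the length of
    the remaining hex run decides the algorithm, and non-hex lines are ignored.
    """
    iocs = {"md5": set(), "sha256": set()}
    for line in text.splitlines():
        run = re.sub(r"\s+", "", line.strip().lower())
        if not run or not HEX_RE.match(run):
            continue
        if len(run) == 32:
            iocs["md5"].add(run)
        elif len(run) == 64:
            iocs["sha256"].add(run)
        elif len(run) == 96:
            # Assumption for this post: an MD5 followed by its SHA-256 on one line.
            iocs["md5"].add(run[:32])
            iocs["sha256"].add(run[32:])
    return iocs


def hash_bytes(data):
    """Compute both digests that the IoC list uses."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_bytes(data, iocs):
    """Return [(algorithm, digest), ...] for every indicator the data matches."""
    digests = hash_bytes(data)
    return [
        (algo, digests[algo])
        for algo in ("md5", "sha256")
        if digests[algo] in iocs.get(algo, set())
    ]


def scan_dir(root, iocs):
    """Hash every file under root and return {path: matches} for the hits only."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                matches = match_bytes(fh.read(), iocs)
            if matches:
                hits[path] = matches
    return hits


if __name__ == "__main__":
    indicators = parse_iocs(RAW_IOCS)
    print(f"loaded {len(indicators['md5'])} MD5 and "
          f"{len(indicators['sha256'])} SHA-256 indicators")
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_matches in scan_dir(target, indicators).items():
        print(hit_path, hit_matches)
```

Run it as `python zitmo_ioc_scan.py /path/to/apks`; a file whose MD5 or SHA-256 equals one of the quoted values is printed with the algorithm that matched. Because the list mixes two algorithms, both digests are computed per file rather than guessing which one the author meant.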