
Android.Ghostpush


First posted on 03 October 2015.
Source: Symantec

Aliases:

There are no other names known for Android.Ghostpush.

Explanation:

Android package file
The Trojan may arrive as a package with the following characteristics:

Package name: com.android.wp.net.log

Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about networks
- Access information about the Wi-Fi state
- Change Wi-Fi connectivity state
- Open network connections
- Write to external storage devices
- Check the phone's current state
- Kill background processes
- Install a shortcut
- Gain superuser access
- Access the camera
- Read or write to the system settings
- Access the list of accounts in the Accounts Service
- Detect when the phone is unlocked
- Access to MediaTek hardware


Installation
Once installed, the application will not display an icon.

Functionality
The Trojan attempts to root the compromised device.

The Trojan may run the following DEX file:
protect.apk
The Trojan may then connect to the following remote location:
[http://]api.hdyfhpoi.com[REMOVED]
Next, the Trojan may gather the following information from the compromised device and send it to a remote location:
- MAC address
- Device language
- International Mobile Station Equipment Identity (IMEI) number
- International Mobile Subscriber Identity (IMSI) number
The Trojan may modify the following file:
/system/etc/install-recovery.sh
The Trojan may then perform malicious activities on the compromised device.
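The following triage helper is an added example, not part of the Symantec write-up and not code from the Trojan. It turns the indicators given above (the package name, the dropped DEX name, the remote host, the modified system file, and the requested permissions) into offline checks a responder could run over artefacts pulled from a device: the output of `adb shell pm list packages`, a proxy or DNS log, the contents of /system/etc/install-recovery.sh compared with a baseline hash, and a manifest permission list. The mapping from the write-up's human-readable permission descriptions to manifest permission strings is an assumption (the page names the actions, not the constants), the baseline hash and all sample inputs are constructed here, and the URL path after the host is a placeholder because the write-up redacts it.

```python
"""Offline indicator triage for the Android.Ghostpush write-up (added example, not Symantec's code)."""
import hashlib
import re

# Indicators taken directly from the write-up.
PACKAGE_NAME = "com.android.wp.net.log"
DROPPED_DEX = "protect.apk"
REMOTE_HOST = "api.hdyfhpoi.com"
MODIFIED_SYSTEM_FILE = "/system/etc/install-recovery.sh"

# Assumed mapping from the write-up's action descriptions to manifest permission
# strings; the page lists the actions, not these constants (assumption).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.ACCESS_SUPERUSER": "gain superuser access",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill background processes",
    "android.permission.WRITE_SETTINGS": "read or write to the system settings",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "install a shortcut",
    "android.permission.READ_PHONE_STATE": "check the phone's current state",
}

_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def check_packages(pm_output):
    """Flag the Trojan's package name in `pm list packages` style output."""
    findings = []
    for line in pm_output.splitlines():
        pkg = line.strip()
        if pkg.startswith("package:"):
            pkg = pkg[len("package:"):]
        if pkg == PACKAGE_NAME:
            findings.append("installed package matches indicator: " + pkg)
    return findings


def check_network_log(log_lines):
    """Flag log lines whose URL host is the remote location from the write-up."""
    findings = []
    for line in log_lines:
        for host in _HOST_RE.findall(line):
            host = host.lower()
            if host == REMOTE_HOST or host.endswith("." + REMOTE_HOST):
                findings.append("contact with indicator host " + host + ": " + line.strip())
    return findings


def check_system_file(pulled_content, baseline_sha256):
    """Compare a pulled copy of install-recovery.sh with a known-good SHA-256."""
    digest = hashlib.sha256(pulled_content).hexdigest()
    if digest != baseline_sha256:
        return [MODIFIED_SYSTEM_FILE + " differs from baseline (sha256 " + digest + ")"]
    return []


def check_permissions(permission_list):
    """Return the requested permissions that match the write-up's suspicious actions."""
    return [p + " (" + SUSPICIOUS_PERMISSIONS[p] + ")"
            for p in permission_list if p in SUSPICIOUS_PERMISSIONS]


def check_dropped_files(file_listing):
    """Flag the dropped DEX name anywhere in a directory listing (one path per line)."""
    return [p.strip() for p in file_listing.splitlines()
            if p.strip().endswith("/" + DROPPED_DEX) or p.strip() == DROPPED_DEX]


def triage(pm_output, log_lines, pulled_content, baseline_sha256, permission_list, file_listing):
    """Run every check and return the combined list of findings."""
    return (check_packages(pm_output) + check_network_log(log_lines)
            + check_system_file(pulled_content, baseline_sha256)
            + check_permissions(permission_list) + check_dropped_files(file_listing))


# Constructed sample artefacts (not captured from a real device).
SAMPLE_PM_OUTPUT = "package:com.android.settings\npackage:com.android.wp.net.log\npackage:com.example.notes\n"
SAMPLE_NETWORK_LOG = [
    "2015-10-03T09:12:44Z 10.0.0.7 GET http://api.hdyfhpoi.com/PATH-REDACTED 200",
    "2015-10-03T09:12:45Z 10.0.0.7 GET http://example.org/ok 200",
]
SAMPLE_PERMISSIONS = ["android.permission.INTERNET", "android.permission.ACCESS_SUPERUSER",
                      "android.permission.KILL_BACKGROUND_PROCESSES"]
SAMPLE_FILE_LISTING = "/data/data/com.android.wp.net.log/files/protect.apk\n/data/data/com.example.notes/files/notes.db\n"
BASELINE_CONTENT = b"#!/system/bin/sh\n"                       # constructed known-good copy
BASELINE_SHA256 = hashlib.sha256(BASELINE_CONTENT).hexdigest()
SAMPLE_PULLED = BASELINE_CONTENT + b"# extra line appended (constructed)\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_NETWORK_LOG, SAMPLE_PULLED,
                          BASELINE_SHA256, SAMPLE_PERMISSIONS, SAMPLE_FILE_LISTING):
        print(finding)
```

Run as a script it prints one line per matched indicator for the constructed samples; in practice the baseline hash should come from a pristine copy of the same firmware build, since install-recovery.sh legitimately differs between devices, and the permission check is a prompt for review rather than a verdict on its own.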

Last update 03 October 2015
