
Trojan:AndroidOS/SmsHider.A


First posted on 13 September 2011.
Source: SecurityHome

Aliases:

Trojan:AndroidOS/SmsHider.A is also known as Android.Trojan.JSmsHider2.A (BitDefender), Android.SmsHider.1 (Dr.Web), Android/JSmsHider.A trojan (ESET), Backdoor.AndroidOS.Xsider.b (Kaspersky), Andr/AdSMS-C (Sophos), Android.Jsmshider (Symantec), AndroidOS_SPYBAT.A (Trend Micro).

Explanation:

Trojan:AndroidOS/SmsHider.A is a trojan that affects mobile devices running the Android operating system with Custom ROMs installed. It may arrive bundled with legitimate Android applications. It may change the mobile device settings and gather information about the device.





Installation

Trojan:AndroidOS/SmsHider.A may be bundled with legitimate Android applications that have been repackaged to include its malicious code, and may be available for download from the Internet. It is signed with the same certificates that the Android Open Source Project has made public for Custom ROMs; on devices running such ROMs this allows it to be installed with the INSTALL_PACKAGES permission and to run as root.



Payload

Contacts remote host / allows backdoor access and control

Trojan:AndroidOS/SmsHider.A attempts to connect to a remote server at svr.xmstsv.com, joins a channel, and waits for commands. Using this backdoor, the trojan gathers the following information and sends it, encrypted with the DES algorithm, to the remote server:

  • International Mobile Equipment Identity
  • International Mobile Subscriber Identity
  • Phone number
  • Model ID
  • SDK (software development kit) version number
  • Version number


Monitors SMS

Trojan:AndroidOS/SmsHider.A checks for the substring "106" in the following SMS folders:

  • Conversations
  • Inbox
  • Sent


The SMS data can then be controlled or modified before it is sent on to the intended recipient.

Downloads arbitrary files

Trojan:AndroidOS/SmsHider.A also silently downloads additional components and/or update packages onto the compromised device.



Analysis by Marianne Mallen

Last update 13 September 2011
