
Android.Fakelogin


First posted on 22 October 2015.
Source: Symantec

Aliases :

There are no other names known for Android.Fakelogin.

Explanation :

Android package file
The Trojan may arrive as a package with the following characteristics:

Package name: com.android.innus
Version number: 1.0
App name: Settings (IN RUSSIAN)

Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:

Open network connections
Create new SMS messages
Read SMS messages on the device
Send SMS messages
Monitor incoming SMS messages
Prevent processor from sleeping or screen from dimming
Check the phone's current state
Start once the device has finished booting
Access information about networks
Change network connectivity state
Access list of accounts
Access list of current or recently running tasks
Display alerts
End background processes
Disable KeyGuard, which can be used to lock or unlock the keypad
Read user's contacts data
Initiate a phone call without using the Phone UI or requiring confirmation from the user
Access location information, such as Cell-ID or Wi-Fi
Access location information, such as GPS information
Read user's call log
Read browser history and bookmarks
Read or write to the system settings

Installation
Once installed, the application will display an icon with the top half of the Android mascot. However, it will hide this icon if it successfully registers itself as the device administrator.


Functionality
The Trojan may arrive through a downloader threat that could have previously compromised the device.

When the Trojan is executed, it displays an error message and asks the user to replace the default SMS app with its software.

The Trojan then tries to register itself as the device administrator under a legitimate app name such as "Google Play". If the Trojan is granted these permissions, it hides its icon.

Next, the Trojan downloads a list of legitimate apps from the following remote location:
[http://]sikddhffg.com

The Trojan waits until the user opens an app that's on the list. If this happens, the Trojan displays a customized phishing page over the app's interface. The page uses the branding of the targeted app to trick users into submitting their login credentials.



If the user tries to log in through this phishing page, then their login credentials will be sent to the attacker's remote location.
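
As an added example (not part of the Symantec write-up), the behaviours described above can be expressed as a triage check over an app inventory. The record schema, the scoring threshold and the mapping from the listed permissions to `android.permission.*` constants are assumptions of this example.

```python
# Added triage example; the permission constants are this example's mapping of
# the write-up's plain-language permission list, not values quoted from it.
P = "android.permission."
OVERLAY = {P + "SYSTEM_ALERT_WINDOW", P + "GET_TASKS"}  # draw over apps + watch foreground app
SMS = {P + "READ_SMS", P + "SEND_SMS", P + "RECEIVE_SMS", P + "WRITE_SMS"}
PERSIST = {P + "RECEIVE_BOOT_COMPLETED", P + "DISABLE_KEYGUARD"}
KNOWN_PACKAGE = "com.android.innus"  # package name given in the write-up


def triage(app):
    """Return (score, reasons) for one inventory record (hypothetical schema)."""
    perms = set(app.get("permissions", []))
    reasons = []
    if app.get("package") == KNOWN_PACKAGE:
        reasons.append("package name matches the write-up")
    if OVERLAY <= perms:
        reasons.append("can watch the foreground app and draw over it")
    if len(SMS & perms) >= 3:
        reasons.append("broad SMS access")
    if app.get("device_admin") and not app.get("launcher_icon", True):
        reasons.append("device administrator with hidden launcher icon")
    if app.get("default_sms") and not app.get("system_app", False):
        reasons.append("third-party app holds the default SMS role")
    if PERSIST <= perms:
        reasons.append("starts at boot and can disable the keyguard")
    return len(reasons), reasons


def flag(inventory, threshold=3):
    """Packages whose score meets the threshold, highest score first."""
    scored = [(triage(a)[0], a["package"]) for a in inventory]
    return [pkg for score, pkg in sorted(scored, reverse=True) if score >= threshold]


# Constructed inventory records for illustration.
SAMPLE = [
    {"package": "com.android.innus", "device_admin": True, "launcher_icon": False,
     "default_sms": True, "permissions": sorted(OVERLAY | SMS | PERSIST)},
    {"package": "org.example.messenger", "device_admin": False, "launcher_icon": True,
     "default_sms": True, "permissions": sorted(SMS | {P + "INTERNET"})},
    {"package": "org.example.flashlight", "permissions": [P + "WAKE_LOCK"]},
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(app["package"], *triage(app))
```

A legitimate messaging app scores on SMS access and the default SMS role alone, which is why the threshold requires a third signal such as the overlay pair or a hidden device administrator.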

Last update 22 October 2015

 
