Android.Fakemrat
First posted on 27 January 2016.
Source: Symantec
Aliases :
There are no other names known for Android.Fakemrat.
Explanation :
Android package file
The Trojan may arrive as a package with the following characteristics:
Package name: com.view.openpdf
Version number: 1.0
Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
- Access information about networks
- Access information about the Wi-Fi state
- Open network connections
- Check the phone's current state
- Redirect phone calls to a different number or end phone calls
- Place an outgoing call
- Read user's contact data
- Read SMS messages
- Write to external storage devices
- Access low-level system logs
- Read user's call log
- Mount and unmount file systems
- Record audio
- Access location information, such as GPS information
- Access location information, such as Cell-ID or Wi-Fi
- Access list of accounts
- Manage accounts on the device
- Start once the device has finished booting
- End background processes
- Allow all possible interactions across users
- Access the camera
Installation
Once installed, the application will display a red icon with the text "PDF FOTOSEARCH" in white.
Functionality
When the Trojan is executed, it opens a .pdf file within the application.
Next, the Trojan connects to the following remote location through TCP port 3728: ziba.lenovositegroup.com
The Trojan may then perform the following actions:
- Open a remote shell
- Record from the camera and microphone
- Record phone calls
- Upload and download files
- Install additional apps
The Trojan may also gather the following details:
- Lists of accounts, apps, and running processes
- Device information
- Network information
- Location data
- Contact data
- Photos
- SMS messages
Last update 27 January 2016