
Trojan:AndroidOS/Stiniter.A


First posted on 23 May 2012.
Source: Microsoft

Aliases:

Trojan:AndroidOS/Stiniter.A is also known as HEUR:Backdoor.AndroidOS.Stiniter.a (Kaspersky), Backdoor.AndroidOS.Stiniter.B (VirusBuster), Android.SmsSend.384 (Dr.Web), Android/InitrUp (McAfee), Andr/Stiniter-A (Sophos), Android.Stiniter (Symantec), AndroidOS_STINITER.A (Trend Micro).

Explanation:

Trojan:AndroidOS/Stiniter.A is a trojan that affects devices running the Android operating system. It changes certain device settings that allow it to steal information and run other malware.

It may display the following app installation sequence:

[Screenshots of the app installation sequence are not reproduced in this copy.]

When run, Trojan:AndroidOS/Stiniter.A may request the following permissions:

  • Allow read-only access to the phone's current state
  • Send SMS messages
  • Allow an app to receive the "ACTION_BOOT_COMPLETED" signal, which may increase the amount of time it takes for your device to start, and allows apps to run without your permission or awareness
  • Keep the processor from sleeping or the device's screen from dimming
  • Disable the keyguard


Payload

Steals sensitive information

Trojan:AndroidOS/Stiniter.A gathers the following information, which it then sends to a specific number:

  • IMEI number
  • International Mobile Subscriber Identity (IMSI)
  • Device model
  • Screen size of the device
  • Platform and operating system running on the device


Drops and runs other malware

Trojan:AndroidOS/Stiniter.A drops the following files:

  • /data/data/android.gdwsklzz.com/googleservice.apk
  • /data/data/android.gdwsklzz.com/googlemessage.apk
  • /data/data/android.gdwsklzz.com/start - detected as Trojan:Linux/Stiniter.A
  • /data/data/android.gdwsklzz.com/initr - detected as Trojan:Linux/Stiniter.A
  • /data/data/android.gdwsklzz.com/ts - detected as Trojan:Linux/Stiniter.A
  • /data/data/android.gdwsklzz.com/keeper - detected as Trojan:Linux/Stiniter.A
  • /data/data/android.gdwsklzz.com/unlock.apk - detected as Trojan:Linux/Stiniter.A
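As an added defensive example (not part of the original analysis), the following Python triages a decoded AndroidManifest.xml against the permission set listed under "When run" above and the package name implied by the /data/data/android.gdwsklzz.com/ drop directory. It assumes the manifest has already been decoded from the APK's binary XML to plain text (for example with apktool), that the human-readable permission descriptions map to the standard Android permission constants named in the code, and that the package name is the directory under /data/data/; both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Package name inferred from the dropped-file directory /data/data/<package>/ above.
STINITER_PACKAGE = "android.gdwsklzz.com"
# Standard Android permission constants behind the human-readable requests listed above.
STINITER_PERMISSIONS = (
    "android.permission.READ_PHONE_STATE",        # read-only access to phone state
    "android.permission.SEND_SMS",                # send SMS messages
    "android.permission.RECEIVE_BOOT_COMPLETED",  # receive ACTION_BOOT_COMPLETED
    "android.permission.WAKE_LOCK",               # keep CPU awake / screen undimmed
    "android.permission.DISABLE_KEYGUARD",        # disable the keyguard
)

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("uses-permission")}

def triage_manifest(manifest_xml):
    """Compare a decoded AndroidManifest.xml against the Stiniter.A indicators."""
    root = ET.fromstring(manifest_xml)
    found = requested_permissions(manifest_xml)
    matched = [p for p in STINITER_PERMISSIONS if p in found]
    return {
        "package_match": root.get("package") == STINITER_PACKAGE,
        "matched_permissions": matched,
        "full_permission_set": len(matched) == len(STINITER_PERMISSIONS),
    }

# Constructed manifests for demonstration; not taken from a real sample.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="android.gdwsklzz.com">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

A full match on the permission set is a triage signal, not a verdict: legitimate apps can request the same combination, so confirm with the dropped files and server paths listed on this page.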


Connects to a server

Trojan:AndroidOS/Stiniter.A connects to the following servers to send and receive other instructions:

  • vhunjie.com/tgloader-android
  • vshenhuo.com/tgloader-android
  • vyidong.com/tgloader-android
  • vliulan.com/tgloader-android




Analysis by Tim Liu

Last update 23 May 2012
