Android.Titan.1

Added to the Dr.Web virus database: 2015-03-17

Virus description added:

A Trojan infecting Android mobile devices. It is intended to send SMS messages and make phone calls covertly, as well as to collect all sorts of confidential information. Unlike most Android Trojans, this malware concentrates all its malicious features in a special Unix library while the Android.Titan.1 dex file is used as an auxiliary component. Once Android.Titan.1 is installed on the target device, it creates a shortcut on the home screen and waits for the user to launch it.


After it is launched by the owner of the infected Android device, the Trojan removes its previously created icon. It also removes the last SMS dialogue stored in the device memory and starts the com/Titanium/Synchronous/praesunt malicious service. Later launches of Android.Titan.1 are performed automatically at each startup.

Once successfully executed, com/Titanium/Synchronous/praesunt starts the com/Titanium/Synchronous/adipiscing service, which, in turn, can perform the following features:

  • «MAINSTART»
  • «MSGUPLOAD»
  • «SCRUPLOAD»
  • «VOCUPLOAD»

The “MAINSTART” feature

Provides the cyclical start of com/Titanium/Synchronous/praesunt, thus keeping the Trojan permanently active. In addition, this feature checks which application is the default SMS manager and, if it is not Android.Titan.1, tries to make the Trojan the default manager using the android.provider.Telephony.ACTION_CHANGE_DEFAULT standard system function.

It also sends the following information about the compromised mobile device to the command and control server:

  • OS version
  • User's mobile number
  • Data on network connection
  • MAC address
  • IMEI
  • IMSI

In return, the server can send commands to:

  • Start the com/Titanium/Synchronous/desine service that searches for and kills all processes related to the com.kakao.talk application
  • Start the com/Titanium/Synchronous/factum service that spoofs phone numbers in the phone book
  • Change the device's ringer mode (silent, vibrate or normal) and set the ringer volume level
  • Start the com/Titanium/Synchronous/factum service that sends SMS messages to a specified number
  • Start the com/Titanium/Synchronous/factum service that calls a specified number (during the call, the screen of the device stays inactive, as in standby mode)
  • Send the information stored in the contact list (names and corresponding phone numbers) to the server
  • Start the com/Titanium/Magister/posursum service that displays a specified text and accompanying images in the notification bar

The “MSGUPLOAD” feature

Collects information about all inbound SMS messages (sender, date and time of sending) and uploads the collected information to the command and control server. If a connection with the server cannot be established, the information is stored in a local database and sent later.

The “SCRUPLOAD” feature

Monitors the status of the device's screen (active or standby mode) and sends this data to the server.

The “VOCUPLOAD” feature

Collects information about the user's calls and sends this data to the server.

The com.Titanium.Accipite.pipeline service

Starts in the following cases:

  • When an SMS is received. In this case, the service checks inbound messages and hides some parts of them (according to the Trojan's settings) from the user. The information about all inbound SMS messages is sent to the command and control server using the "MSGUPLOAD" feature.
  • When the operating system is loaded. In this case, the service activates the Trojan's main service using the "MAINSTART" feature.
  • Every minute, when the Trojan checks the device's status and whether the user is making a call. If so, the call is recorded to an amr file placed in the Android.Titan.1 working directory. The recording is then sent to the server using the com/Titanium/Synchronous/adipiscing service with the "VOCUPLOAD" parameter. In the same manner, the screen's status is monitored and the collected information is sent to the server using the "SCRUPLOAD" feature.

The Trojan is able to block certain calls and to answer calls automatically. In addition, the related information about the phone conversations is removed from the system logs.
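For triage, the component names listed in this description can be matched against an APK's decoded AndroidManifest.xml. The following is an added example, not code from Doctor Web; the sample manifest and its package name are constructed, and checking `<receiver>` entries as well as `<service>` entries is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Component names exactly as written in this description (slash or dot form).
PAGE_NAMES = [
    "com/Titanium/Synchronous/praesunt",
    "com/Titanium/Synchronous/adipiscing",
    "com/Titanium/Synchronous/desine",
    "com/Titanium/Synchronous/factum",
    "com/Titanium/Magister/posursum",
    "com.Titanium.Accipite.pipeline",
]
TITAN_COMPONENTS = {n.replace("/", ".") for n in PAGE_NAMES}

def resolve(name, package):
    """Expand a manifest-relative class name to its fully qualified form."""
    name = name.strip()
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name

def titan_components(manifest_xml):
    """Return the sorted names from this description found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = set()
    # Assumption: receivers are checked too, not only <service> entries.
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            name = comp.get(ANDROID_NS + "name")
            if name and resolve(name, package) in TITAN_COMPONENTS:
                found.add(resolve(name, package))
    return sorted(found)

# Constructed sample manifest; the package name is hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.Titanium">
  <application>
    <service android:name=".Synchronous.praesunt"/>
    <service android:name="com.Titanium.Synchronous.adipiscing"/>
    <receiver android:name=".Accipite.pipeline"/>
    <service android:name=".Sync.Harmless"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for hit in titan_components(SAMPLE):
        print("match:", hit)
```

Class names are easy to change between builds, so an empty result does not clear a sample; a match is a reason to escalate it for full analysis.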

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2019
