SHA1
- cc832d04b6b7fd5f3fcf7265fc2f091a426a3351 – com.adups.fota package
- 2f01be010f04cd7f7744932b1d30cfbfe000ad09 – com.adups.fota.sysoper package
Android.Spy.332.origin is an application that updates the firmware of Android devices over the air (OTA); because of that role it has extended system privileges and functions. The application can covertly download, install, and remove software, execute shell commands, and transmit information about the memory space on the device's internal and external storage as well as a list of installed applications. The program was not initially designed for malicious activity; however, one of its latest versions, which was preinstalled on some smartphones (for example, the BLU R1 HD), started performing Trojan functions, implemented in the associated program packages com.adups.fota (main package) and com.adups.fota.sysoper (auxiliary package).
Every 72 hours, Android.Spy.332.origin sends the following data to the command and control server:
- getSmsInPhone – information on existing SMS messages;
- getCallLogList – information on phone calls made (the call log);
- getMessageData – content of SMS messages;
- getCellIDInfo (getBaseStationId/getCid) – information on the current mobile operator station;
- mapNetworkTypeToType ("UNKNOWN";"GPRS";"EDGE"; "UMTS";"CDMA"; "EVDO_0"; "EVDO_A";"1xRTT"; "HSDPA";"HSUPA";"HSPA";"IDEN"; "EVDO_B"; "LTE"; "EHRPD";"HSPAP";"WIFI") – information on a mobile network type;
- getRomMemroy – information on internal memory space;
- getRamUsedDetail – information on RAM amount;
- getSDCardMemorySize – information on SD card memory space;
- isRootSystem – information on availability of root privileges;
- querySysAppInfo – information on the installed system applications;
- queryDataAppInfo – information on the installed user applications;
- getRunningProcess – information on the running processes;
- getDfBrowser – information on a current default browser;
- getDfLauncher – information on the current default graphical shell (launcher);
- hasShortCut – information on all existing shortcuts on the home screen.
To collect data on SMS messages and phone calls, the main module of Android.Spy.332.origin sends a request to the auxiliary one, which registers a content provider under the authority com.ad.dinfo. Through this provider the auxiliary module exposes content://com.ad.dinfo/msg, and the main module thereby gains access to all SMS messages (content://sms). The Trojan obtains the phone call history using the same technique.
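The two indicators a defender can check statically are the package names named above and the com.ad.dinfo provider authority. The following scanner is an added example (not Dr.Web's analysis tooling or the Adups code); it assumes the manifest has already been decoded from binary XML to plain XML (for example with apktool), and the manifest it scans is a constructed sample, not one taken from a real APK.

```python
"""Flag the manifest indicators described for Android.Spy.332.origin.

Added example; assumes a manifest already decoded to plain XML.
The sample manifest below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicators taken from the description above.
KNOWN_PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper"}
KNOWN_AUTHORITY = "com.ad.dinfo"
# Permissions a firmware updater has no legitimate need for (our judgement call).
SUSPECT_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample manifest (not from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.adups.fota.sysoper">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <provider android:name=".DInfoProvider"
              android:authorities="com.ad.dinfo"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def scan_manifest(xml_text):
    """Return a sorted list of indicator strings found in the manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    package = root.get("package", "")
    if package in KNOWN_PACKAGES:
        findings.append("package:" + package)

    for perm in root.iter("uses-permission"):
        name = attr(perm, "name")
        if name in SUSPECT_PERMISSIONS:
            findings.append("permission:" + name)

    for prov in root.iter("provider"):
        # android:authorities may carry several values separated by ';'
        authorities = attr(prov, "authorities") or ""
        for authority in authorities.split(";"):
            if authority.strip() == KNOWN_AUTHORITY:
                exported = attr(prov, "exported")
                findings.append("provider:%s exported=%s" % (authority.strip(), exported))

    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Matching on the provider authority is the more durable check: a rebuilt package can be renamed, but the main module still has to address the auxiliary one by the content URI it was written against.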
All information collected by the Trojan is saved to SQLite-like databases, which are then converted into JSON files, placed in one directory, and sent to the remote server as a zip archive. All transferred data is first Base64-encoded and then encrypted with DES.
The Trojan sends data in the following format:
- DcMobileStatus.json – {cell, apn, romused, ramused, builtinsdused, scused, root, dctime} – general information about a mobile device;
- DcApp.json – {systemapps, dataapps, appused, dflauncher, dfbrowser, desktopshortcut, dctime} – information about the installed applications;
- DcTellMessage.json – {tells, messages, dctime} – information about the phone calls and a list of contacts involved in SMS messaging;
- DcAppOp.json – {packagename, op, optime} – information about the history of installing and removing applications;
- dc_app_flow.json – {appname, pkg_name, flow, dctime} – the amount of data sent and received by applications since the system was booted;
- dc_msg_key.json – {tell, md5, msg_type, dc_type, keyword, msg_date, dc_date} – information about SMS messages including their content;
- DcRootInfo.json – {bin, xbin} – information about all files located in the system directories system/bin and system/xbin.
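The file names and field sets above are enough to triage a captured upload once it has been unwrapped. The script below is an added example (not Dr.Web's or Adups' code); it assumes the DES layer has already been removed and the Base64 decoded, so what remains is the plain zip archive of JSON reports described above. The archive it inspects is constructed in memory, and the decision that the two message/call reports count as personal-data exfiltration is ours.

```python
"""Triage a decrypted Android.Spy.332.origin upload archive.

Added example; assumes the DES and Base64 layers are already stripped
and the input is the plain zip of JSON reports. Sample data is constructed.
"""
import io
import json
import zipfile

# File name -> expected fields, as listed in the description above.
REPORT_SCHEMAS = {
    "DcMobileStatus.json": {"cell", "apn", "romused", "ramused",
                            "builtinsdused", "scused", "root", "dctime"},
    "DcApp.json": {"systemapps", "dataapps", "appused", "dflauncher",
                   "dfbrowser", "desktopshortcut", "dctime"},
    "DcTellMessage.json": {"tells", "messages", "dctime"},
    "DcAppOp.json": {"packagename", "op", "optime"},
    "dc_app_flow.json": {"appname", "pkg_name", "flow", "dctime"},
    "dc_msg_key.json": {"tell", "md5", "msg_type", "dc_type", "keyword",
                        "msg_date", "dc_date"},
    "DcRootInfo.json": {"bin", "xbin"},
}

# Reports whose presence means message or call data left the device (our classification).
PII_REPORTS = {"DcTellMessage.json", "dc_msg_key.json"}


def build_sample_archive():
    """Constructed archive: two known reports (one missing a field) plus a stray file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DcMobileStatus.json", json.dumps({
            "cell": "lac=0,cid=0", "apn": "WIFI", "romused": 1024, "ramused": 512,
            "builtinsdused": 2048, "scused": 0, "root": 0,
            "dctime": "2016-11-15 10:00:00"}))
        # dctime deliberately omitted to exercise the missing-field report
        zf.writestr("DcTellMessage.json", json.dumps({
            "tells": [], "messages": [{"address": "+10000000000", "body": "constructed"}]}))
        zf.writestr("unrelated.txt", "not a report")
    return buf.getvalue()


def triage_archive(data):
    """Describe which known reports a (decrypted) archive holds.

    Returns {'matched': {name: [missing fields]}, 'unknown': [other members],
             'pii_exfiltrated': bool}.
    """
    result = {"matched": {}, "unknown": [], "pii_exfiltrated": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            schema = REPORT_SCHEMAS.get(name)
            if schema is None:
                result["unknown"].append(name)
                continue
            try:
                doc = json.loads(zf.read(name))
            except ValueError:
                # Unreadable JSON: record the file but treat every field as missing.
                result["matched"][name] = sorted(schema)
                continue
            # A report may be a single object or a list of records; union their keys.
            present = set()
            for record in doc if isinstance(doc, list) else [doc]:
                if isinstance(record, dict):
                    present |= set(record)
            result["matched"][name] = sorted(schema - present)
            if name in PII_REPORTS:
                result["pii_exfiltrated"] = True
    return result


if __name__ == "__main__":
    print(json.dumps(triage_archive(build_sample_archive()), indent=2))
```

Reporting missing fields rather than rejecting a file outright is deliberate: a later build of the uploader may add or drop a field, and the file name plus a partial key match is still a strong signal that the archive came from this family.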