
TrojanSpy:AndroidOS/FakeSecSuit.A


First posted on 18 July 2012.
Source: Microsoft

Aliases:

TrojanSpy:AndroidOS/FakeSecSuit.A is also known as Android.Fakesecsuit (Symantec), Android/Spy.Zitmo.A (ESET), Trojan-Spy.AndroidOS.Zitmo.a (Kaspersky), TrojanSpy.ANDROID.Zitom.Gen (VirusBuster).

Explanation:



TrojanSpy:AndroidOS/FakeSecSuit.A is a data-stealing trojan that affects mobile devices running the Android operating system. It poses as a security application, but its actual purpose is to change device settings and steal information about your mobile device, which it then sends to a remote server over the device's Internet connection.



Installation

TrojanSpy:AndroidOS/FakeSecSuit.A may be distributed through a website, the Google Play store or via a spam SMS. It poses as a legitimate security application, and in the wild we have seen it use the following file names:

  • criptomovel.apk
  • seguridad.apk


On installation, it requests permission to access your data (including SMS messages and phone call logs), send SMS messages, access the Internet, change your device's settings and perform other functions, as follows:

After successful installation, it can appear as the following application icon on your device:

When you launch the application, it shows a prompt asking you to activate a certain code. This is a fake screen that it displays while it performs its payload in the background, and looks like the following:

Payload

Steals sensitive information

TrojanSpy:AndroidOS/FakeSecSuit.A steals the following information that it saves in a database on your device as /data/data/com.android.security/secsuite.db:

  • Data from SMS messages located in your device's SMS inbox, such as phone numbers, message text, the date and time of messages and so on
  • The device's ID (this is a unique code that identifies your device to your service provider's network)
  • The device's manufacturer
  • The version of the Android operating system installed on your device
  • Your phone number
  • Your Subscriber ID (this is a unique code that identifies your device to websites that you visit)


Connects to a remote server

Using your device's Internet connection, it sends the database information to the remote server hxxp://androidupdate.com/biwdr.php.
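The indicators named in this entry (the database path, the dropped APK file names and the remote server) can be turned into a simple host and proxy-log check. The script below is an added example and is not code from Microsoft or from the malware write-up; it assumes the package name is `com.android.security` (inferred from the database path above), that the URL in the entry is defanged `http`, and it runs against constructed sample data rather than a real device.

```python
"""Added example: match the indicators from this write-up against constructed
device inventory and proxy-log data. Not part of the original entry."""
import re
from dataclasses import dataclass

# Indicators quoted from the write-up.
DB_PATH = "/data/data/com.android.security/secsuite.db"
APK_NAMES = {"criptomovel.apk", "seguridad.apk"}
C2_HOST = "androidupdate.com"   # from the defanged hxxp://androidupdate.com/biwdr.php
C2_PATH = "/biwdr.php"
# Assumption: the package name is the directory under /data/data/ in DB_PATH.
PACKAGE_NAME = DB_PATH.split("/")[3]


@dataclass(frozen=True)
class Finding:
    kind: str       # "package", "database", "apk" or "c2"
    evidence: str   # the input line that matched


def check_installed_packages(packages):
    """packages: package names, optionally in `pm list packages` form ("package:<name>")."""
    findings = []
    for p in packages:
        name = p[len("package:"):] if p.startswith("package:") else p
        if name == PACKAGE_NAME:
            findings.append(Finding("package", p))
    return findings


def check_file_paths(paths):
    """paths: absolute file paths from a device file listing or backup."""
    findings = []
    for p in paths:
        if p == DB_PATH:
            findings.append(Finding("database", p))
        elif p.rsplit("/", 1)[-1].lower() in APK_NAMES:
            findings.append(Finding("apk", p))
    return findings


# Constructed proxy-log layout: "<timestamp> <client-ip> <method> <url>".
PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def _host_of(url):
    """Extract the lower-cased host name from a URL (no port, no path)."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":")[0].lower()


def check_proxy_log(lines):
    """Flag requests to the remote server named in the write-up (host or subdomain)."""
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        host = _host_of(m.group("url"))
        if host == C2_HOST or host.endswith("." + C2_HOST):
            findings.append(Finding("c2", line.strip()))
    return findings


def scan_all(packages, paths, proxy_lines):
    """Run every check and return the combined list of findings."""
    return (check_installed_packages(packages)
            + check_file_paths(paths)
            + check_proxy_log(proxy_lines))


# Constructed sample data (not captured from a real device).
SAMPLE_PACKAGES = ["package:com.android.chrome", "package:com.android.security"]
SAMPLE_PATHS = [
    "/sdcard/Download/seguridad.apk",
    "/data/data/com.android.security/secsuite.db",
    "/sdcard/Download/notes.txt",
]
SAMPLE_PROXY_LOG = [
    "2012-07-18T10:00:01Z 10.0.0.5 GET http://example.org/index.html",
    "2012-07-18T10:00:07Z 10.0.0.5 POST http://androidupdate.com/biwdr.php",
    "malformed line with no url",
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_PACKAGES, SAMPLE_PATHS, SAMPLE_PROXY_LOG):
        print(f"{f.kind:9s} {f.evidence}")
```

On the constructed sample the scan reports one finding of each kind (package, database, apk, c2). The host comparison deliberately accepts subdomains of the server name, and the file-name check is case-insensitive, since both are cheap ways for a sample to slip past an exact-string match.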

Contacts remote host

The application can also receive hidden SMS instructions from the remote server to perform the following:

  • Uninstall the application from your device
  • Check the installed version of the application, detected as TrojanSpy:AndroidOS/FakeSecSuit.A
  • Enable the application or, after checking the version, update and then re-enable the application

Additional information

You can uninstall the application in the same manner as for other Android applications, through the Applications menu in Settings.

The application can also be force-closed through the Task Manager.



Analysis by Marianne Mallen

Last update 18 July 2012
