Home / malware Android.Sandorat
First posted on 08 November 2014.
Source: SymantecAliases :
There are no other names known for Android.Sandorat.
Explanation :
Android package file
The Trojan may arrive as a package with the following characteristics:
Package name:
com.gn.cleanmasterprocom.rootuninstaller.ramboosterprocom.piriform.ccleanercom.jasmcole.wifisolvercom.zero1.sandroratcom.gmail.heagoo.apkeditor.procom.zero1.sandroratcom.and.games505.TerrariaPaidcom.flyersoft.moonreaderpcom.devasque.fmountcom.appstar.callrecorderprocom.mg.android APK:
AndroidCleaner.apkSmartRAMBooster.apkCCleaner.apkWiFi Solver FDTD v2.4.apkAPK Editor Pro v1.1.6.apkSandroRat.apkFolder_mount.apkDroidJack.jarAutomatic_call.apkweatherpro_premium_v3.5.apkVersion: Varies
Name: Varies
Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
Read SMS messages on the device. Monitor incoming SMS messages. Open network connections. Use the device's mic to record audio. Read from external storage.Write to external storage devices.Access information about the WiFi state. Check the phone's current state. Create new SMS messages. Access location information, such as GPS information. Access location information, such as Cell-ID or WiFi. Access information about networks. Access the camera. Create new contact data. Read user's contacts data. Send SMS messages. Read user's call log. Write the user's contacts data.Access the list accounts in the Accounts Service.Read user's browsing history and bookmarks. Start once the device has finished booting. Prevent processor from sleeping or screen from dimming. Initiate a phone call without using the Phone UI or requiring confirmation from the user.Access list of current or recently running tasks. Change network connectivity state.
Installation
The Trojan arrives packaged with other trojanized applications and will display the icon of the application it was installed with.
Functionality
The Trojan is a remote administration tool (RAT) that arrives packaged with other trojanized applications.
The Trojan may open a back door on the compromised device, and connect to one of the following locations:
adamat.ddns.net195.3.144.121supervisor.ntdll.netchj6420.ddns.netantony989.ddns.net
The Trojan may steal the following information from the compromised device:
Call logsSMS messagesContact listBrowser historyBooksmarksGPS locationWhatsapp contact listWhatsapp messagesSerial numberDevice numberDevice brandMobile number The Trojan may perform the following actions:
Add contactsDelete contactsAdd SMS messagesDelete SMS messagesSend SMS messagesRecord callsRecord environment soundsTakes picturesRecord videosDownload updates of itselfDownload updates of other applicationsCheck if the compromised device is rootedLast update 08 November 2014
