
Trojan:AndroidOS/GGSmart.A


First posted on 18 February 2012.
Source: Microsoft

Aliases:

Trojan:AndroidOS/GGSmart.A is also known as Android.Smart (Dr.Web), Android/GGSmart.A (ESET), Andr/GGSmart-A (Sophos), RootSmart (other), Android.BMaster (Symantec).

Explanation:

Trojan:AndroidOS/GGSmart.A is a trojan that affects devices running Android OS, such as certain mobile phones. The trojan sends device data to a remote server and may download other malware. The trojan may be bundled in other apps that are downloaded from third-party Android markets.





Installation

This trojan may be bundled in other apps that are downloaded from third-party Android markets. Upon installation, it displays the following information on the device, outlining its capabilities and requirements:



Trojan:AndroidOS/GGSmart.A is capable of performing the following actions:

  • Accessing the device's SD card (including modifying and deleting the card contents)
  • Modifying the device's settings and system files
  • Gaining highest privilege on the device's operating system via exploit
  • Downloading and installing other arbitrary and potentially malicious files onto the device
  • Sending phone information to a remote server


Payload

Downloads arbitrary files
The Trojan:AndroidOS/GGSmart.A installer contains encrypted files named "data_2" and "data_3". These files contain the C&C server address from which the trojan can download other possibly malicious applications. The downloaded files may be saved as "shells.zip" and can contain a GingerBreak exploit (CVE-2011-1823), which is executed by a script contained in the code. The exploit is capable of rooting the phone, which provides a vector to silently install other possibly malicious Android package (.APK) files without triggering user suspicion.
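The two static indicators above (opaque assets named "data_2"/"data_3" and the string "shells.zip") lend themselves to a simple triage check over an APK, which is a ZIP archive. The following is an added example written for this page, not code from Microsoft or from the malware: it builds a constructed APK-like archive in memory, then reports any entry whose file name matches the named assets (with a Shannon-entropy reading, since the page says those files are encrypted and encrypted data is close to 8 bits per byte) and any entry whose raw bytes contain the "shells.zip" string. The archive layout, the entropy threshold and the entry contents are assumptions for illustration.

```python
import io
import math
import zipfile
from collections import Counter

# Indicators taken from the description above; everything else here is constructed.
INDICATOR_ASSETS = {"data_2", "data_3"}
INDICATOR_STRINGS = [b"shells.zip"]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.0) -> list:
    """Return a list of findings for the archive given as bytes.

    Each finding is a dict with 'kind' ("indicator_asset" or "indicator_string"),
    'entry' (path inside the archive) and a 'detail' field.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            basename = info.filename.rsplit("/", 1)[-1]
            if basename in INDICATOR_ASSETS:
                ent = shannon_entropy(data)
                findings.append({
                    "kind": "indicator_asset",
                    "entry": info.filename,
                    # High entropy is consistent with the encrypted config described above.
                    "detail": f"entropy={ent:.2f} "
                              f"({'high' if ent >= entropy_threshold else 'low'})",
                })
            for needle in INDICATOR_STRINGS:
                if needle in data:
                    findings.append({
                        "kind": "indicator_string",
                        "entry": info.filename,
                        "detail": needle.decode(),
                    })
    return findings


def build_sample_apk(with_indicators: bool = True) -> bytes:
    """Constructed stand-in for an APK; not a real sample."""
    # Deterministic high-entropy payload (every byte value equally often -> 8.0 bits).
    high_entropy = bytes(range(256)) * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml",
                    b"<manifest package='com.example.constructed'/>")
        zf.writestr("res/raw/readme.txt", b"plain text asset " * 64)
        if with_indicators:
            zf.writestr("assets/data_2", high_entropy)
            zf.writestr("assets/data_3", high_entropy)
            # Fake dex-like blob that embeds the download file name.
            zf.writestr("classes.dex",
                        b"dex\n035\x00" + b"A" * 100 + b"shells.zip" + b"\x00" * 50)
        else:
            zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_apk(build_sample_apk()):
        print(finding)
```

On a real APK you would call `triage_apk(open(path, "rb").read())`; the file-name and string matches are weak on their own, so treat them as triage hints to prioritise a sample for fuller analysis rather than as a verdict.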

Sends device data to a remote server
The malware may gather the following information stored on the device to send to a remote server via HTTP POST:

  • Device ID (IMEI)
  • Process ID (PID) of the malware application
  • Package ID of the malware application
  • Package name of the malware application
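The exfiltration described above is visible on the network side as an outbound HTTP POST whose body carries the device's IMEI together with package details. The following is an added example written for this page, not Microsoft's code or the malware's: it scans a few constructed proxy-log lines and flags POST requests whose form body contains both an IMEI-shaped value (15 digits that pass the Luhn check, as real IMEIs do) and a value shaped like an Android package name. The log line format, the URLs and the parameter names are all assumptions; the check keys off value shape rather than parameter names, because the page does not give the names the trojan uses.

```python
import re
from urllib.parse import parse_qs

# Constructed log format: "<timestamp> <client-ip> <METHOD> <url> body=\"<form body>\""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body="(?P<body>[^"]*)"$'
)
# Android package names: lower-case dotted identifiers with at least two parts.
PACKAGE_RE = re.compile(r'^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$')


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used by IMEI (and payment card) numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_imei(value: str) -> bool:
    return len(value) == 15 and luhn_valid(value)


def classify_post_body(body: str):
    """Return (imei_like_values, package_like_values) found in a form body."""
    values = [v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs]
    return ([v for v in values if looks_like_imei(v)],
            [v for v in values if PACKAGE_RE.match(v)])


def scan_log(lines) -> list:
    """Flag POSTs that carry both an IMEI-shaped and a package-name-shaped value."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        imeis, packages = classify_post_body(m["body"])
        if imeis and packages:
            alerts.append({"src": m["src"], "url": m["url"],
                           "imei": imeis[0], "package": packages[0]})
    return alerts


# Constructed sample lines; the IMEI below is a standard Luhn-valid test value,
# and the hosts are placeholders, not real infrastructure.
SAMPLE_LOG = [
    '2012-02-18T10:00:01Z 10.0.0.5 POST http://c2.example.invalid/upload '
    'body="imei=356938035643809&pid=2331&pkgid=17&pkg=com.example.weather"',
    '2012-02-18T10:00:02Z 10.0.0.5 GET http://news.example.invalid/feed body=""',
    '2012-02-18T10:00:03Z 10.0.0.7 POST http://search.example.invalid/q '
    'body="q=search+terms&page=2"',
    # 15 digits but fails Luhn, so it is not treated as an IMEI.
    '2012-02-18T10:00:04Z 10.0.0.9 POST http://app.example.invalid/register '
    'body="id=123456789012345&app=com.example.game"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The Luhn check matters: without it, any 15-digit field (an order number, a timestamp in milliseconds) would trip the rule, and the package-name requirement keeps ordinary device registration traffic that sends an IMEI alone from being flagged on its own.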




Analysis by Marianne Mallen

Last update 18 February 2012
