Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Android.DownLoader.1049.origin

Added to the Dr.Web virus database: 2021-10-22

Virus description added:

SHA1 hash:

  • 7c7b9db22cb09f85371a41a2bce6f730b1fce5d9 (libcore.jar)

Dwscription

A trojan module that malicious actors embed into Android apps. For example, it was found in the firmware updating system app of the Elari Kidphone 4G smart watch. The trojan is used to collect and send a large amount of information about Android devices and their users to the C&C server. It can also download various files upon the C&C server command.

Operating routine

The module represents a libcore.jar file that is encrypted and stored in the application package of the main app. When the device is turned on for the first time, the trojan code (Android.DownLoader.3894) that is embedded into this app decrypts and launches the module. After that, whenever the device is powered on, as well as when the network connectivity is changed, the module is launched automatically.

Upon its launch, the Android.DownLoader.1049.origin connects to the C&C server at hxxps://g[.]sinfoon[.]com:40081/pull with set time intervals. By default, the connection interval is 8 hours but it can be changed with the corresponding server command.

Upon successful connection, the trojan sends a request with the data to the C&C server. The transferred data is packed with GZIP and can include:

  • version—trojan module version
  • session—a 02 constant
  • timestamp—current time
  • utdid—a unique UserTrack Device Identity
  • appid—a RSOTA_APP_ID value from the app’s metadata
  • channel—a RSOTA_CHANNEL_ID value from the app’s metadata
  • man—device manufacturer
  • mod—device model
  • board—device circuit board name
  • imei1—IMEI ID for a GSM device
  • imei2—IMEI ID for a GSM device
  • meid—MEID or ESN ID for a CDMA device
  • osv—an OS version installed on the device
  • carrier1—a unique IMSI ID of the mobile operator subscriber
  • carrier2—a unique IMSI ID of the mobile operator subscriber
  • stubver—a 1.0 constant
  • implver—a 2 constant

In response, the trojan can receive the following commands and parameters:

  • profile—to change general settings:
    • pulse—to change the frequency of requests to connect to the C&C server
    • enable—to disable the trojan module
  • configlist—to change configuration parameters:
    • configtype
    • typeenable
    • captureinterval
    • reportinterval
  • updd—to download the specified file. Possible parameters are:
    • taskid
    • version
    • objecturi
    • objectsize
    • icv

The trojan informs the C&C server about tasks execution results at hxxps://g[.]sinfoon[.]com:40081/result.

Device information transmission

During its operation, the Android.DownLoader.1049.origin sends a large amount of data to the C&C server at hxxps://g[.]sinfoon[.]com:40081/data:

  • version—the trojan module version
  • session—an 02 constant
  • utdid—a unique UserTrack Device Identity
  • appid—a RSOTA_APP_ID value from the app’s metadata
  • channel—a RSOTA_CHANNEL_ID value from the app’s metadata
  • man—device manufacturer
  • mod—device model
  • board—device circuit board name
  • imei1—IMEI ID for a GSM device
  • imei2—IMEI ID for a GSM device
  • meid—MEID or ESN ID for a CDMA device
  • os—an OS installed on the device
  • osv—an OS version installed on the device
  • carrier1—a unique IMSI ID of the mobile operator subscriber
  • carrier2—a unique IMSI ID of the mobile operator subscriber

As well as:

  • appappinfo—the information about installed apps:
    • pkg—app’s package name
    • name—app’s name
    • apver—app’s version
    • instts—app’s installation date
    • usenum—the number of app’s launches
    • usedur—the amount of time the app was used
    • power—used battery charge
    • opents—app’s last launching time
  • dev_id—user IDs:
    • dpid—Google Play Services Android ID
    • mac—a MAC address
    • phoneno—a mobile phone number
    • iccid1—SIM card ID
    • iccid2—SIM card ID
    • imsi1—a unique mobile operator subscriber ID
    • imsi2—a unique mobile operator subscriber ID
  • dev_hw—general device hardware specifications:
    • devtype—device type
    • hwv—hardware name
    • resolution—screen resolution
    • lang—default operating system language
  • dev_behavior—device usage statistics:
    • smsnum—the number of SMS
    • contactsnum—the number of the contacts on the phone book
    • callnum—the number of phone calls
    • traffic—the information about transmitting network traffic:
      • totalrx—the amount of incoming traffic
      • totaltx—the amount of sent traffic
  • dev_loc—geolocation data:
    • gps—the location based on the GPS data
    • cell—the location based on cellular data
  • dev_capa—device hardware usage statistics:
    • romusage—the amount of free internal storage
    • ramusage—the amount of free RAM
    • screenlight—screen brightness level
    • conntype—network connection type
    • batterylevel—battery charge level
    • chargecount—battery charge cycles count
    • dischargecur—battery discharge current
    • fgu—battery parameters (for devices based on the Spreadtrum CPUs)
    • runtime—a total operating time of the device since the last power-on
    • process—processes information:
      • psn—process name
      • bts—process start time
      • ets—process end time
    • cputemper—CPU temperature
    • cpuusage—CPU usage statistics:
      • cpuid—a CPU ID
      • rate—a CPU load
      • freq—a CPU frequency
    • signal—the information about the mobile network:
      • networktype—a network connection type
      • strength—a level of the network signal
    • sensor—the information about device sensors:
      • sensortype—sensor type
      • sensorstatus—if sensor is enabled
    • wcn—if Bluetooth, Wi-Fi or GPS is enabled:
      • wcntype—a transmitter type
      • wcnstatus—the status of the transmitter
    • timestamp—current time
    • boot—time when the device was powered-on

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android