Analysis of the pseudo "Student transcript" Agent Trojan
Review:
As graduation season approaches, student transcripts are always a focus of parents' attention. Alibaba Mobile Security Lab previously discovered a malicious app disguised as a "transcript" that tricked students by text message; for details, see the earlier analysis report on that disguised trojan.
Alibaba Money Security recently discovered an "agent" variant of this Trojan, disguised as a "student transcript" or "transcript", that tricks users into installing it.
Unlike the usual SMS-stealing trojans, the "agent" variant uses a stealthier method of propagation: the proxy. After the user installs it, the trojan not only uploads the user's text messages, contacts and other sensitive content to a remote server in real time, it also sends spoofed text messages carrying Trojan links to other users on remote instruction from the criminals. The recipients see the earlier victim as the sender of the link, while the criminals remain invisible.
I. Trojan Overview
The trojan's defining feature is that the victim who installed it becomes the agent. Using text-message instructions, the Trojan developer remotely directs the agent's phone number to send malicious messages, such as Trojan download links, to specified numbers, spreading the trojan through the victim's circle of friends to steal privacy. The hackers stay hidden behind the scenes and remotely control agents who do not know they are agents. Every phone the trojan controls has its data stolen, causing great harm.
II. Trojan Analysis
2.1 The desktop icon after the trojan is installed on the phone, and the screen it shows when asking the user to activate the Device Manager (device administrator):
2.2 The "agent" Trojan also induces the user to activate the Device Manager and hides its desktop icon after activation. This lowers the user's guard and makes the trojan harder to remove, protecting the attacker's ongoing theft of the user's private information:
2.3 Once the "agent" Trojan is installed successfully, it notifies the hacker with a "Service Startup" text message and uploads the same notice to the server.
We captured the network traffic of a real device with the trojan installed; the packet capture and the corresponding code are shown below:
2.4 After the trojan runs, it illegally steals the phone user's private information, such as the address book, the SMS inbox and the SMS sent folder, and sends it back to the server specified by the trojan developer:
2.4.1 The trojan steals every text message in the user's SMS inbox and uploads them all to the server specified by the trojan developer, where criminals extract valuable private information for illegal profit:
2.4.2 The trojan also steals every text message in the user's SMS sent folder and uploads them to the developer's server for further illegal profit:
2.4.3 The trojan also steals the user's contacts and uploads them to the remote server, giving the hackers a list of targets for recruiting the next agent. With the information they hold, the hackers extract money from the victim and at the same time exploit the victim's credibility to deceive and defraud people in his circle of friends.
In short, this trojan illegally steals users' private information and uploads it to the server specified by the trojan developer. The code logic for uploading to the server is as follows:
2.5 The criminals remotely manipulate users who have installed the Trojan through text-message commands. The trojan parses each command SMS, extracts the target phone number and the malicious message text from it, and intercepts the command message so the user never sees it. It then sends the parsed malicious text from the agent's infected phone to the phone number specified in the instruction. The malicious behaviour of this trojan is characteristic: text messages containing the Trojan download link or other fraud content are sent through the victim as a proxy, which not only shields the criminals but also raises the success rate of the fraud and of the Trojan's propagation:
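As an added defensive example (not code from the original report or from Alibaba), the following Python script checks an AndroidManifest.xml for the combination of declarations that the behaviours in sections 2.2, 2.4 and 2.5 require: SMS receive/send and contact permissions, a device-administrator receiver, and a high-priority SMS_RECEIVED receiver able to intercept messages before the messaging app. The sample manifest and its package name are constructed, not taken from the real trojan.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the behaviours described above (hypothetical sample,
# not the real trojan's): SMS interception/sending, contact theft, device-admin activation.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake_transcript">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Transcript">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def manifest_indicators(manifest_xml):
    """Return the set of SMS-agent indicators declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = set()
    for p in ("RECEIVE_SMS", "READ_SMS", "SEND_SMS", "READ_CONTACTS"):
        if "android.permission." + p in perms:
            found.add(p)
    for recv in root.iter("receiver"):
        # A receiver guarded by BIND_DEVICE_ADMIN is the device-administrator hook (section 2.2).
        if recv.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found.add("DEVICE_ADMIN")
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                found.add("SMS_RECEIVER")
                # A very high priority lets the app see the SMS broadcast before the messaging app (section 2.5).
                if int(flt.get(ANDROID + "priority", "0")) >= 1000:
                    found.add("HIGH_PRIORITY_SMS_RECEIVER")
    return found

def is_sms_agent_profile(manifest_xml):
    # The full combination of receiving, sending, contacts and interception is the agent-trojan profile.
    required = {"RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "HIGH_PRIORITY_SMS_RECEIVER"}
    return required <= manifest_indicators(manifest_xml)
```

A single indicator (an SMS receiver, say) is normal for a messaging app; it is the full combination, together with a device-admin receiver in an app that has no reason to need one, that warrants a closer look.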
2.6 The logic flow of how hackers make illegal profit through this proxy trojan is shown in the following chart:
III. Summary:
This trojan spreads by sending text-message links through the victim as a proxy. It induces users to click, download and install it, leaking the user's private information and posing a serious security risk. The Alibaba Money Security Team reminds users not to click links in text messages lightly, especially links sent by familiar friends, to avoid the danger of mobile phone viruses. In addition, Alibaba Money Security already fully blocks and removes this family of mobile phone viruses, as shown below: