Trojan/Android.Raden.a [SMS] Analysis Report

Source: Internet
Author: User

Source: CERT lab

I. Basic Information


Virus name: Trojan/Android.Raden.a [SMS]
Virus type: SMS fee-deduction Trojan
Sample MD5: acbcad1_94de7e877b656db1c28ada2
Sample Length: 782,964 bytes
Time detected: 2011.05.12
Infected systems: Android 1.5 and later



II. Overview
The Raden Trojan appeared on the official Android Market for Android phones. It is disguised as a calendar application named iCalendar (Chinese name "Rabbit Calendar") and in fact sends fee-deducting text messages. Specifically, when the user browses to the month of May in the calendar, the software sends a text message with the content "921X1" to the number 1066185829, which is a premium-rate service number. In addition, Raden intercepts incoming text messages from numbers such as 10086, 10010, 10000 and 1066185829, so the user cannot discover that the phone is being charged maliciously.
The Raden Trojan was present on the official market for at least 23 days. Google subsequently removed all 13 applications published by the author "zsone". This is the second time since the DroidDream Trojan (also known as Rootcager) outbreak in early March this year that malicious code has appeared in the official market.
The AVL SDK for Android mobile anti-virus software provided by CERT is available for download and can detect and remove this Trojan.

III. Sample Features
1. Sensitive permissions
android.permission.RECEIVE_SMS: receive SMS messages
android.permission.SEND_SMS: send SMS messages
2. Entry points and malicious modules
The activity com.mj.iCalendar.iCalendar is the program's main activity; it contains the code that sends the fee-deduction text message to the specified number.
The receiver com.mj.iCalendar.SmsReceiver is triggered by the android.provider.Telephony.SMS_RECEIVED event and intercepts text messages sent from the specified numbers.
3. Sensitive strings
Intercepted sender numbers: "10086", "10000", "10010", "1066185829", "1066133" and "106601412004"
Target number and message content for sending: "1066185829" and "921X1"
4. Services started
None
5. Network features
None
IV. Behavior Analysis
1. Message interception
When the user's phone receives a text message, the receiver com.mj.iCalendar.SmsReceiver is started and checks the sender number. If the message comes from any of 10086, 10000, 10010, 1066185829 or 1066133, abortBroadcast() is called so that the message never reaches the user; the user therefore cannot receive verification codes or related information, which disrupts the affected functions and business applications. The specific malicious code is as follows:

2. Sending a message to a specified number
When the user starts the "Rabbit Calendar" application and taps the screen five times (that is, the first time the view switches to the calendar detail for May 1), the malicious code runs: it sends the message "921X1" to the specified number "1066185829" and, through save(), updates the State value in the current system to "Y" so that only one message is ever sent.
The code that triggers the calendar view (month) switch event is as follows:

The code that triggers the message-sending call is as follows:

The code is as follows:

The code that triggers the event updating the State value is as follows:
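The sample's own code listings did not survive on this page. As an added example (not from the report or the CERT lab), the following Python triage script shows how a defender can check an APK's decoded manifest and string dump for the indicators the report lists: the RECEIVE_SMS/SEND_SMS permission pair, a receiver bound to SMS_RECEIVED, the intercepted sender numbers and the "1066185829"/"921X1" premium pair. The manifest fragment and string dump are constructed for the example and model the report's entry points; they are not the real sample's files.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Indicator strings taken from the report above.
INTERCEPTED_NUMBERS = {"10086", "10000", "10010", "1066185829", "1066133", "106601412004"}
PREMIUM_NUMBER, PREMIUM_BODY = "1066185829", "921X1"

# Constructed manifest fragment modelled on the report's entry points (not the sample's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.mj.iCalendar">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name="com.mj.iCalendar.iCalendar"/>
    <receiver android:name="com.mj.iCalendar.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed string dump, of the kind a strings pass over classes.dex would produce.
SAMPLE_STRINGS = "Lcom/mj/iCalendar/SmsReceiver;\n10086\n10010\n1066185829\n921X1\nabortBroadcast\n"


def manifest_findings(xml_text):
    """Flag the RECEIVE_SMS/SEND_SMS pair and any receiver bound to SMS_RECEIVED."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        findings.append("requests both RECEIVE_SMS and SEND_SMS")
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if SMS_RECEIVED in actions:
            findings.append("SMS_RECEIVED receiver " + rcv.get(ANDROID_NS + "name"))
    return findings


def string_findings(dump):
    """Report which Raden indicators appear as whole tokens in a string dump."""
    tokens = set(dump.split())
    return {"intercepted_numbers": sorted(INTERCEPTED_NUMBERS & tokens),
            "premium_sms_pair": PREMIUM_NUMBER in tokens and PREMIUM_BODY in tokens,
            "abort_broadcast": "abortBroadcast" in tokens}
```

The permission pair alone is common in legitimate SMS apps; it is the combination with an SMS_RECEIVED receiver and the hard-coded premium number and body that matches this sample.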

V. Removal
The AVL SDK for Android mobile anti-virus software provided by CERT can be downloaded to detect and remove this Trojan.
