SHA1 hash:
- ce71efb93cf4d79bf431d8edfbae7b8b7b55fe44
Description
This trojan spyware for Android devices was detected in a modified version of the Alpine Quest cartographic program. Threat actors altered this version to include a spy component that collects confidential user data, including location information and phonebook contacts, and sends it to them.
Operating routine
When the program is first launched, Android.Spy.1292.origin requests permission to access the external storage and other necessary permissions; it also requests that the battery optimization function be disabled for the app.
After acquiring all the permissions it needs, Android.Spy.1292.origin logs user contact data and information about all the files in the external storage; the collected information is written into dictionaries stored in the spy’s working directory resp_dir.
Android.Spy.1292.origin uses the Parse SDK to collect and exchange data with its C&C server. The trojan creates a separate thread via the Serv class. In this thread, the connection to the server is initialized using the following hardcoded parameters:
- C&C server address (hxxps[:]//detect-infohelp[.]com/parse/);
- App ID;
- Client key.
Next, it updates the general user information and registers the device on the C&C server. The trojan calls the connectToBase method, which collects and sends the following data:
- Current date;
- User mobile phone number and user accounts;
- App version.
The trojan then calls the sendDataToSrv method to send files to the C&C server. It crawls the resp_dir directory and sends the server whatever collected-data objects are available there:
- The log containing data about the files;
- The log containing data about the phonebook’s contacts.
After that, Android.Spy.1292.origin calls the requestTask method to check whether additional malicious modules are available for download from the C&C server. If the server confirms that modules are available, the trojan downloads them and dynamically executes them via DexClassLoader. While analysing the trojan, we discovered, among other things, modules for stealing attacker-specified user files, in particular confidential documents.
Next, the trojan uses the pingTele method to duplicate information about the user in the Telegram bot hxxps[:]//api[.]telegram[.]org/bot****95****:****hij-*****_Z5*****HijN4y*****/. The following data is sent to it:
- Current date;
- User mobile phone number and user accounts;
- App version.
Android.Spy.1292.origin also monitors the geolocation of an infected device and any changes in its location via GPS and mobile networks, sending the corresponding information to the C&C server and the Telegram bot. Location logging is performed every time the app is launched and via the onLocationChanged method, which is called when the location changes.
The trojan also implements a noteLocation method, which the spy uses to record all locations to a separate file. If this file’s size exceeds 100 megabytes, it is deleted and replaced with a new one.
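The two network indicators this report gives (the hardcoded Parse C&C address and the Telegram Bot API endpoint) are enough for a simple egress-log check. The following is an added example, not code from the report or from the trojan: it scans constructed proxy log lines for traffic to the C&C host and for Telegram Bot API calls, and redacts the bot secret in the alert it returns. The log format, the sample URLs and the bot token value are assumptions; the token pattern is the public Bot API format `<numeric id>:<secret>`.

```python
"""Egress-log check for the Android.Spy.1292.origin indicators named in the
report above. Added example: the sample log lines and URL paths are
constructed, and the bot token is a dummy value."""
import re
from urllib.parse import urlsplit

# Indicators from the report, refanged. The report masks the real bot token,
# so we match the generic Telegram Bot API token shape instead.
C2_HOSTS = {"detect-infohelp.com"}
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/")

# Constructed sample log: "<timestamp> <client_ip> <method> <url>"
SAMPLE_LOG = """\
2025-04-22T10:01:02Z 10.0.0.7 POST https://detect-infohelp.com/parse/
2025-04-22T10:01:05Z 10.0.0.7 GET https://api.telegram.org/bot123456789:AAExampleTokenValue_abc/sendMessage?text=ping
2025-04-22T10:02:11Z 10.0.0.9 GET https://maps.example.net/tiles/12/2048/1365.png
"""


def redact_token(token: str) -> str:
    """Keep only the numeric bot id; the secret must never land in an alert."""
    bot_id, _, _secret = token.partition(":")
    return f"{bot_id}:<redacted>"


def scan_proxy_log(log_text: str) -> list[dict]:
    """Return one alert dict per log line that matches a report indicator."""
    alerts = []
    for line in log_text.splitlines():
        try:
            ts, client, method, url = line.split(maxsplit=3)
        except ValueError:
            continue  # malformed line: skip rather than crash the sweep
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in C2_HOSTS:
            alerts.append({"ts": ts, "client": client, "rule": "spy1292_c2",
                           "host": host, "path": parts.path})
            continue
        m = TELEGRAM_BOT_RE.match(parts.path) if host == "api.telegram.org" else None
        if m:
            alerts.append({"ts": ts, "client": client, "rule": "telegram_bot_exfil",
                           "host": host, "bot": redact_token(f"{m.group(1)}:{m.group(2)}")})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

Legitimate apps also use the Telegram Bot API, so the second rule is a lead to correlate with the originating package rather than a verdict on its own.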