Stiniter Android Trojan uses new techniques (Mar 28, 2012)
SonicWALL UTM Research team received reports of a new sophisticated Trojan targeting the Android platform. This Trojan, called Stiniter/TGLoader, is a modified version of an Android game with an additional malicious service. During our analysis we found that the Trojan was installing multiple modules (ELF and APK), contacting a remote command and control server and sending messages to a premium rate number.
When the rogue application is run, it in turn installs 4 ELF executable modules and 3 Android applications. The sequence of events on execution is shown below:
The installed Android applications use misleading names and were found to be requesting the following permissions:
- GoogleService:
  - Modify/delete SD card contents
  - Read phone state and identity
  - Start at boot
- GoogleSMS:
  - Send SMS messages
  - Read phone state and identity
- Unlock:
  - Modify/delete SD card contents
  - Read phone state and identity
  - Prevent phone from sleeping
  - Disable keylock
It performs the following activities:
- It drops the following files and modifies their permissions using ‘chmod 777’:
  - /data/data/android.gdwsklzz.com/googleservice.apk
  - /data/data/android.gdwsklzz.com/googlemessage.apk
  - /data/data/android.gdwsklzz.com/unlock.apk
  - /data/data/android.gdwsklzz.com/start
  - /data/data/android.gdwsklzz.com/initr
  - /data/data/android.gdwsklzz.com/keeper
  - /data/data/android.gdwsklzz.com/ts
- It disables keyguard and prevents the processor from going to sleep.
- It remounts the /system/ folder on the device with write privileges.
- It sends device information to a remote server:
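The filesystem-level indicators above (the dropped files under /data/data/android.gdwsklzz.com, the ‘chmod 777’ applied to them, and /system remounted read-write) can be checked on a suspect device from the output of `cat /proc/mounts` and `ls -l` captured over `adb shell`. The triage helper below is an added example, not part of the original advisory or a SonicWALL tool; the sample `mount` and `ls -l` output it parses is constructed, and a read-write /system on its own is only a weak signal, since rooted devices may legitimately have it.

```python
"""Triage helper for the Stiniter/TGLoader filesystem indicators (added example)."""

# Dropped files named in the advisory; the ELF modules are start, initr, keeper and ts.
DROPPED_DIR = "/data/data/android.gdwsklzz.com"
DROPPED_FILES = {"googleservice.apk", "googlemessage.apk", "unlock.apk",
                 "start", "initr", "keeper", "ts"}


def system_mounted_rw(proc_mounts: str) -> bool:
    """True if /system appears in /proc/mounts output with 'rw' among its options.
    Fields are: device, mount point, fstype, comma-separated options, dump, pass."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/system":
            return "rw" in fields[3].split(",")
    return False  # /system not found: treat as not remounted


def world_writable_drops(ls_output: str) -> list:
    """From `ls -l` of DROPPED_DIR, return the known dropped files whose mode
    string grants write to 'other' (the effect of the Trojan's chmod 777)."""
    found = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or len(fields[0]) != 10:
            continue  # not a mode/name line (e.g. 'total 12')
        mode, name = fields[0], fields[-1]
        # Index 8 of '-rwxrwxrwx' is the 'other' write bit.
        if name in DROPPED_FILES and mode[8] == "w":
            found.append(name)
    return found


def triage(proc_mounts: str, ls_output: str) -> dict:
    """Combine both checks; the dropped files are the decisive indicator."""
    drops = world_writable_drops(ls_output)
    return {"system_rw": system_mounted_rw(proc_mounts),
            "dropped_777": drops, "infected": bool(drops)}


# Constructed sample output, modelled on what an infected device would show.
SAMPLE_MOUNTS = """/dev/block/mtdblock3 /system yaffs2 rw,relatime 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0
"""
SAMPLE_LS = """-rwxrwxrwx app_42 app_42 31284 2012-03-28 10:03 googleservice.apk
-rwxrwxrwx app_42 app_42 18120 2012-03-28 10:03 googlemessage.apk
-rw-r--r-- app_42 app_42   512 2012-03-28 10:03 notes.txt
-rwxrwxrwx app_42 app_42  9640 2012-03-28 10:03 keeper
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MOUNTS, SAMPLE_LS))
```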
SonicWALL Gateway AntiVirus provides protection against this threat with the following signature: