trustgo blog

On Oct 17th 2012, TrustGo Security Labs uncovered a new malware on Google Play, named Trojan!FakeLookout.A.

Figure 1

This malware hides itself in the full Application List after installation. It only shows up in the Downloaded app list where it uses Lookout’s icon and the name “Updates”.

Figure 2

This malware can receive and execute commands from remote server.

Server address:

hxxp://[hidden]press.com/controls.php

Commands:

clearFileList

getDir

clearAlarm

getFile

getSize

getTexts

According to remote server’s commands, the malware can steal user’s SMS messages and MMS messagesand upload them to remote server via secure FTP. It will also upload the complete file list from the user’s SD card to the remote server. Then remote server will control the malware to upload specific files. This is a severe threat to user’s privacy and sensitive data.

TrustGo Security Labs successfully accessed the FTP server and discovered uploaded files from some victims. The following is the root directory of the FTP server.

Figure 3

Upon exploring the directories, TrustGo Security Labs found a variety of SMS messages and video files from victims.

 

Figure 4

Based on the static analysis of code and the evidence found on the server, TrustGo positively identified the app as containing malware.

Based on IP address, the server is located in Colorado in the United States.

Further investigation shows remote server hosts a malicious website!

It dropped a backdoor Trojan file (Figure 5) and runs shell code in Windows Powershell. Once the Trojan opens a backdoor, it waits for further commands.

 

Figure 5

The malicious website is targeting multiple platforms including Windows, Mac and Unix/Linux operating systems (see figure 6). It will drop different Trojan files depending on the user’s operating system.

 

Figure 6

The hacker is attacking multiple platforms including Windows, Mac, Unix/Linux operating system and Android. The Android malware found on Google Play is just a part of the attack.