{"id":72524,"date":"2011-08-03T11:18:22","date_gmt":"2011-08-03T11:18:22","guid":{"rendered":"https:\/\/localhost\/wordpress\/?p=72524"},"modified":"2011-08-03T11:18:22","modified_gmt":"2011-08-03T11:18:22","slug":"conversation-spying-android-trojan","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/conversation-spying-android-trojan\/","title":{"rendered":"Conversation spying Android Trojan"},"content":{"rendered":"<div>It seems that Android malware is improving day by day. We have received an interesting malware which can store call logs, record whole conversations and even send them to remote computers owned by malicious controllers.<\/p>\n<p>Most of the previous Android malware we have seen has either sent text messages or made calls to various premium service numbers in order to make some easy money.<\/p>\n<p>This particular Trojan records conversations in AMR format, as allowed by the permissions the user has approved.<\/p>\n<p>When the program is installed it requests permissions to allow it to perform the following actions:<\/p>\n<p>Access Cell-ID and WiFi location<img loading=\"lazy\" decoding=\"async\" class=\"alignright\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/archive\/trojan-android-permissions.jpg\" alt=\"\" width=\"250\" height=\"370\" \/><br \/>\nAccess Cell-ID and WiFi updates<br \/>\nAccess GPS location<br \/>\nAccess information about WiFi networks<br \/>\nAllow low-level access to power management<br \/>\nAllow read only access to phone state<br \/>\nAllow the use of PowerManager WakeLocks to keep the processor from sleeping or the screen from dimming<br \/>\nInitiate a phone call without going through the dialer user interface (so that the user is unaware of any outgoing calls made by the Trojan)<br \/>\nMonitor, modify or abort outgoing calls<br \/>\nOpen network sockets<br \/>\nRead SMS messages<br \/>\nRead the user&#8217;s contacts data<br \/>\nRecord audio<br \/>\nSend SMS messages<br \/>\nWrite 
(but not read) the user&#8217;s contacts data<br \/>\nWrite SMS messages<br \/>\nWrite to external storage<\/p>\n<p>When the Trojan is executed it configures itself to start whenever the device boots by waiting for the following command:<br \/>\n<strong>android.permission.ACTION_BOOT_COMPLETED<\/strong><\/p>\n<p>It may then start any of the following services:<\/p>\n<p>GpsService<br \/>\nMainService<br \/>\nRecordService<br \/>\nSocketService<br \/>\nXM_SmsListener<br \/>\nXM_CallListener<br \/>\nXM_CallRecordService<\/p>\n<p>The program then sends an SMS containing the IMEI of the device to the following phone number:<br \/>\n<strong>15859268161<\/strong><\/p>\n<p>It then records the following information:<\/p>\n<p>All phone call content<br \/>\nGPS information<br \/>\nReceived SMS messages<br \/>\nSent SMS messages<\/p>\n<p>The above information is written to the SD card in the following location:<br \/>\n<strong>\/sdcard\/shangzhou\/callrecord\/<\/strong><\/p>\n<p>The gathered information is then sent to the following location on port 2018:<br \/>\n<strong>jin.56mo.com<\/strong><\/p>\n<p>The best defense against this sort of malware is to pay attention to the permissions that an application is asking for. Ask yourself &#8211; does this app really need all these capabilities? If in doubt, say no!<\/p>\n<p>For those who missed our earlier post, we have released our product for Android phones. 
Quick Heal Mobile Security for Android detects the file as <strong>Android.Nickispy.A.<\/strong><\/p>\n<p>To avail the introductory 50% discount offer please visit our <a title=\"Quick Heal Mobile Security\" href=\"https:\/\/www.quickheal.com\/android\"><span style=\"text-decoration: underline;\">Quick Heal Mobile Security page here<\/span><\/a>.<\/p>\n<p>To download the free trial version for your Android device please visit the Android Market after clicking on the following link:<\/p>\n<p><a href=\"https:\/\/market.android.com\/details?id=com.quickheal.platform\"><br \/>\n<img decoding=\"async\" src=\"https:\/\/www.android.com\/images\/brand\/60_avail_market_logo2.png\" alt=\"\" \/><br \/>\n<\/a><\/div>\n<h3><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>It seems that Android malware is improving day by day. We have received an interesting malware which can store call logs, record whole conversations and even send them to remote computers owned by malicious controllers. Most of the previous Android malware we have seen has either sent text messages or made calls to various premium 
[&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,24,60],"tags":[56,57,59,61,67,40],"class_list":["post-72524","post","type-post","status-publish","format-standard","hentry","category-android","category-malware","category-smartphone","tag-android-security","tag-droid-defense","tag-mobile-devices","tag-smartphone-security","tag-third-party-apps","tag-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72524"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=72524"}],"version-history":[{"count":0,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/72524\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=72524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=72524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=72524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}