Trojan:Android/Smspacem.A

Name: Trojan:Android/Smspacem.A
Detection Names: Smspacem, Smspacem.A
Category: Malware
Type: Trojan
Platform: Android

Summary

Trojan:Android/Smspacem.A has a date-triggered payload that sends spam SMS messages to contacts listed on the device and changes the wallpaper.

Disinfection

Automatic

F-Secure Mobile Security blocks installation of this program with default settings.



Manual Removal

Trojan:Android/Smspacem.A can be uninstalled by following the steps below:

  • Go to Settings
  • Go to Applications
  • Go to Manage Applications
  • Select the application
  • Press "Clear data"
  • Press "Uninstall"
  • Select "OK" when asked for confirmation and wait

Additional Details

Trojan:Android/Smspacem.A is a trojanized version of a legitimate application currently available on Android Market.



Installation

During installation, Smspacem.A displays the following permission requests:


[Image: Trojan:Android/Smspacem.A permission requests]


Payload

Smspacem.A has two date-triggered payloads.

If the date is 21st May 2011, Smspacem.A sends one of the following SMS messages to all contacts listed in the phone book:

  • "Cannot talk right now, the world is about to end"
  • "Jebus is way over due for a come back"
  • "Its the Raptures,praise Jebus"
  • "Prepare to meet thy maker,make sure to hedge your bet just in case the Muslims’ were right"
  • "Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage"
  • "Es el fin del mundo"

It changes the wallpaper to an image of an American media personality:


[Image: Trojan:Android/Smspacem.A changes the wallpaper]

If the date is 22nd May 2011, Smspacem.A sends the following SMS message to all contacts listed:

  • "Looks like Jebus is a no show, maybe Judaism was on to something"

It also changes the wallpaper to the following image:


[Image: Trojan:Android/Smspacem.A changes the wallpaper again]

Smspacem.A also contacts the following website using a SOAP request:

  • hxxp://biofaction.no[...].biz/talkto[...].asmx

Once connected, the trojan may receive commands for further operations:

  • If a "formula401" command is received, the trojan attempts to connect to:

    • hxxp://turbobit.[...]/3qijra41b[...].html
    • hxxp://turbobit.[...]/9fzlltk2[...].html
    • hxxp://turbobit.[...]/9c19sk0tc[...].html

  • If a "health" command is received, the trojan sends one of the following SMS messages to all contacts listed:

    • "Cannot talk right now, the world is about to end"
    • "Jebus is way over due for a come back"
    • "Its the Raptures,praise Jebus"
    • "Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right"
    • "Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage"
    • "Es el fin del mundo"
    • "I am infected and alive ver 1.00"
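
The SMS strings listed in this description can serve as an indicator when reviewing a device's sent-message export. The following is an added example, not F-Secure's code: the record format (timestamp, recipient, body), the recipient threshold and the sample records are assumptions constructed for illustration. Bodies are normalised before comparison because the strings appear above with small spacing and punctuation differences.

```python
import re
import unicodedata
from collections import defaultdict

# SMS bodies listed in this description (date payloads and "health" command).
KNOWN_BODIES = [
    "Cannot talk right now, the world is about to end",
    "Jebus is way over due for a come back",
    "Its the Raptures,praise Jebus",
    "Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right",
    "Just saw the four horsemen of the apocalypse and man did they have the worst case of road rage",
    "Es el fin del mundo",
    "Looks like Jebus is a no show, maybe Judaism was on to something",
    "I am infected and alive ver 1.00",
]

def normalise(body):
    """Lower-case and keep only letters and digits, so spacing and
    punctuation variants of the same message compare equal."""
    text = unicodedata.normalize("NFKC", body).lower()
    return re.sub(r"[^a-z0-9]+", "", text)

KNOWN = {normalise(b): b for b in KNOWN_BODIES}

def find_smspacem_sms(sent, min_recipients=2):
    """sent: iterable of (iso_timestamp, recipient, body) tuples (assumed format).
    Returns {day: (recipients, matched_bodies)} for each day on which known
    bodies went to at least min_recipients distinct numbers."""
    days = defaultdict(lambda: (set(), set()))
    for ts, recipient, body in sent:
        known = KNOWN.get(normalise(body))
        if known:
            rcpts, bodies = days[ts[:10]]
            rcpts.add(recipient)
            bodies.add(known)
    return {d: (sorted(r), sorted(b)) for d, (r, b) in days.items()
            if len(r) >= min_recipients}

# Constructed sample export, not real device data.
SAMPLE_SENT = [
    ("2011-05-21T09:00:03", "+15550100", "Prepare to meet thy maker,make sure to hedge your bet just in case the Muslims’ were right"),
    ("2011-05-21T09:00:04", "+15550101", "Prepare to meet thy maker, make sure to hedge your bet just in case the Muslims were right"),
    ("2011-05-21T12:30:00", "+15550102", "Running late, see you at 8"),
    ("2011-05-22T09:00:01", "+15550100", "Looks like Jebus is a no show, maybe Judaism was on to something"),
]

if __name__ == "__main__":
    for day, (who, bodies) in find_smspacem_sms(SAMPLE_SENT).items():
        print(day, len(who), "recipients:", bodies)
```
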