NEWS FROM THE LAB - Wednesday, March 2, 2011

New Pjapps Variant
Posted by Response @ 01:38 GMT

A Chinese version of the "Steamy Window" application for Android was recently found repackaged with a malicious routine (Symantec has a good post on it). It appears the malware creator(s) favor this application, as they have already come out with a new variant, which is detected as Trojan:Android/Pjapps.B.

A quick look at this variant shows that the malicious functionalities remain mostly the same, including sending SMS, installing an application, adding bookmarks, and receiving commands from a C&C server.

Here are some screenshots comparing Trojan:Android/Pjapps.A and Trojan:Android/Pjapps.B:

[Image: Pjapps.A installation]

[Image: Pjapps.B installation]

And here's a quick view of the code for both variants, showing clearly enough that Pjapps.A (left) is the original version, with Pjapps.B (right) being "version 2":

[Image: Pjapps info]

Perhaps the most visible change seen is that the new version "automatically starts at boot".
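One way to triage a repackaged app for additions like those described above, as an added example that is not from the original post or from F-Secure's tooling: diff the decoded manifest of the suspect package against the original app's and report new permissions, new components, and new boot-time receivers. Both manifests are constructed samples (not taken from Pjapps), the `com.example` names are hypothetical, and the manifests are assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifests (decoded text XML), not real Pjapps samples.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.window">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.window">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".Main"/>
    <service android:name="com.example.extra.MainService"/>
    <receiver android:name="com.example.extra.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def summarize(manifest_xml):
    """Return (permissions, components, boot-started component names)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    components, boot = set(), set()
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            name = comp.get(ANDROID_NS + "name")
            components.add((tag, name))
            # A component whose intent filter lists BOOT_COMPLETED runs at boot.
            if any(a.get(ANDROID_NS + "name") == BOOT_ACTION for a in comp.iter("action")):
                boot.add(name)
    return perms, components, boot

def diff_manifests(original_xml, suspect_xml):
    """Report what the suspect manifest declares that the original does not."""
    o_perms, o_comps, o_boot = summarize(original_xml)
    s_perms, s_comps, s_boot = summarize(suspect_xml)
    return {
        "added_permissions": sorted(s_perms - o_perms),
        "added_components": sorted(s_comps - o_comps),
        "added_boot_receivers": sorted(s_boot - o_boot),
    }
```
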

This is hardly the first trojanized Android app we've seen (Trojan:Android/Adrd.A). Still, it's one more sign that Android malware is on the rise and, maybe not too surprisingly, the focal point for it seems to be China.

Our Android product detects these two variants with the latest database update.

Response Post by — Zimry