As usual, the first hint of its nature comes in its requested permissions:
On execution, the trojan leaks the following details to http://[...]6.antiddos.biz:
• International Mobile Equipment Identity (IMEI) • Package Name • Phone number • Phone model
These details are also stored in the app package's res\raw folder.
Additionally, when the app is run, if the user clicks the button on the bottom of the screen, SMS messages are sent out to specified premium rate phone numbers — all numbers so far have used the Russia country country code, often specifically the Moscow area. The SMS messages all contain the following text string:
The trojan also downloads a package named love_position_v1.5.0.apk from a remote site: (SHA1: 9cb4cc996fb165055e57e53ab5293c48567e9765)
In our testing, the sample failed to run on the phone to which it was downloaded due to a parsing error:
However, standalone analysis of the downloaded package on a separate, clean test phone showed that it has almost the same behavior as Trojan:Android/SMStado.A, though this one also starts a malicious service in the background on booting up:
Our second malware is Trojan:Android/FakeNotify.A.
It pretends to be an update notifier application. These are the permissions used by the app and how it looks when it is installed on the phone:
Note: Though both Stados.A and FakeNotify.A have the same name (установка), Google Translate says this just means "installation". We think this just indicates that a generic word was used to name these apps, rather than being indicative of a relationship between these malware variants.
Once installed and executed, it displays a message that asks the userís permission to download an application, using the name of a popular mobile game to catch the user's interest:
After clicking the "next" button, FakeNotify immediately sends out three sets of SMS messages in the background. The messages are sent to premium-rate phone numbers in Russia, and contain a text string in the following format:
• [24 digit string].1/316623
The SMS details used came from the database file embedded from the application.
Meanwhile, the user will not see any application download. Instead, another screen will appear that can lead to a website that offers more apps that could potentially be malicious as well: