Softpedia
 


April 30th, 2012, 12:04 GMT

Cybercriminals Control Android TigerBot Via SMS


Tigerbot deactivation screen
At the beginning of April, security researchers found that a number of shady Chinese Android stores were pushing apps that masked a piece of malware called TigerBot (ANDROIDOS_TIGERBOT.EVL).

Also known as Spyera, the malicious element was analyzed by Trend Micro experts. They discovered that the malware was controlled by its masters via SMS or phone calls, being capable of performing a number of tasks, including call recording and GPS tracking.

The list of commands accepted by TigerBot includes DEBUG, CHANGE_IAP, PROCESS_LIST_ADD, PROCESS_LIST_DELETE, ACTIVE, and DEACTIVE.

Let’s take a closer look at these commands. First, DEBUG allows the cybercriminals to learn the names of the currently running processes and TigerBot’s configuration, and to check the network status.

When the malware receives the CHANGE_IAP command, it connects to the network by changing the infected device’s Access Point Name. Depending on whether the action is successful or not, the attacker receives an SMS with the task’s status.

The code for PROCESS_LIST_ADD and PROCESS_LIST_DELETE doesn’t seem to be complete, but the keywords are basically designed to manage processes. The processes added to the list are killed every 5 minutes.

The ACTIVE command, as you may suspect, activates TigerBot. When the string is sent, the malicious element sends an HTTP POST containing the phone’s IMEI, app key, timestamp and signature to the backend server.

In order to deactivate TigerBot, a phone call to *#[key] must be placed.

There is another list of SMS commands that can be sent to the malware. For instance, UPLOAD_NETWORKINFO returns GSM and CDMA location. SEND_MSG_TO_TARGET sends an SMS to a certain number with arbitrary content.

If the cybercrooks want to restart the device or take a screenshot, they can use commands such as RESTART_DEVICE and CAPTURE_IMAGE.

Android users who want to verify if a TigerBot infection is present can send a DEBUG command to the phone. To do this, simply take another phone, write "* *" in a text message and send it to the device you want to check. If a list of processes is returned, you are a victim.
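The command keywords listed above can also be used to triage an exported SMS inbox. The following is an added example, not code from Trend Micro or from this article; it assumes the keywords appear literally in the message body (the exact message format is not given here), and the name `triage`, the confidence rating and the sample messages are constructed for illustration.

```python
import re
from collections import defaultdict

# Command keywords exactly as named in the article, with the behaviour it describes.
COMMANDS = {
    "DEBUG": "reports running processes, configuration, network status",
    "CHANGE_IAP": "changes the Access Point Name",
    "PROCESS_LIST_ADD": "manages the list of processes to kill",
    "PROCESS_LIST_DELETE": "manages the list of processes to kill",
    "ACTIVE": "activates the bot and triggers an HTTP POST to the backend",
    "DEACTIVE": "listed as an accepted command",
    "UPLOAD_NETWORKINFO": "returns GSM and CDMA location",
    "SEND_MSG_TO_TARGET": "sends an SMS with arbitrary content",
    "RESTART_DEVICE": "restarts the device",
    "CAPTURE_IMAGE": "takes a screenshot",
}
# Capitalised words that also occur in ordinary messages (assumption of this example).
AMBIGUOUS = {"DEBUG", "ACTIVE"}

# Whole upper-case tokens only: DEACTIVE must not also count as ACTIVE, and
# lower-case words such as "debug" or "active" are ignored.
_alternatives = "|".join(sorted(COMMANDS, key=len, reverse=True))
TOKEN = re.compile(r"(?<![A-Za-z0-9_])(" + _alternatives + r")(?![A-Za-z0-9_])")

def triage(messages):
    """messages: iterable of (sender, body). Returns a per-sender report."""
    hits = defaultdict(list)
    for sender, body in messages:
        hits[sender].extend(TOKEN.findall(body))
    report = {}
    for sender, cmds in hits.items():
        if not cmds:
            continue
        strong = any(c not in AMBIGUOUS for c in cmds)
        report[sender] = {"commands": cmds,
                          "confidence": "high" if strong else "low"}
    return report

# Constructed sample inbox export (sender, body); not real traffic.
SAMPLE = [
    ("+10000000001", "*key*UPLOAD_NETWORKINFO"),
    ("+10000000001", "DEBUG"),
    ("+10000000002", "Your account is ACTIVE now"),
    ("+10000000003", "please debug the build and stay active"),
    ("+10000000004", "DEACTIVE"),
]

if __name__ == "__main__":
    for sender, info in triage(SAMPLE).items():
        print(sender, info["confidence"], info["commands"])
```

A sender rated "low" matched only a keyword that is also an everyday word, so it needs a manual look before drawing any conclusion.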

