
Wednesday, March 14, 2012

Android.Stiniter


Type: Trojan
Infection Length: 620,826 bytes
Android.Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

Android package file
The Trojan may arrive as a package with one of the following names:

APK: android.qpgly.com
Service name: .service.PlayerBindService

APK: android.gdwsklzz.com
Service name: com.gamebox.service.GameUpdateService 
This threat may be downloaded and installed from a third-party Android marketplace.

It then installs apps with the following names:

APK: googlemessage.apk
Service name: .AndoidService

APK: googleservice.apk
Service name: .GoogleUpdateService

APK: unlock.apk
Service name: .GoogleWake


Permissions
The dropped apps request permissions to perform the following actions:
  • Check the phone's current state.
  • Send SMS messages.
  • Start once the device has finished booting.
  • Prevent the processor from sleeping or the screen from dimming.
  • Disable the keyguard.


Functionality
The Trojan has functionality to perform the following actions:
  • Send SMS messages to a premium-rate phone number.
  • Run when device starts.
  • Execute included ARM executables.
  • Collect data, including IMEI, IMSI, phone model, screen size, platform, phone number, and OS version.
  • Monitor and log incoming SMS messages.
  • Remount directories to escalate privileges.
  • Unlock the screen.

It may then attempt to contact the following URLs:
  • [http://]www.vhunjie.com/tgloader-android/[REMOVED]
  • [http://]www.vshenhuo.com/tgloader-android/[REMOVED]
  • [http://]www.vyidong.com/tgloader-android/[REMOVED]
  • [http://]www.vliulan.com/tgloader-android/[REMOVED]
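
A triage check built from the service names and permissions listed above, added here as an example and not part of the original write-up: it reads an AndroidManifest.xml that has already been decoded to text XML and reports which listed service names and permissions it contains. The mapping from the described actions to Android permission constants, the flagging rule, and the sample manifest are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Service names as listed in the write-up; a leading dot is relative to the package.
KNOWN_SERVICES = [".service.PlayerBindService", "com.gamebox.service.GameUpdateService",
                  ".AndoidService", ".GoogleUpdateService", ".GoogleWake"]
# Assumption: Android permission constants matching the five listed actions.
PROFILE = {"android.permission.READ_PHONE_STATE", "android.permission.SEND_SMS",
           "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.WAKE_LOCK",
           "android.permission.DISABLE_KEYGUARD"}

def resolve(package, name):
    """Expand a manifest component name to its fully qualified form."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def triage_manifest(manifest_xml):
    """Compare one decoded AndroidManifest.xml against the listed indicators."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    matched = []
    for svc in root.iter("service"):
        full = resolve(package, svc.get(ANDROID + "name", ""))
        for known in KNOWN_SERVICES:
            # Relative indicators match as a suffix, absolute ones exactly.
            if full.endswith(known) if known.startswith(".") else full == known:
                matched.append(known)
    overlap = sorted(PROFILE & requested)
    # Assumption: flag only when a service name and at least one permission agree.
    return {"package": package, "services": matched, "permissions": overlap,
            "flagged": bool(matched) and bool(overlap)}

# Constructed sample manifest (package name is a placeholder, not from the write-up).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".GoogleUpdateService"/></application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A service-name match without any of the listed permissions is returned but not flagged, so an analyst can still review it.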
