Android Analysis Report Corona App.apk

Overview

General Information

Sample Name: Corona App.apk
Analysis ID: 451801
MD5: d68d75b1a3de31aa8ab8a0884cbf7417
SHA1: c69c51d524cf871794ece1d1eef2181c0938f208
SHA256: d6cf06cd34f50317131591268d23ef266c01bf3f758893568f10204825cc3369
Tags: apksigned

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Deletes call logs/history
Forces setting a new device unlock password
May wipe phone data
Monitors outgoing Phone calls
Removes its application launcher (likely to stay hidden)
Tries to get accessibility permissions (for UI automation)
Uses command line tools to install new APKs
Accesses android OS build fields
Checks whether an internet connection is available
Checks if a SIM card is installed
Checks if the device administrator is active
Creates SMS data (e.g. PDU)
Detected TCP or UDP traffic on non-standard ports
Dials phone numbers
Enables or disables WIFI
Executes native commands
Found suspicious command strings (may be related to BOT commands)
Has functionality to add an overlay to other apps
Has permission to change the WIFI configuration including connecting and disconnecting
Has permission to draw over other applications or user interfaces
Has permission to execute code after phone reboot
Has permission to perform phone calls in the background
Has permission to query the list of currently running applications
Has permission to read contacts
Has permission to read the SMS storage
Has permission to read the call log
Has permission to read the default browser history
Has permission to read the phone's state (phone number, device IDs, active call, etc.)
Has permission to receive SMS in the background
Has permission to record audio in the background
Has permission to take photos
Has permission to terminate background processes of other applications
Has permissions to create, read or change account settings (including account password settings)
Has permissions to monitor, redirect and/or block calls
Installs a new wake lock (to keep the phone awake with the screen on)
May access the Android keyguard (lock screen)
Monitors incoming Phone calls
Monitors incoming SMS
Obfuscates method names
Opens an internet connection
Performs DNS lookups (Java API)
Queries a list of installed applications
Queries camera information
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
Queries the SIM provider ISO country code
Queries the SIM provider name (SPN - Service Provider Name)
Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)
Queries the WIFI MAC address
Queries the phone's location (GPS)
Queries the unique operating system id (ANDROID_ID)
Queries the unique device ID (IMEI, MEID or ESN)
Records audio/media
Requests potentially dangerous permissions
Requests root access
Sets an intent to the APK data type (used to install other APKs)
Starts/registers a service/receiver on phone boot (autostart)
Tries to add a new device administrator

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Corona App.apk Avira: detected
Multi AV Scanner detection for submitted file
Source: Corona App.apk Virustotal: Detection: 59%
Source: Corona App.apk ReversingLabs: Detection: 55%

Location Tracking:

Queries the phone's location (GPS)
Source: com.android.tester.C11$24;->run:306 API Call: android.telephony.TelephonyManager.getCellLocation
Source: com.android.tester.C11;->c:1096 API Call: android.telephony.TelephonyManager.getCellLocation
Source: com.android.tester.C15$1;->onLocationChanged:3 API Call: android.location.Location.getLongitude
Source: com.android.tester.C15$1;->onLocationChanged:6 API Call: android.location.Location.getLatitude
Source: com.android.tester.C15;->a:45 API Call: android.location.LocationManager.getLastKnownLocation
Source: com.android.tester.C15;->a:46 API Call: android.location.Location.getLongitude
Source: com.android.tester.C15;->a:47 API Call: android.location.Location.getLatitude
Source: com.android.tester.C15;->a:75 API Call: android.location.LocationManager.getLastKnownLocation
Source: com.android.tester.C15;->a:76 API Call: android.location.Location.getLongitude
Source: com.android.tester.C15;->a:77 API Call: android.location.Location.getLatitude

Privilege Escalation:

Forces setting a new device unlock password
Source: com.android.tester.C11;->k:312 API Call: android.app.admin.DevicePolicyManager.resetPassword
Checks if the device administrator is active
Source: com.android.tester.C7;->c:23 API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: com.android.tester.C7$1;->run:19 API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: com.android.tester.C7$1;->run:42 API Call: android.app.admin.DevicePolicyManager.isAdminActive
Source: com.android.tester.c;->a:17 API Call: android.app.admin.DevicePolicyManager.isAdminActive
Requests root access
Source: com.android.tester.C7$2;->run:41 API Call: java.lang.Runtime.exec ("su")
Source: com.android.tester.C7;->d:54 API Call: java.lang.Runtime.exec ("su")
Source: com.android.tester.b;->a:9 API Call: java.lang.Runtime.exec ("su")
Tries to add a new device administrator
Source: com.android.tester.C7$1;->run:21 API Call: android.content.Intent.<init> android.app.action.ADD_DEVICE_ADMIN
Source: Lcom/android/tester/C7$1;->run()V Method string: "android.app.action.ADD_DEVICE_ADMIN"

Spreading:

Has permission to change the WIFI configuration including connecting and disconnecting
Source: submitted apk Request permission: android.permission.CHANGE_WIFI_STATE
Source: com.android.tester.C1;->a:14 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C1;->onAccessibilityEvent:155 API Call: android.os.Environment.getExternalStorageState
Source: com.android.tester.C1;->onAccessibilityEvent:159 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$25;->run:10 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$26;->run:7 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$4;->run:7 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$4;->run:14 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$4;->run:17 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$4;->run:25 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$4;->run:33 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$4;->run:41 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11$4;->run:51 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C11;->A:42 API Call: android.os.Environment.getExternalStorageDirectory
Source: com.android.tester.C7$2;->run:6 API Call: android.os.Environment.getExternalStorageState
Source: com.android.tester.C7$2;->run:10 API Call: android.os.Environment.getExternalStorageDirectory

Networking:

Checks whether an internet connection is available
Source: com.android.tester.a;->e:192 API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.android.tester.a;->e:193 API Call: android.net.NetworkInfo.getState
Source: com.android.tester.C11$24;->run:356 API Call: android.net.wifi.WifiManager.getConnectionInfo
Source: com.android.tester.C11$24;->run:700 API Call: android.net.wifi.WifiManager.isWifiEnabled
Source: com.android.tester.C11$24;->run:713 API Call: android.net.wifi.WifiManager.isWifiEnabled
Source: com.android.tester.C11;->b:951 API Call: android.net.wifi.WifiManager.isWifiEnabled
Source: com.android.tester.C11;->b:964 API Call: android.net.wifi.WifiManager.isWifiEnabled
Source: com.android.tester.a;->a:103 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.android.tester.a;->a:104 API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.android.tester.a;->a:108 API Call: android.net.wifi.WifiManager.getConnectionInfo
Source: com.android.tester.a;->e:195 API Call: android.net.ConnectivityManager.getNetworkInfo
Source: com.android.tester.a;->e:196 API Call: android.net.NetworkInfo.getState
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.30:56068 -> 8.8.4.4:853
Source: global traffic TCP traffic: 192.168.2.30:48958 -> 46.246.84.12:5214
Enables or disables WIFI
Source: com.android.tester.C11;->g:1195 API Call: android.net.wifi.WifiManager.setWifiEnabled
Source: com.android.tester.C11;->g:1196 API Call: android.net.wifi.WifiManager.setWifiEnabled
Source: com.android.tester.C11;->g:1197 API Call: android.net.wifi.WifiManager.setWifiEnabled
Opens an internet connection
Source: com.android.tester.C11$23;->run:77 API Call: java.net.Socket.connect("androidmedallo.duckdns.org/46.246.84.12:5214") (13 identical entries)
Source: com.android.tester.C11$8;->run:41 API Call: java.net.Socket.connect (not executed)
Source: com.android.tester.C5$1;->run:36 API Call: java.net.Socket.connect (not executed)
Source: com.android.tester.a;->a:4 API Call: java.net.URL.openConnection (not executed)
Performs DNS lookups (Java API)
Source: com.android.tester.C11$23;->run:37 API Call: java.net.InetAddress.getByName (URL: "androidmedallo.duckdns.org")
Source: com.android.tester.C11$8;->run:31 API Call: java.net.InetAddress.getByName (not executed)
Source: com.android.tester.C5$1;->run:31 API Call: java.net.InetAddress.getByName (not executed)
Source: unknown TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.186.42
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.153.188 (8 identical entries)
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.203.110 (10 identical entries)
Source: unknown TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown TCP traffic detected without corresponding DNS query: 46.246.84.12 (8 identical entries)
Source: unknown TCP traffic detected without corresponding DNS query: 216.58.212.170
Source: unknown TCP traffic detected without corresponding DNS query: 142.250.186.163
Source: unknown TCP traffic detected without corresponding DNS query: 46.246.84.12 (13 identical entries)
Source: abc_tint_btn_checkable.xml String found in binary or memory: http://schemas.android.com/apk/res-auto
Source: abc_action_menu_layout.xml String found in binary or memory: http://schemas.android.com/apk/res-auto((android.support.v7.widget.ActionMenuView
Source: chat.xml, abc_ic_clear_material.xml String found in binary or memory: http://schemas.android.com/apk/res/android
Source: android String found in binary or memory: https://www.google.com
Source: unknown Network traffic detected: HTTP traffic on port 39602 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 34844
Source: unknown Network traffic detected: HTTP traffic on port 34844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50458 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Has permission to record audio in the background
Source: submitted apk Request permission: android.permission.RECORD_AUDIO
Has permission to take photos
Source: submitted apk Request permission: android.permission.CAMERA
Records audio/media
Source: com.android.tester.C11$33;->run:101 API Call: android.media.AudioRecord.startRecording
Source: com.android.tester.C11;->a:128 API Call: android.media.AudioRecord.startRecording
Source: com.android.tester.C11$33;->run:27 API Call: android.media.AudioRecord.<init>
Source: com.android.tester.C11$33;->run:37 API Call: android.media.AudioRecord.<init>
Source: com.android.tester.C11$33;->run:47 API Call: android.media.AudioRecord.<init>
Source: com.android.tester.C11$33;->run:57 API Call: android.media.AudioRecord.<init>
Source: com.android.tester.C11$33;->run:67 API Call: android.media.AudioRecord.<init>
Source: com.android.tester.C11$33;->run:74 API Call: android.media.AudioRecord.<init>
Source: com.android.tester.C11;->a:125 API Call: android.media.AudioRecord.<init>

E-Banking Fraud:

Has functionality to add an overlay to other apps
Source: com.android.tester.C5;->onCreate:95 API Call: WindowManager.addView
Has permission to query the list of currently running applications
Source: submitted apk Request permission: android.permission.GET_TASKS

Spam, unwanted Advertisements and Ransom Demands:

Dials phone numbers
Source: com.android.tester.C11;->r:628 API Call: com.android.tester.C11.startActivity
Has permission to perform phone calls in the background
Source: submitted apk Request permission: android.permission.CALL_PHONE
Has permissions to monitor, redirect and/or block calls
Source: submitted apk Request permission: android.permission.PROCESS_OUTGOING_CALLS

Operating System Destruction:

Deletes call logs/history
Source: com.android.tester.C11$27;->run:23 API Call: android.content.ContentResolver.delete
May wipe phone data
Source: com.android.tester.C11;->k:329 API Call: android.app.admin.DevicePolicyManager.wipeData

Change of System Appearance:

May access the Android keyguard (lock screen)
Source: android String found in binary or memory: keyguard
Source: com.android.tester.C11$23;->run:219 API Call: android.os.PowerManager$WakeLock.acquire
Source: com.android.tester.C11;->g:1199 API Call: android.media.AudioManager.setRingerMode("0")
Source: com.android.tester.C11$9;->run:13 API Call: android.app.WallpaperManager.setBitmap

System Summary:

Executes native commands
Source: com.android.tester.C11$11;->run:15 API Call: java.lang.Runtime.exec
Source: com.android.tester.C7$2;->run:41 API Call: java.lang.Runtime.exec ("su")
Source: com.android.tester.C7;->d:54 API Call: java.lang.Runtime.exec ("su")
Source: com.android.tester.b;->a:9 API Call: java.lang.Runtime.exec ("su")
Source: com.android.tester.b;->a:19 API Call: java.lang.Runtime.exec
Requests potentially dangerous permissions
Source: submitted apk Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk Request permission: android.permission.ACCESS_FINE_LOCATION
Source: submitted apk Request permission: android.permission.BLUETOOTH
Source: submitted apk Request permission: android.permission.CALL_PHONE
Source: submitted apk Request permission: android.permission.CAMERA
Source: submitted apk Request permission: android.permission.CHANGE_WIFI_STATE
Source: submitted apk Request permission: android.permission.GET_TASKS
Source: submitted apk Request permission: android.permission.INTERNET
Source: submitted apk Request permission: android.permission.PROCESS_OUTGOING_CALLS
Source: submitted apk Request permission: android.permission.READ_CONTACTS
Source: submitted apk Request permission: android.permission.READ_PHONE_STATE
Source: submitted apk Request permission: android.permission.READ_SMS
Source: submitted apk Request permission: android.permission.RECEIVE_SMS
Source: submitted apk Request permission: android.permission.RECORD_AUDIO
Source: submitted apk Request permission: android.permission.SYSTEM_ALERT_WINDOW
Source: submitted apk Request permission: android.permission.WAKE_LOCK
Source: submitted apk Request permission: android.permission.WRITE_CONTACTS
Source: submitted apk Request permission: android.permission.WRITE_EXTERNAL_STORAGE
Source: submitted apk Request permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
Source: classification engine Classification label: mal84.rans.spyw.evad.andAPK@0/251@0/0
Source: com.android.tester.a;->a:140 API Call: "10334":
Source: com.android.tester.a;->a:140 API Call: "10335":
Source: com.android.tester.a;->a:140 API Call: "10336":
Source: com.android.tester.a;->a:140 API Call: "10333":
Source: com.android.tester.a;->a:140 API Call: "10355":
Source: com.android.tester.a;->a:140 API Call: "10355": failed to connect to androidmedallo.duckdns.org/46.246.84.12 (port 5214) from /192.168.2.30 (port 48958) after 1000ms

Data Obfuscation:

Obfuscates method names
Source: Corona App.apk Total valid method names: 2%

Persistence and Installation Behavior:

Tries to get accessibility permissions (for UI automation)
Source: com.android.tester.C7$1;->run:38 API Call: com.android.tester.C7.startActivity
Uses command line tools to install new APKs
Source: Lcom/android/tester/C7$2;->run()V Method string: pm install -r
Sets an intent to the APK data type (used to install other APKs)
Source: com.android.tester.C7$2;->run:77 API Call: android.content.Intent.setDataAndType(n/a,"application/vnd.android.package-archive")
Source: com.android.tester.C1;->a:33 API Call: java.io.FileWriter.<init>
Source: com.android.tester.C11$2;->run:4 API Call: java.io.FileWriter.<init>

Boot Survival:

Has permission to execute code after phone reboot
Source: submitted apk Request permission: android.permission.RECEIVE_BOOT_COMPLETED
Installs a new wake lock (to keep the phone awake with the screen on)
Source: com.android.tester.C11$23;->run:216 API Call: android.os.PowerManager.newWakeLock
Starts/registers a service/receiver on phone boot (autostart)
Source: com.android.tester.C13;->onReceive:17 API Call: android.content.Context.startService (not executed)
Source: com.android.tester.C4;->a:4 API Call: android.content.Context.startService (not executed)

Hooking and other Techniques for Hiding and Protection:

Removes its application launcher (likely to stay hidden)
Source: com.android.tester.C1;->a:62 API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: com.android.tester.C3;->a:10 API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: com.android.tester.C3;->b:27 API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Source: com.android.tester.C7;->a:80 API Call: android.content.pm.PackageManager.setComponentEnabledSetting
Has permission to draw over other applications or user interfaces
Source: submitted apk Request permission: android.permission.SYSTEM_ALERT_WINDOW
Has permission to query the list of currently running applications
Source: submitted apk Request permission: android.permission.GET_TASKS
Has permission to terminate background processes of other applications
Source: submitted apk Request permission: android.permission.KILL_BACKGROUND_PROCESSES
Has permissions to monitor, redirect and/or block calls
Source: submitted apk Request permission: android.permission.PROCESS_OUTGOING_CALLS

Malware Analysis System Evasion:

Accesses android OS build fields
Source: com.android.tester.C11$23;->run:112 Field Access: android.os.Build.MANUFACTURER
Source: com.android.tester.C11$23;->run:116 Field Access: android.os.Build.MODEL
Source: com.android.tester.C11$24;->run:25 Field Access: android.os.Build.MODEL
Source: com.android.tester.C11$24;->run:34 Field Access: android.os.Build.BOARD
Source: com.android.tester.C11$24;->run:43 Field Access: android.os.Build.BRAND
Source: com.android.tester.C11$24;->run:61 Field Access: android.os.Build.DEVICE
Source: com.android.tester.C11$24;->run:70 Field Access: android.os.Build.DISPLAY
Source: com.android.tester.C11$24;->run:79 Field Access: android.os.Build.FINGERPRINT
Source: com.android.tester.C11$24;->run:97 Field Access: android.os.Build.HOST
Source: com.android.tester.C11$24;->run:106 Field Access: android.os.Build.ID
Source: com.android.tester.C11$24;->run:115 Field Access: android.os.Build.MANUFACTURER
Source: com.android.tester.C11$24;->run:124 Field Access: android.os.Build.PRODUCT
Source: com.android.tester.C11$24;->run:142 Field Access: android.os.Build.TAGS
Source: com.android.tester.C11$24;->run:151 Field Access: android.os.Build.USER
Source: com.android.tester.C11$23;->run:120 Field Access: android.os.Build$VERSION.RELEASE
Source: com.android.tester.C11$24;->run:175 Field Access: android.os.Build$VERSION.RELEASE
Queries the unique operating system id (ANDROID_ID)
Source: com.android.tester.a;->d:189 API Call: android.provider.Settings$Secure.getString

Language, Device and Operating System Detection:

Queries the SIM provider ISO country code
Source: com.android.tester.C11$24;->run:292 API Call: android.telephony.TelephonyManager.getSimCountryIso
Queries the SIM provider name (SPN - Service Provider Name)
Source: com.android.tester.C11$24;->run:268 API Call: android.telephony.TelephonyManager.getSimOperatorName
Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)
Source: com.android.tester.C11$24;->run:256 API Call: android.telephony.TelephonyManager.getSimOperator
Source: com.android.tester.C11$24;->run:304 API Call: android.telephony.TelephonyManager.getSimOperator
Source: com.android.tester.C11;->c:1094 API Call: android.telephony.TelephonyManager.getSimOperator
Queries the WIFI MAC address
Source: com.android.tester.C11$24;->run:357 API Call: android.net.wifi.WifiInfo.getMacAddress
Queries the unique device ID (IMEI, MEID or ESN)
Source: com.android.tester.C11$24;->run:220 API Call: android.telephony.TelephonyManager.getSubscriberId
Source: com.android.tester.C11$24;->run:232 API Call: android.telephony.TelephonyManager.getDeviceId
Source: com.android.tester.C11$24;->run:244 API Call: android.telephony.TelephonyManager.getSimSerialNumber
Source: com.android.tester.C11$24;->run:280 API Call: android.telephony.TelephonyManager.getLine1Number
Source: com.android.tester.a;->d:184 API Call: android.telephony.TelephonyManager.getDeviceId
Source: com.android.tester.a;->d:185 API Call: android.telephony.TelephonyManager.getDeviceId

Stealing of Sensitive Information:

Monitors outgoing Phone calls
Source: com.android.tester.C9 Registered receiver: android.intent.action.NEW_OUTGOING_CALL
Checks if a SIM card is installed
Source: com.android.tester.C11$24;->run:661 API Call: android.telephony.TelephonyManager.getSimState
Source: com.android.tester.C11;->b:915 API Call: android.telephony.TelephonyManager.getSimState
Creates SMS data (e.g. PDU)
Source: com.android.tester.C10;->onReceive:15 API Call: android.telephony.SmsMessage.createFromPdu
Has permission to read contacts
Source: submitted apk Request permission: android.permission.READ_CONTACTS
Has permission to read the SMS storage
Source: submitted apk Request permission: android.permission.READ_SMS
Has permission to read the call log
Source: submitted apk Request permission: android.permission.READ_CALL_LOG
Has permission to read the default browser history
Source: submitted apk Request permission: com.android.browser.permission.READ_HISTORY_BOOKMARKS
Has permission to read the phone's state (phone number, device IDs, active call, etc.)
Source: submitted apk Request permission: android.permission.READ_PHONE_STATE
Has permission to receive SMS in the background
Source: submitted apk Request permission: android.permission.RECEIVE_SMS
Has permissions to create, read or change account settings (including account password settings)
Source: submitted apk Request permission: android.permission.GET_ACCOUNTS
Monitors incoming Phone calls
Source: com.android.tester.C9 Registered receiver: android.intent.action.PHONE_STATE
Monitors incoming SMS
Source: com.android.tester.C10 Registered receiver: android.provider.Telephony.SMS_RECEIVED
Queries a list of installed applications
Source: com.android.tester.C11$19;->run:6 API Call: android.content.pm.PackageManager.getInstalledApplications
Source: com.android.tester.a;->f:20 API Call: android.content.pm.PackageManager.getInstalledApplications
Queries camera information
Source: com.android.tester.C11$34;->run:2 API Call: android.hardware.Camera.open
Source: com.android.tester.C11$34;->run:4 API Call: android.hardware.Camera.getNumberOfCameras
Source: com.android.tester.C11$34;->run:6 API Call: android.hardware.Camera.getCameraInfo
Source: com.android.tester.C5;->a:59 API Call: android.hardware.Camera.open
Source: com.android.tester.C5;->surfaceCreated:129 API Call: android.hardware.Camera.open
Queries stored mail and application accounts (e.g. Gmail or WhatsApp)
Source: com.android.tester.C11$16;->run:6 API Call: android.accounts.AccountManager.getAccounts
Source: com.android.tester.C11$16;->run:8 API Call: android.accounts.Account.type
Source: com.android.tester.C11$16;->run:12 API Call: android.accounts.Account.name
Source: submitted apk Request permission: android.permission.ACCESS_COARSE_LOCATION
Source: submitted apk Request permission: android.permission.ACCESS_FINE_LOCATION

Remote Access Functionality:

Found suspicious command strings (may be related to BOT commands)
Source: Lcom/android/tester/C9;->a(ILjava/lang/String;)V Method string: "in call started["
Source: Lcom/android/tester/C11;->k(Ljava/lang/String;Ljava/lang/String;)V Instruction: "landroid/app/admin/devicepolicymanager;->wipedata(i)v"
Source: Lcom/android/tester/C11$27;->run()V Instruction: "sget-object v3, landroid/provider/calllog$calls;->content_uri:landroid/net/uri;"
Source: Lcom/android/tester/C9;->a(ILjava/lang/String;)V Instruction: "const-string v0, "in call started[""