Trojan:AndroidOS/SpyGold.A is a trojan that targets mobile devices running Android. The trojan captures device information, incoming SMS messages and call details to a file and sends the captured information to a remote server.
Installation
This trojan may have been distributed as an Android installation package named "v1.0_com.GoldDream.pg_1_1.0.apk". During installation, the following graphics may be displayed:
The trojan requests the following permissions during installation:
- android.permission.INTERNET
- android.permission.ACCESS_NETWORK_STATE
- android.permission.READ_PHONE_STATE
- android.permission.ACCESS_WIFI_STATE
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.ACCESS_FINE_LOCATION
- android.permission.RECEIVE_SMS
- android.permission.SEND_SMS
- android.permission.READ_SMS
- android.permission.CALL_PHONE
- android.permission.PROCESS_OUTGOING_CALLS
- android.permission.DELETE_PACKAGES
- android.permission.INSTALL_PACKAGES
- android.permission.RECEIVE_BOOT_COMPLETED
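The permission list above is the most useful static signal a reviewer gets before the app ever runs: no single entry is suspicious on its own, but the combination of SMS access, call monitoring, network access, boot persistence and package control describes a data-theft profile. The script below is an added example, not part of the Microsoft write-up and not the trojan's code; it parses the uses-permission entries of a decoded AndroidManifest.xml, groups them into capabilities (my own grouping, an assumption) and reports the risky combinations. The manifest fragment it reads is constructed for the demonstration and is not the sample's real manifest.

```python
"""
Added example: score an Android app's declared permissions against the
SMS/call-theft profile described for SpyGold.A. The capability grouping and
the combination rules are illustrative assumptions, not a Microsoft scheme.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The fifteen permissions quoted in the write-up, used as the reference profile.
SPYGOLD_PERMISSIONS = frozenset({
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.DELETE_PACKAGES",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
})

# Assumed grouping: which permissions give an app each capability.
CAPABILITY_GROUPS = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_monitor": {"android.permission.PROCESS_OUTGOING_CALLS"},
    "call_initiate": {"android.permission.CALL_PHONE"},
    "device_identify": {"android.permission.READ_PHONE_STATE"},
    "network_exfil": {"android.permission.INTERNET"},
    "local_staging": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "package_control": {"android.permission.INSTALL_PACKAGES",
                        "android.permission.DELETE_PACKAGES"},
}


def parse_manifest_permissions(manifest_xml: str) -> frozenset:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return frozenset(names)


def capabilities(perms: frozenset) -> set:
    """Map a permission set to the capability groups it enables."""
    return {cap for cap, needed in CAPABILITY_GROUPS.items() if needed & perms}


def risk_findings(perms: frozenset) -> list:
    """Report permission combinations that match the SpyGold.A behaviour."""
    caps = capabilities(perms)
    findings = []
    if {"sms_intercept", "network_exfil"} <= caps:
        findings.append("SMS interception combined with network access")
    if {"call_monitor", "network_exfil"} <= caps:
        findings.append("outgoing-call monitoring combined with network access")
    if "persistence" in caps and caps & {"sms_intercept", "call_monitor"}:
        findings.append("boot persistence for a data-collecting app")
    if "package_control" in caps:
        # Signature-level permissions: only granted to system-signed apps.
        findings.append("package install/delete requested (signature-level)")
    if caps & {"sms_send", "call_initiate"} and "network_exfil" in caps:
        findings.append("network-connected app that can send SMS or place calls")
    return findings


def profile_overlap(perms: frozenset) -> float:
    """Fraction of the SpyGold.A permission profile that `perms` covers."""
    return len(perms & SPYGOLD_PERMISSIONS) / len(SPYGOLD_PERMISSIONS)


# Constructed manifest fragment (assumption: a decoded AndroidManifest.xml).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="suspect"/>
</manifest>"""

if __name__ == "__main__":
    perms = parse_manifest_permissions(SAMPLE_MANIFEST)
    print(f"profile overlap: {profile_overlap(perms):.2f}")
    for finding in risk_findings(perms):
        print("-", finding)
```

Run it against a manifest pulled from an APK with a decoder such as apktool; the constructed manifest above yields two findings and covers a third of the reference profile, while the full SpyGold.A set yields all five. Note that INSTALL_PACKAGES and DELETE_PACKAGES are signature-level permissions, so an app installed as a normal third-party package requests them in vain unless it is signed with the platform key.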
Payload
Captures sensitive data
When the trojan executes, it collects the following device and SMS data:
- Android device details including phone DeviceId, SubscriberId and SimSerialNumber
- SMS message body and send time
- SMS sender information
The collected details are saved to a file named "zjsms.txt" in the malware's own directory. The trojan also records the following call data:
- Outgoing and incoming call numbers
- Call start and end time
These details are saved to a file named "zjphonecall.txt" in the malware's own directory.
Communicates with a remote server
The trojan sends the captured data to a remote server named "lebar.gicp.net". It can also receive commands from that server to perform the following actions:
- Send an SMS message
- Call a specific number
- Install arbitrary packages, which may include further malware
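The two capture files and the server name above are the concrete indicators a responder can look for on a device image or in network logs. The script below is an added example, not part of the write-up and not the trojan's code: it walks a directory tree for the artifact file names and the installer name quoted on this page, and matches the server host in log lines as a whole host name (including subdomains, and a trailing DNS dot), so that look-alike names do not produce false hits. The directory layout and log lines it builds are constructed for the demonstration.

```python
"""
Added example: look for the on-device and network indicators named in the
SpyGold.A write-up. The artifact names and the server host come from the
write-up; the sample directory tree and log lines are constructed here.
"""
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted from the write-up.
ARTIFACT_FILENAMES = {"zjsms.txt", "zjphonecall.txt", "v1.0_com.GoldDream.pg_1_1.0.apk"}
C2_HOST = "lebar.gicp.net"

# Match the host as a whole name or a subdomain of it; reject "notlebar.gicp.net"
# and "lebar.gicp.net.example.com" but accept a trailing DNS dot.
C2_PATTERN = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(C2_HOST) + r"(?!\.?[\w-])",
    re.IGNORECASE,
)


def scan_tree(root) -> list:
    """Return POSIX-style relative paths under `root` whose name is an artifact."""
    root = Path(root)
    wanted = {name.lower() for name in ARTIFACT_FILENAMES}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in wanted:
                hits.append(Path(dirpath, fname).relative_to(root).as_posix())
    return sorted(hits)


def scan_log_lines(lines) -> list:
    """Return (line_number, line) pairs that reference the server host."""
    return [(n, line) for n, line in enumerate(lines, 1) if C2_PATTERN.search(line)]


def build_sample_tree(root) -> None:
    """Create a constructed layout loosely resembling an app data directory."""
    root = Path(root)
    app_files = root / "data" / "com.example.app" / "files"
    app_files.mkdir(parents=True)
    (app_files / "zjsms.txt").write_text("constructed placeholder\n")
    (app_files / "zjphonecall.txt").write_text("constructed placeholder\n")
    (app_files / "notes.txt").write_text("benign file\n")
    (app_files / "zjsms.txt.bak").write_text("name differs, must not match\n")
    download = root / "download"
    download.mkdir()
    (download / "v1.0_com.GoldDream.pg_1_1.0.apk").write_bytes(b"PK placeholder")


# Constructed log lines (not real traffic); lines 1 and 2 should match.
SAMPLE_LOG_LINES = [
    "09:00:01 dns query A lebar.gicp.net from 10.0.0.7",
    "09:00:02 http GET http://lebar.gicp.net/upload from 10.0.0.7",
    "09:00:03 dns query A www.example.com from 10.0.0.7",
    "09:00:04 dns query A notlebar.gicp.net from 10.0.0.9",
]


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it and the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        files = scan_tree(tmp)
    return {"files": files, "log_hits": scan_log_lines(SAMPLE_LOG_LINES)}


if __name__ == "__main__":
    result = run_demo()
    for path in result["files"]:
        print("artifact:", path)
    for number, line in result["log_hits"]:
        print(f"log line {number}:", line)
```

Point scan_tree at a mounted device image or an extracted backup and feed scan_log_lines the DNS or proxy log of the network the device was on; a hit on either file name is stronger evidence than the host name alone, since dynamic DNS hosts such as this one are reassigned over time.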
Analysis by Tim Liu