TrojanSpy:AndroidOS/Cosha.A is a trojan that affects mobile devices running the Android operating system. It can filter received SMS messages, send SMS messages to premium numbers, and collect personal user information.
Installation
TrojanSpy:AndroidOS/Cosha.A is a trojan that usually arrives bundled with other applications, most of which use a Chinese name. Once run, it starts itself as a service in the background named "cooshare.zeno.tinygame.lovetrap.core".
The applications that it comes bundled with may require the following permissions:
- ACCESS_FINE_LOCATION
- ACCESS_NETWORK_STATE
- ACCESS_WIFI_STATE
- PROCESS_OUTGOING_CALLS
- SEND_SMS
- SMS_RECEIVED
It then checks whether the access point name (APN) is "cmwap" and continues with its malicious routines if this is the case.
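A triage check built from the indicators above, as an added example that is not part of the original analysis: it reads a decoded AndroidManifest.xml (text form, for example as produced by apktool) and reports whether the service name and the listed permissions are present. The class name MainService, the sample manifests and the verdict labels are constructed for illustration, and it is an assumption that the service is declared in the manifest under this name.

```python
import xml.etree.ElementTree as ET  # for untrusted files a hardened parser such as defusedxml is preferable

NS = "{http://schemas.android.com/apk/res/android}"
SERVICE = "cooshare.zeno.tinygame.lovetrap.core"   # service name from the description
LISTED = {"ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
          "PROCESS_OUTGOING_CALLS", "SEND_SMS", "SMS_RECEIVED"}

def scan_manifest(xml_text):
    """Report the service hit and which listed names a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    # SMS_RECEIVED normally appears as a receiver intent action, so collect both
    # <uses-permission> and <action> names, reduced to their last dotted segment.
    declared = {el.get(NS + "name", "").rsplit(".", 1)[-1]
                for tag in ("uses-permission", "action") for el in root.iter(tag)}
    services = []
    for el in root.iter("service"):
        name = el.get(NS + "name", "")
        if name.startswith("."):
            name = package + name          # relative class name
        elif "." not in name:
            name = package + "." + name    # bare class name
        services.append(name)
    # Assumption: the service is declared as this name or as a class beneath it.
    hit = any(s == SERVICE or s.startswith(SERVICE + ".") for s in services)
    matched = sorted(LISTED & declared)
    # The permissions alone are common in benign apps, so they only prompt a review.
    verdict = "match" if hit else ("review" if len(matched) == len(LISTED) else "no-match")
    return {"verdict": verdict, "service": hit, "matched": matched}

# Constructed sample manifests (not taken from a real APK).
SAMPLE_BUNDLED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name="cooshare.zeno.tinygame.lovetrap.core.MainService"/>
    <receiver android:name=".SmsRx"><intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("bundled", SAMPLE_BUNDLED), ("benign", SAMPLE_BENIGN)):
        print(label, scan_manifest(xml))
```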
Payload
Steals sensitive information
After TrojanSpy:AndroidOS/Cosha.A is installed, it collects the following information and sends it to the server "cooshare<removed>.com":
- Device IMEI code
- Subscriber ID
Monitors and sends SMS messages
TrojanSpy:AndroidOS/Cosha.A sends an SMS to numbers on a list taken from a webpage on "cooshare<removed>.com". For example, it sends an SMS to "1065817690102" with the message "ax360".
TrojanSpy:AndroidOS/Cosha.A also checks every time the user receives an SMS message. If the sender is the premium number it sent a message to earlier, it disregards the message.
Runs arbitrary commands
TrojanSpy:AndroidOS/Cosha.A may run various commands, which it receives from "cooshare<removed>.com".
Analysis by Daniel Chipiristeanu