NEWS FROM THE LAB - Thursday, March 10, 2011

Trojan:Android/BgServ.A Posted by Response @ 08:26 GMT

So Google released a security solution to deal with the mess that Trojan:Android/DroidDream.A has created in the last few days.

A trojanized version of the tool has also emerged (we detect it as Trojan:Android/Bgserv.A). Interesting preliminary analysis of the trojan is available in Symantec's blog.

You can see the difference by checking the application info of the authentic versus trojanized versions:

Android Market Security Tool:

[Screenshot: Android Market Security Tool installation]

[Screenshot: Trojan:Android/Bgserv.A installation]

Here's a screenshot of the content/package itself:

[Screenshot: Trojan:Android/Bgserv.A comparison]

Once installed, Trojan:Android/Bgserv.A obtains the user's phone information such as IMEI and the phone number. The information is uploaded to http://www.youlubg.com:81/Coop/request3.php.
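As an added example that is not part of the original post: a small detection pass a defender could run over HTTP proxy logs to find devices that report to the upload address quoted above. The host, port and path are the ones named in the post; the proxy-log format and the sample lines are constructed for illustration and are not real traffic. Note that the comparison is on the exact port (81), so a request to the same host on the default port 80 is deliberately not flagged.

```python
import re
from urllib.parse import urlparse

# Upload address quoted in the post (host, port and path come from the write-up).
C2_URL = "http://www.youlubg.com:81/Coop/request3.php"
_c2 = urlparse(C2_URL)
C2_HOST, C2_PORT, C2_PATH = _c2.hostname, _c2.port, _c2.path

# Constructed proxy-log format (an assumption, not any real product's format):
#   "<timestamp> <client_ip> <METHOD> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_c2_request(url: str) -> bool:
    """True when the request goes to the upload endpoint named in the post.

    The host is compared case-insensitively (urlparse lowercases it), the port
    must match exactly (defaulting to 80/443 when the URL omits it), and the
    path is compared without any query string.
    """
    p = urlparse(url)
    if not p.hostname:
        return False
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return p.hostname == C2_HOST and port == C2_PORT and p.path == C2_PATH


def find_reporting_clients(lines):
    """Return sorted (client_ip, timestamp) pairs for log lines that hit the endpoint."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        if is_c2_request(m.group("url")):
            hits.append((m.group("client"), m.group("ts")))
    return sorted(hits)


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
2011-03-10T08:01:12Z 10.0.0.12 GET http://www.example.com/ 200
2011-03-10T08:02:40Z 10.0.0.17 POST http://www.youlubg.com:81/Coop/request3.php 200
2011-03-10T08:03:05Z 10.0.0.17 GET http://WWW.YOULUBG.COM:81/Coop/request3.php?x=1 200
2011-03-10T08:04:00Z 10.0.0.21 POST http://www.youlubg.com/Coop/request3.php 404
garbage line that does not parse
"""

if __name__ == "__main__":
    for client, ts in find_reporting_clients(SAMPLE_LOG.splitlines()):
        print(f"{client} contacted the upload endpoint at {ts}")
```

Running the block prints two hits, both for 10.0.0.17; the line for 10.0.0.21 is ignored because it uses port 80 rather than 81, and the unparseable line is skipped without error.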

Again, this malware appears to be specific to a mainland Chinese network: it contacts the number 10086 (related to China Mobile Net) and inserts a new APN named "cmnet" into the device's APN list, which it then uses.

This malware may lead to high data usage on the infected device, leaving the user with a high phone bill.

Interesting note: the malicious code doesn't seem to be restricted only to the Android Market Security Tool; the same behavior also appears in other Android applications, according to AegisLab's blog.

Response Post by — Zimry