Wednesday, July 31, 2013

Published 9:12 AM by

Trojan that exploits a new vulnerability is distributed in a range of Android applications

Doctor Web has found the first Android malware that spreads by exploiting the recently disclosed Master Key vulnerability. Android.Nimefas.1.origin can send SMS messages, transmit users' confidential information to criminals, and execute commands remotely on the infected mobile device. At the moment, the Trojan is distributed in many games and applications available for download from one Chinese online catalog of Android applications. However, it is possible that the number of malicious programs exploiting the Master Key vulnerability will increase in the near future, and the geography of the threat will expand accordingly.

From the moment information about the Master Key vulnerability became public, most security experts were confident that sooner or later criminals would take advantage of the loophole found in Android, because from a technical point of view exploiting this software error is not difficult. Indeed, less than a month after the details of the vulnerability were disclosed, malware exploiting it has already appeared. The discovered Trojan is distributed in Android applications in the form of a dex file modified by the cybercriminals, placed alongside the program's original dex file. Recall that the Master Key vulnerability lies in the way an Android component processes applications being installed: if an apk package contains two files with the same name in one subdirectory, the operating system verifies the digital signature of the first file but installs the second file, which is not checked.

Thus, the protective mechanism that prevents installation of an application modified by third parties is bypassed.

Once launched on the infected mobile device, the Trojan first checks whether at least one of the services belonging to a number of Chinese anti-virus applications is active. If at least one of them is found, Android.Nimefas.1.origin determines whether root access is present by searching for the files "/system/xbin/su" or "/system/bin/su". If these files are present, the Trojan terminates. If none of the above conditions is met, the malicious program continues to function. Specifically, Android.Nimefas.1.origin sends the IMSI to one of the numbers chosen at random from an available list. Next, the Trojan sends an SMS to all contacts in the phone book of the infected mobile device. The text of these messages is downloaded from a remote server.

Information about the contacts used for the mailing is then passed to the same server. The malware can also send arbitrary SMS messages to various numbers. The necessary information (message text and phone numbers) is obtained from the control server. The Trojan can also hide incoming messages from the user. The corresponding filter, by number or by text of the received SMS, is downloaded from the attackers' control center. The remote server that the cybercriminals used to control the malware is currently no longer functioning. At present the Android.Nimefas.1.origin Trojan poses the greatest danger to Chinese users, because it is distributed in many games and applications available for download from a Chinese software-catalog website. Its members have been notified of the problem. However, it is possible that the number of malicious programs exploiting the Master Key vulnerability will increase in the near future, and the geography of the threat will expand accordingly.

Until the manufacturers of Android mobile devices release the corresponding operating-system update that closes this vulnerability, many users may be affected by such malicious applications. Given that many devices on the market are no longer supported by their manufacturers, their owners risk being left without any protection at all.
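
The duplicate-name condition behind Master Key, described above, can be checked for before a package is installed or admitted to an application catalog. The following Python check is an added example, not code from Doctor Web or the original post; the function names `scan_apk` and `build_sample` and the sample archive contents are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def scan_apk(data):
    """Return one finding per entry name that occurs more than once."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not a ZIP/APK archive") from None
    with zf:
        by_name = defaultdict(list)
        # infolist() keeps every central-directory record, duplicates included
        for info in zf.infolist():
            by_name[info.filename].append(info)
    findings = []
    for name, infos in by_name.items():
        if len(infos) > 1:
            findings.append({
                "name": name,
                "copies": len(infos),
                "crc32": ["%08x" % i.CRC for i in infos],
                # True when the copies differ in CRC or uncompressed size
                "differs": len({(i.CRC, i.file_size) for i in infos}) > 1,
            })
    return findings


def build_sample(duplicate):
    """Constructed test archive with placeholder bytes (not a real APK)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"placeholder manifest")
            zf.writestr("classes.dex", b"placeholder original")
            if duplicate:
                zf.writestr("classes.dex", b"placeholder second copy")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("duplicate", build_sample(True))):
        print(label, scan_apk(sample))
```

Any finding is reason to treat the package as suspect, since the signature check and the installer may not read the same copy of the file.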