360 Security Intercepted Korean Mobile Banking Trojan

Apr 16, 2015 | 360TS

360 Security Center recently intercepted a Korean Trojan (sample MD5: 31ba0bd568fdd43bfbc1eb55a49fba80). The malware sends mass text messages containing malicious links to the phone's contacts and monitors user calls, the installed applications list, location and other private information, resulting in leakage of user privacy. 360 Security for Android is able to get rid of this lethal virus.
On its first run, the software sends a text message to 01089941103 stating: the phone number of the infected phone + “has been infected with malicious code”.
Accept SMS commands that control the TCP connections opened to upload user privacy information (SMS content: ccTCP address). If an incoming text message is not a control message, it is forwarded to 01089941103.
Traverse the user's phone contacts and send them text messages containing a malicious link. This address is invalid now and cannot be opened. Still, according to wedding.apk, we can judge that it is the link to download the sample itself. Malicious SMS content: (name + you receive an invitation + bit.ly/1eFWq7d)
Get the user’s mobile phone firmware information, including phone number, operator information, country code, software version, IMEI, IMSI and other information.
Get user location information.
Get the installed application list (mainly to identify bank applications), to get the bank database information.
Get the user’s mobile phone contacts information.
Save user call recordings and audio files in mp4 format.
Open a socket connection and upload user privacy information. (The default TCP address is 210.124.110.201, controlled by SMS commands.)
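
An indicator sweep built from the values in this write-up, as an added example that is not 360's own code. The record schema and rule names are hypothetical, and reading the control message as "cc" followed by an IPv4 address is an assumption about the "ccTCP address" format; because the upload address can be changed by SMS, the sweep flags the control message as well as the default address.

```python
import re

# Indicators quoted in the write-up above.
SAMPLE_MD5 = "31ba0bd568fdd43bfbc1eb55a49fba80"
REPORT_NUMBER = "01089941103"
DEFAULT_C2_IP = "210.124.110.201"
LURE_LINK = "bit.ly/1eFWq7d"
# Assumption: a control SMS is the literal "cc" followed by an IPv4 address.
CONTROL_SMS = re.compile(r"^cc\s*(\d{1,3}(?:\.\d{1,3}){3})")

def normalize_kr_number(raw):
    """Reduce '+82 10-8994-1103' or '0082 10 8994 1103' to national digits."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0082"):
        digits = digits[2:]
    if digits.startswith("82"):
        digits = "0" + digits[2:]
    return digits

def match_event(ev):
    """Return the rule names that one telemetry record triggers."""
    hits = []
    kind = ev.get("type")
    if kind == "sms_out":
        if normalize_kr_number(ev.get("dest", "")) == REPORT_NUMBER:
            hits.append("sms-to-report-number")
        if LURE_LINK in ev.get("body", ""):
            hits.append("lure-link-sent")
    elif kind == "sms_in":
        m = CONTROL_SMS.match(ev.get("body", "").strip())
        if m:
            # Record the new upload address so it can be added to blocklists.
            hits.append("control-sms:" + m.group(1))
    elif kind == "net" and ev.get("dst_ip") == DEFAULT_C2_IP:
        hits.append("default-c2-ip")
    elif kind == "file" and ev.get("md5", "").lower() == SAMPLE_MD5:
        hits.append("sample-md5")
    return hits

def sweep(events):
    """Map record index -> triggered rules, skipping clean records."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}

# Constructed sample records (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "sms_out", "dest": "+82 10-8994-1103", "body": "status"},
    {"type": "sms_out", "dest": "010-5555-0100", "body": "Kim, you receive an invitation bit.ly/1eFWq7d"},
    {"type": "sms_in", "body": "cc198.51.100.7"},
    {"type": "net", "dst_ip": "210.124.110.201"},
    {"type": "file", "md5": "31BA0BD568FDD43BFBC1EB55A49FBA80"},
    {"type": "sms_out", "dest": "010-5555-0101", "body": "See you at lunch"},
]
```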