A Trojan infecting Android mobile devices. It is intended to send SMS messages and make phone calls covertly, as well as to collect all sorts of confidential information. Unlike most Android Trojans, this malware concentrates all its malicious features in a special Unix library while the Android.Titan.1 dex file is used as an auxiliary component. Once Android.Titan.1 is installed on the target device, it creates a shortcut on the home screen and waits for the user to launch it.
After it is launched by the owner of the infected Android device, the Trojan removes its previously created icon. It also removes the last SMS dialogue stored in the device memory and starts the com/Titanium/Synchronous/praesunt malicious service. Later launches of Android.Titan.1 are performed automatically at each startup.
Once it is running, com/Titanium/Synchronous/praesunt starts the com/Titanium/Synchronous/adipiscing service, which in turn supports the following features:
- “MAINSTART”
- “MSGUPLOAD”
- “SCRUPLOAD”
- “VOCUPLOAD”
The “MAINSTART” feature
Periodically restarts com/Titanium/Synchronous/praesunt, which keeps the Trojan permanently active. In addition, this feature checks which application is the default SMS manager and, if it is not Android.Titan.1, tries to make the Trojan the default manager using the android.provider.Telephony.ACTION_CHANGE_DEFAULT standard system function.
It also sends the following information about the compromised mobile device to the command and control server:
- OS version
- User's mobile number
- Data on network connection
- MAC address
- IMEI
- IMSI
In return, the server can send commands to:
- Start the com/Titanium/Synchronous/desine service that searches for and kills all processes related to the com.kakao.talk application
- Start the com/Titanium/Synchronous/factum service that spoofs phone numbers in the phone book
- Change the device's ringer mode (silent, vibrate or normal) and set the ringer volume level
- Start the com/Titanium/Synchronous/factum service that sends SMS messages to a specified number
- Start the com/Titanium/Synchronous/factum service that calls a specified number (during the call, the screen of the device stays inactive, as in standby mode)
- Send the contact list information (names and corresponding phone numbers) to the server
- Start the com/Titanium/Magister/posursum service that displays a specified text and accompanying images in the notification bar
The “MSGUPLOAD” feature
Collects information about all inbound SMS messages (sender, date and time of sending) and uploads it to the command and control server. If a connection to the server cannot be established, the information is stored in a local database and sent later.
The “SCRUPLOAD” feature
Monitors the status of the device's screen (active or standby mode) and sends this data to the server.
The “VOCUPLOAD” feature
Collects information about the user's calls and sends this data to the server.
The com.Titanium.Accipite.pipeline service
Starts in the following cases:
- When an SMS is received. In this case, the service checks inbound messages and hides some parts of them (according to the Trojan's settings) from the user. The information about all inbound SMS messages is sent to the command and control server using the "MSGUPLOAD" feature.
- When the operating system is loaded. In this case, the service activates the Trojan's main service using the "MAINSTART" feature.
- Every minute, the Trojan checks the device's status and whether the user is on a call. If so, the call is recorded to an amr file placed in the Android.Titan.1 working directory, and the file is then sent to the server using the com/Titanium/Synchronous/adipiscing service with the "VOCUPLOAD" parameter. The screen's status is monitored in the same manner, and this information is sent to the server using the "SCRUPLOAD" feature.
The Trojan is able to block certain calls and to answer calls automatically. In addition, the related information about the phone conversations is removed from the system logs.
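A triage sketch built on the service names listed above, as an added example that is not part of the original description: it normalises class names written in slash, dot or dex-descriptor notation and reports which of the Trojan's services appear in a list of component or class references. The input lines are constructed sample data, and the function and variable names are assumptions.

```python
import re

# Service classes named in the description above, with the role the text gives each.
TITAN_SERVICES = {
    "com.Titanium.Synchronous.praesunt": "main service, restarted by MAINSTART",
    "com.Titanium.Synchronous.adipiscing": "runs MAINSTART/MSGUPLOAD/SCRUPLOAD/VOCUPLOAD",
    "com.Titanium.Synchronous.desine": "kills com.kakao.talk processes",
    "com.Titanium.Synchronous.factum": "phone book spoofing, SMS sending, calls",
    "com.Titanium.Magister.posursum": "text and images in the notification bar",
    "com.Titanium.Accipite.pipeline": "SMS, boot and call monitoring",
}

# A class name in dotted, slashed or dex-descriptor (Lpkg/Class;) notation.
_CLASS_TOKEN = re.compile(r"[A-Za-z_$][\w$]*(?:[./][A-Za-z_$][\w$]*)+;?")


def normalise(token):
    """Return the dotted form of a class name written in any of the three notations."""
    if token.startswith("L") and token.endswith(";") and "/" in token:
        token = token[1:]  # drop the dex descriptor's leading 'L'
    return token.rstrip(";").replace("/", ".")


def find_titan_services(lines):
    """Map each listed service class found in `lines` to the line numbers where it occurs."""
    hits = {}
    for lineno, line in enumerate(lines, 1):
        for token in _CLASS_TOKEN.findall(line):
            name = normalise(token)
            for svc in TITAN_SERVICES:
                # Suffix match also covers "package/class" component names.
                if name == svc or name.endswith("." + svc):
                    hits.setdefault(svc, []).append(lineno)
    return hits


# Constructed sample input (not taken from a real device or sample).
SAMPLE = [
    "service com.example.notes/com.example.notes.SyncService",
    "service com.sample.app/com.Titanium.Synchronous.praesunt",
    "invoke Lcom/Titanium/Synchronous/adipiscing;->onStartCommand",
    "class com/Titanium/Magister/posursum",
    "service com.titanium.synchronous.praesunt.lookalike",
]

if __name__ == "__main__":
    for svc, where in find_titan_services(SAMPLE).items():
        print(f"{svc} ({TITAN_SERVICES[svc]}): lines {where}")
```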