The Trojan is typically bundled with an application available on unregulated third-party Android marketplaces.
When the Trojan is executed, it requests permissions to perform the following actions:
- Open network sockets
- Send and monitor incoming SMS messages
- Read and write to the user's browsing history and bookmarks
- Install packages
- Write to external storage
- Read the phone's state (e.g. out of service, radio off, etc.)
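The permission set above is the first thing a triage analyst checks in a decoded manifest of a repackaged app. The following is an added example, not code from this write-up or from Symantec: it maps the actions listed above to the Android permission names an analyst would look for (that mapping, the review threshold and the two sample manifests are my own assumptions and constructed inputs) and scores a manifest against the set.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Mapping from the capabilities described in the write-up to the Android
# permission names an analyst would expect in a decoded AndroidManifest.xml.
# The mapping is mine (assumption); the write-up names actions, not permissions.
PJAPPS_LIKE_PERMISSIONS = {
    "android.permission.INTERNET": "open network sockets",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.RECEIVE_SMS": "monitor incoming SMS messages",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browsing history and bookmarks",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "write browsing history and bookmarks",
    "android.permission.INSTALL_PACKAGES": "install packages",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.READ_PHONE_STATE": "read the phone's state",
}

# Network access plus the ability to send texts: common on their own, but
# worth a closer look when combined with the rest of the set above.
SMS_PLUS_NETWORK = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml, threshold=5):
    """Score a manifest against the Pjapps-like permission set.

    The threshold is an analyst-chosen cut-off (assumption), not something
    the write-up specifies.
    """
    perms = requested_permissions(manifest_xml)
    matched = {p: PJAPPS_LIKE_PERMISSIONS[p] for p in sorted(perms) if p in PJAPPS_LIKE_PERMISSIONS}
    sms_and_net = SMS_PLUS_NETWORK <= perms
    return {
        "matched": matched,
        "score": len(matched),
        "sms_and_network": sms_and_net,
        "review": sms_and_net and len(matched) >= threshold,
    }


# Constructed manifests for demonstration; neither is a real sample.
REPACKAGED_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Repackaged"/>
</manifest>
"""

BENIGN_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("repackaged", REPACKAGED_APP), ("benign", BENIGN_APP)):
        result = triage(manifest)
        print(label, result["score"], "review" if result["review"] else "ok")
        for perm, capability in result["matched"].items():
            print("   ", perm, "->", capability)
```

Run it against the output of a manifest decoder (for example the `AndroidManifest.xml` produced by apktool); the score is a prioritisation aid, since a legitimate messaging app can request several of these permissions, so the match list, not the number alone, is what the analyst reads.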
It then creates a service that runs in the background. The threat's launcher is triggered whenever the device's reception signal changes.
When the service is started, it tries to register itself using the following URL:
http://mobile.meego91.com/mm.do?..[PARAMETERS]
Note: [PARAMETERS] is a variable that contains the following information from the device:
- IMEI
- DeviceID
- Line Number
- Subscriber ID
- SIM serial number
The threat may send a message containing the infected device's IMEI number to a mobile number controlled by the attackers. The mobile number to which this message is sent is obtained from the following URL:
http://log.meego91.com:9033/android.log?[PARAMETERS]
The threat downloads commands from the following location:
http://xml.meego91.com:8118/push/newandroidxml/...
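The three URLs above are the network indicators a defender can act on. As an added example that is not part of the write-up, the following classifies a request URL against those host/path pairs (the stage labels are my own shorthand for what the write-up says each URL does) and runs the check over a constructed, Squid-style proxy log excerpt, whose column layout, client addresses and query strings are placeholders I made up for the example. Host matching is exact, so a look-alike domain is not flagged.

```python
from urllib.parse import urlsplit

# Host/path pairs copied from the three URLs in the write-up; the stage
# labels are my own shorthand for what the write-up says each URL is used for.
C2_STAGES = (
    ("registration", "mobile.meego91.com", "/mm.do"),
    ("attacker number lookup", "log.meego91.com", "/android.log"),
    ("command download", "xml.meego91.com", "/push/newandroidxml/"),
)
C2_DOMAIN = "meego91.com"


def classify_url(url):
    """Return the C2 stage a URL corresponds to, or None if it is unrelated.

    The hostname must match exactly (or be a real subdomain of meego91.com),
    so a look-alike such as meego91.com.evil.test does not match.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for stage, c2_host, path_prefix in C2_STAGES:
        if host == c2_host and parts.path.startswith(path_prefix):
            return stage
    if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
        return "other " + C2_DOMAIN + " host"
    return None


def scan_proxy_log(text):
    """Scan proxy log lines and return (client, stage, url) hits.

    Assumed layout (constructed for this example): timestamp, client IP,
    method, URL, status. Malformed lines are skipped.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        stage = classify_url(url)
        if stage is not None:
            hits.append((client, stage, url))
    return hits


def infected_clients(text):
    """Distinct client addresses that contacted one of the documented C2 stages."""
    return sorted({client for client, stage, _ in scan_proxy_log(text)
                   if not stage.startswith("other ")})


# Constructed log excerpt: addresses, hostnames other than the three in the
# write-up, and query strings are placeholders, not captured traffic.
SAMPLE_LOG = """\
1299000001.123 10.0.0.5 GET http://mobile.meego91.com/mm.do?PARAMS=REDACTED 200
1299000002.456 10.0.0.5 GET http://log.meego91.com:9033/android.log?PARAMS=REDACTED 200
1299000003.789 10.0.0.7 GET http://xml.meego91.com:8118/push/newandroidxml/ 200
1299000004.000 10.0.0.9 GET http://www.example.com/index.html 200
1299000005.000 10.0.0.9 GET http://meego91.com.evil.test/mm.do 200
1299000006.000 10.0.0.7 GET http://placeholder.meego91.com/ 200
"""

if __name__ == "__main__":
    for client, stage, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client:<10} {stage:<24} {url}")
    print("clients to isolate:", infected_clients(SAMPLE_LOG))
```

A request to the registration or command-download URL is a stronger signal than one to an unlisted host under the same domain, which is why the two are reported separately; the per-client summary is what an incident responder hands to the mobile device owner or MDM administrator.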
The commands are enclosed within an .xml file and include the following:
- note
This command is most probably meant to be used to send text messages to premium-rate numbers. A mobile number and content have to be specified, and two additional actions can be performed:
- blacklisting—If specified, the mobile number will be sent to a remote server to check whether it has been blacklisted, in which case the message won't be sent. The URL of the service has to be sent as a parameter to the command, and the blacklist check is performed by issuing a request with the following format:
($blacklist_url) + "/?tel=" + mobilenumber
- response blocking—Android.Pjapps also listens for incoming messages. This allows the note command to specify rules to drop inbound messages if certain conditions are met, so the user doesn't read them. Beginning and end-of-message strings are among the supported filters.
- push
This command performs SMS-spamming and requires the following parameters:
- <smscontent>—Content of the text message
- <smsurl>—A URL to add at the end of the message contents
- <tel>—Mobile numbers to send the text to, separated by '#'
- soft
This command is used to install packages onto the compromised device. The packages are downloaded from a remote URL that has to be sent along with the command as a parameter.
- window
This command makes the mobile navigate to a given website. Android.Pjapps has an order of preference for which browser to use, checking for the presence of the following browsers:
- com.uc.browser
- com.tencent.mtt
- com.opera.mini.android
- mobi.mgeek.TunnyBrowser
- com.skyfire.browser
- com.kolbysoft.steel
- com.android.browser
- mark
The mark command is used to add bookmarks to the compromised device. When the service is first launched, Android.Pjapps may also, by default, add the following bookmarks to the device:
- android.paojiao.cn
- ct2.paojiao.cn
- g3g3.cn
- xbox
This command name is present in Android.Pjapps' command-parsing code, but it appears to be unimplemented.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":