Backdoor.Android.PhantomLance.A

General Explanation

Type: backdoor

Degree of destruction: average

Prevalence: average

What is “Backdoor” malware?

Backdoor malware is an application that lets an attacker bypass the security mechanisms of a system and hands the system's resources over to the intruder. With this method, an attacker can enter the targeted system without any authentication and without having to worry about changed usernames and passwords. Backdoors take different forms, which attackers choose according to their goal for infiltrating a system.

Technical Explanation

“Browser Turbo” is a member of the “Backdoor” malware family. This malware is also known as “PhantomLance”, and the first sample of this family was registered in December 2015. A typical characteristic of this family is that the malware often does not declare its dangerous permissions in its manifest file; instead, during execution, whenever it needs a permission it obtains it through special techniques, and so it reaches its malicious goal of stealing information from the user's phone. In this way it can also bypass the security filters of the various Android application markets.

“Browser Turbo” (version 1) belongs to the “PhantomLance” malware set. In its execution stage it hides its icon and steals confidential information such as location, text messages, call lists, storage data, the list of installed applications and complete information about the user, and sends it to its server. This application can easily, with no intervention by the user, obtain the permissions it needs as runtime permissions (permissions requested at the moment the application needs them) by using “SetUIDMode”.

SetUIDMode: an invalid programming interface through which the application obtains the required permission. It needs root access to execute properly, so the first step before running the root instruction is to verify whether or not the device is rooted. In this part of the application, that command checks whether the device is rooted and returns True if it is. The permissions are then checked against a condition, and if the result is null (i.e. the permission is not held), the following permissions are assigned to the application:

  1. “android.permission-group.SMS”: The application can use SMS and MMS services, so it is able to receive SMS and WAP messages and to read, edit and send SMS and MMS messages, which costs the user money. If it attains this permission group, it can obtain “android.permission.READ_SMS”.
  2. “android.permission-group.MICROPHONE”: The application is able to use the phone's microphone to record sound, with or without the user's permission. If it is granted this permission group, it can obtain “android.permission.RECORD_AUDIO”.
  3. “android.permission-group.STORAGE”: The application can use the files existing on the phone. This ability includes reading and writing on the SD card and USB storage, and it can also format the external storage. On newer phones this permission governs reading the external storage space. If it attains this permission group, it can obtain “android.permission.READ_EXTERNAL_STORAGE” and “android.permission.WRITE_EXTERNAL_STORAGE”.
  4. “android.permission-group.LOCATION”: The application is able to use the phone's location information in either approximate or precise mode. In approximate mode, the application receives the phone's location from the network, while in precise mode it uses the phone's GPS to determine the location. For this, the permission allows the application to access the additional commands of the location provider and the GPS. If it receives this permission group, it can obtain “android.permission.ACCESS_FINE_LOCATION” and “android.permission.ACCESS_COARSE_LOCATION”.
  5. “android.permission-group.CAMERA”: The application can capture images or record videos, with or without the user's knowledge. If it attains this permission group, it can obtain “android.permission.CAMERA”.
  6. “android.permission-group.CALL_LOG”: This permission group gives the application access to the permissions related to “phone settings”. The settings it can change include call forwarding when the line is busy, call forwarding when there is no answer, call forwarding when the phone is unreachable, and so on. If it attains this permission group, it can obtain “android.permission.READ_CALL_LOG”.
  7. “android.permission-group.CALENDAR”: This permission group gives the application access to the user's calendar and events, even when they contain confidential information. With it, the application can create events and send emails to guests without the user's knowledge, which can be very dangerous in some situations. If it attains this permission group, it can obtain “android.permission.READ_CALENDAR” and “android.permission.WRITE_CALENDAR”.
  8. “android.permission-group.PHONE”: The application has direct access to phone numbers and is able to read all call logs or record information there, change the phone state and make calls without the user's knowledge. As with the SMS permission, this can cost the user money. This permission group covers all parts of the phone related to phone calls. If it attains this permission group, it can obtain “android.permission.READ_PHONE_STATE”.
  9. “android.permission-group.CONTACTS”: This permission group is similar to the previous one, with the difference that it only gives access to the contacts stored on the phone, which the application can read or change. If it attains this permission group, it can obtain “android.permission.READ_CONTACTS” and “android.permission.GET_ACCOUNTS”.
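The behaviour described above, dangerous permissions that are never declared in the manifest but are held at runtime, leaves a trace a defender can check for on a device. The following triage script is an added example and is not part of the original description or of Padvish's tooling. It assumes the text of `adb shell dumpsys package <pkg>`, whose "requested permissions:" section lists the manifest-declared permissions and whose "runtime permissions:" section lists runtime grants; the sample output, the package name and the permission-to-group mapping (taken from the nine groups listed above) are constructed for the example. Through the normal permission flow a runtime grant needs a matching manifest declaration, so a grant without one is worth investigating.

```python
"""Flag runtime-granted dangerous permissions that an app never declared.

Input is the text of `adb shell dumpsys package <pkg>` (assumed format).
The manifest-declared permissions appear under "requested permissions:" and
the runtime grants under "runtime permissions:".  SAMPLE_DUMPSYS below is a
constructed excerpt, not real device output.
"""
import re

# Dangerous permissions mapped to the permission groups named in the
# description above (assumed mapping; extend as needed).
DANGEROUS_GROUPS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.READ_CALENDAR": "CALENDAR",
    "android.permission.WRITE_CALENDAR": "CALENDAR",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
}

# Constructed sample: the app declares only network permissions in its
# manifest, yet holds several dangerous runtime grants.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.browserturbo] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""


def parse_dumpsys(text):
    """Return (declared, runtime_granted) permission name sets."""
    declared, granted = set(), set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"([a-z]+) permissions:", line)
        if header:
            # Track which permission section we are in.
            section = header.group(1)
            continue
        if section == "requested" and re.fullmatch(r"[A-Za-z0-9_.]+", line):
            declared.add(line)
        elif section == "runtime":
            m = re.match(r"([A-Za-z0-9_.]+): granted=(true|false)", line)
            if m and m.group(2) == "true":
                granted.add(m.group(1))
    return declared, granted


def undeclared_dangerous_grants(text):
    """Map permission group -> dangerous permissions granted at runtime but
    absent from the manifest's requested list."""
    declared, granted = parse_dumpsys(text)
    findings = {}
    for perm in sorted(granted - declared):
        group = DANGEROUS_GROUPS.get(perm)
        if group:
            findings.setdefault(group, []).append(perm)
    return findings


if __name__ == "__main__":
    for group, perms in undeclared_dangerous_grants(SAMPLE_DUMPSYS).items():
        print(f"[suspicious] group {group}: granted without declaration: {perms}")
```

On a real device, run `adb shell dumpsys package com.example.app > dump.txt` (package name is a placeholder) and pass the file contents to `undeclared_dangerous_grants`; any group reported there corresponds to one of the nine permission groups listed above and deserves a closer look at how the app obtained it.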

The information this application collects from the user's phone:

  • First, it obtains full access to the storage and then, using the totalMem method, retrieves full system information such as CPU, RAM, buffer, memory consumption, and free and used memory space.
  • Access to the user's location, obtained through the internet connection or GPS, which it checks and updates every 15 minutes.
  • Access to the last location the user was at.
  • Using “getSystemService”, it can access confidential information about the user, such as the unique device signature.

How to deal with it and disinfect the system

To ensure that the system is not infected, install Padvish antivirus, keep its database file up to date, and scan the system with the antivirus.

Methods of preventing phone infection:

  1. Avoid downloading and installing applications from unauthorized sources.
  2. Pay attention to the permissions requested when installing an application.
  3. Regularly back up stored files and data.
  4. Do not use unofficial versions of any application. Applications such as Telegram and Instagram have many unofficial versions, and most of them are distributed through Telegram channels.
