Trojan.Android.GoodNews.G

General Explanation

Type: Trojan

Degree of destruction: average

Prevalence: average

What is a Trojan?

Trojans are malware that present themselves as a useful, legitimate tool. The user therefore downloads and installs them and infects the system without noticing that they are malware. After installation, Trojans usually act as a backdoor so the attacker can remotely access the victim’s system. For instance, the malware analyzed here appears to do a useful job, but it installs an unwanted application on the system.

What is the GoodNews malware family?

This malware family spreads itself from the infected user’s phone.

Technical Explanation

This malware is named “Tiktok v2”, posing as one of the most famous apps in the world, in which users share short videos with background music. In the first stage of execution, a fake progress bar appears and stalls, while in the background the malicious operation proceeds. The main goal of this malware is to spread as widely as possible and to show ads.

The malware requests the following sensitive and dangerous permissions and checks whether they have been granted; once it holds all of the permissions it wants, it hands control to the Act service. To show ads, it runs the AppLovin advertising service (AppLovin is a service that turns the user’s phone into a device for the advertiser).

  • android.permission.READ_CONTACTS
  • android.permission.SEND_SMS
  • android.permission.READ_PHONE_STATE
  • android.permission.ACCESS_COARSE_LOCATION
  • android.permission.ACCESS_FINE_LOCATION

Act service:

  • It calls the getActiveSubscriptionInfoList method (which returns data about the active SIM cards) to determine which SIM cards are active and which operators they belong to.
  • It then scans the index of received text messages for the strings “IDEA”, “AIRTEL”, “JIO” or “VODAFONE”; if any of them is present, the SIM card’s operator is Indian (“JIO”, “IDEA”, “AIRTEL” and “VODAFONE” are Indian telecom companies).
  • Then, if the victim’s SIM card belongs to JIO and does not have enough balance to send SMS, it immediately recharges the victim’s SIM card through the JIO Recharge API; for this it checks the Indian area codes associated with JIO (for example 916000, 916001, 916002, etc.).
  • After completing these checks on the victim’s SIM operator, it sends an SMS to the contacts stored in the phone in order to spread itself as widely as possible. The malware decodes the encoded data embedded in the application code and sends it to every saved contact in the victim’s phone at random time intervals; this SMS contains the link to the infected download file (apk).

Encoded data in the program code, encrypted with DESede (Triple DES):

j = "l5Q4G1VH164J/NrvvFUoj6rZr79IRw5LxyUn/gwDVNCPjY4/z7ly2vojbWGLGgBICxC9sbkTfV8umak8zLm7qDhsKHaqxmuAn18J9YPq1sKC/8wmNlpdbr5SPb/TalS7VDh+FZ4Vm53v+pz2DaikXSvLyLZ71b3S5GGXLyaEIPmZwUS/WgNcS50dFHbMyApliSUqUJfX1CY="

Decrypting this data with the key present in the program code (ThisIsSpartaThisIsSparta) yields the following message, which encourages recipients to install the new version of the Tiktok application:

Tiktok is back in India Now

make Creative videos again with new features

Download the new form (Tiktok v2) below

Link: hxxp[:]//tiny[.]cc/Tiktok-v2

The link hxxp[:]//tiny[.]cc/Tiktok-v2 (both the link and the file downloaded from it are infected) points to the apk file. After this SMS is sent to the victim’s contacts, the propagation procedure repeats as follows:

  1. Other victims receive an SMS that includes the infected download link.
  2. As soon as a recipient clicks the link, the malware is downloaded.
  3. Victims install the infected program on their smartphones.
  4. The infected program is executed, and the destructive procedure described above runs again, spreading further.
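As an added triage example (not Padvish’s code and not from the sample), the script below covers both the permission list above and the decrypted SMS lure: it parses permission lines in the `aapt dump permissions` format (assumed format, constructed sample), reports the overlap with the GoodNews.G permission set, flags the SEND_SMS plus READ_CONTACTS pairing an SMS-spreading sample needs, and matches an SMS body against the Tiktok-v2 lure shape in plain or defanged form.

```python
import re

# Permissions the analysis above lists for GoodNews.G
GOODNEWS_PERMISSIONS = frozenset({
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
})
# Minimum pairing an SMS-spreading sample needs: read the address book and send to it
SMS_WORM_CORE = frozenset({"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"})
# Lure shape from the decrypted payload: a "Tiktok" pitch followed by a tiny.cc link,
# matched in plain or defanged (tiny[.]cc) form
LURE_PATTERN = re.compile(r"tiktok.*?tiny(?:\.|\[\.\])cc", re.IGNORECASE | re.DOTALL)
# Line shape assumed for `aapt dump permissions` output
_PERM_LINE = re.compile(r"uses-permission: name='([^']+)'")


def parse_aapt_permissions(dump: str) -> set:
    """Return the set of permission names found in an aapt-style dump."""
    return set(_PERM_LINE.findall(dump))

def goodnews_overlap(perms) -> set:
    """Permissions the APK shares with the GoodNews.G list."""
    return set(perms) & GOODNEWS_PERMISSIONS

def is_sms_worm_candidate(perms) -> bool:
    """True when the APK holds both SEND_SMS and READ_CONTACTS."""
    return SMS_WORM_CORE <= set(perms)

def looks_like_lure(sms_body: str) -> bool:
    """True when an outgoing SMS body has the Tiktok-v2 lure shape."""
    return LURE_PATTERN.search(sms_body) is not None


# Constructed sample dump (not from a real APK) mirroring the permission list above
SAMPLE_DUMP = """package: com.example.tiktok_v2
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
# Constructed SMS bodies: the decrypted lure quoted above, and a benign message
SAMPLE_LURE = ("Tiktok is back in India Now make Creative videos again with new features "
               "Download the new form (Tiktok v2) below Link: hxxp[:]//tiny[.]cc/Tiktok-v2")
SAMPLE_BENIGN = "Your OTP is 123456. Do not share it with anyone."
```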

How to deal with it and disinfect the system

To make sure that the system is safe, install Padvish antivirus, keep its database file up to date, and scan the system.

Methods of preventing phone infection:

  1. Avoid downloading and installing any application from unauthorized sources or markets.
  2. Pay attention to the requested permissions when installing a mobile application.
  3. Continuously back up your saved data and files.
  4. Do not use unofficial versions of applications. Applications such as Telegram and Instagram have many unofficial versions, most of which are distributed through Telegram channels.
