February 17, 2012Nathan Collier By Nathan Collier

An Evolution of Android Malware “My How You’ve Grown PJAPPS!” (Part 1)

We’ve all seen software grow.  We watch as our favorite software adds on new features and becomes better at what it does.  Malware writers are no different, they want their software to have more features as well as steal even more information. PJApps is a good example of this. PJApps is a Trojan that’s been around for a while causing havoc by being bundled in legitimate applications found in alternative Android markets, it is capable of opening a backdoor, stealing data and blocking sms behind the scenes.  In one variant of PJApps it requests the following permissions to steal information:

INTERNET
RECEIVE_SMS
SEND_SMS
READ_HISTORY_BOOKMARKS
WRITE_HISTORY_BOOKMARKS
INSTALL_PACKAGES
WRITE_EXTERNAL_STORAGE
READ_PHONE_STATE

Here’s some of things the older variants of PJApps stole:

-SIM Card Number
-Telephone Number
-IMSI Number

 

 

 

PJApps has grown quite a bit since its first variants.  Here’s a list of all the fun stuff it has access to now:

ACCESS_CACHE_FILESYSTEM
ACCESS_COARSE_LOCATION
ACCESS_DOWNLOAD_MANAGER
ACCESS_DOWNLOAD_MANAGER_ADVANCED
ACCESS_DRM
ACCESS_FINE_LOCATION
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
CHANGE_NETWORK_STATE
INSTALL_DRM
READ_LOGS
READ_SMS
RECEIVE_WAP_PUSH
SEND_DOWNLOAD_COMPLETED_INTENTS
VIBRATE
WRITE_APN_SETTINGS
WRITE_CALENDAR
WRITE_CONTACTS
WRITE_OWNER_DATA
WRITE_SETTINGS
WRITE_SMSWRITE_SYNC_SETTINGS

In this variant,  PJApps pretends to be SyncMyPix package name com.nloko.android.syncmypix, an app used to automatically update your contacts with your Facebook friend’s photos… which this malicious app will do plus some extra nasty stuff in the background.  Here’s a list of some of the stuff it does that the first variant didn’t:

-Tracks the time and location of where you are:

– Obvious sign of downloading and installing an apk in the background

It also can:
-Reads logs
-Write to Calendar
-Write to Contacts

Quite a few more features than other versions of PJApps.  Really have to wonder why a picture sync app would track your location and block incoming SMS, another reminder to choose your apps wisely and download from a trusted source. Check reviews, research and verify permissions requested before installing and on updates to apps.

Share Button

7 Responses to An Evolution of Android Malware “My How You’ve Grown PJAPPS!” (Part 1)

    • Nice finding and great analysis!

      Could you please provide the sample for me to have a look? Or you can tell me where you download the pirated app. Thanks!

      • We can’t provide a sample of the actual malware but we can tell you that the files were collected off 3rd party Chinese Android Markets and among the benign files were also different types of malware. Hope this helps!

    • The best thing to do is to stick to the reputable Android markets like Google Play (Google’s Android Market) and Amazon, and to avoid 3rd party markets. Most times, as with this the Trojan explained in this post, bad apps are found in “unofficial” markets and that’s where you can get into trouble. You should also download a mobile AV solution like Webroot SecureAnywhere Mobile to make sure you are fully protected on your phone.

Leave a Reply

Your email address will not be published. Required fields are marked *

true