New versatile and remote-controlled “Android.MouaBot” malware found in the wild


By Cameron Palan and Nathan Collier

Recently, we discovered a new malicious Android application called Android.MouaBot. This malicious software is a bot contained within another basic app; in this case, a Chinese calculator application. Behind the scenes, it automatically sends an SMS message to an auto-reply number, which replies to the phone with a set of commands/keywords. This reply is then parsed, and the various plugins within the malicious packages are run or enabled.

To find out how to contact the auto-reply numbers, the app relies on two files within its package that list a few URLs. Each URL, when visited, displays a single line referring the app to another IP address. These IPs are then used to send configuration information down to the app.

pic1

Once the app has the information it needs, it will text an auto-reply SMS number to receive commands on how or what to execute. When it receives a text, it will first check to see if it is from the auto-reply number, and then check the message for keywords. The message is also logged, regardless of its origin.

pic2

As this is all occurring, the application suppresses the automatic SMS messages so the user does not see them. The bot’s behavior when receiving SMS can actually be seen in the logs as well:

pic3

The various plugins or functions of the bot appear to range from changing APN settings to preventing the phone from being locked. It’s possible other functionality could be added or downloaded by the bot in addition to the main functionality.
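The behaviors described above (silent SMS send and receive, SMS suppression, APN changes, keeping the phone unlocked) leave traces in an app's manifest that can be checked before install. The following triage script is an added example, not code from the original analysis or from the malware; the permission mapping and the sample manifest are assumptions, since the article does not list what MouaBot actually requests.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Assumed mapping of the article's behaviours to Android permissions (not from the page).
BEHAVIOUR_PERMS = {
    "android.permission.SEND_SMS": "sends SMS without user interaction",
    "android.permission.RECEIVE_SMS": "reads incoming SMS",
    "android.permission.WRITE_APN_SETTINGS": "changes APN settings",
    "android.permission.DISABLE_KEYGUARD": "prevents the phone from locking",
}

# Constructed manifest for illustration (as decoded by a tool such as apktool).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text, min_priority=1000):
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name")
        if name in BEHAVIOUR_PERMS:
            findings.append((name, BEHAVIOUR_PERMS[name]))
    # Before Android 4.4 SMS_RECEIVED was an ordered broadcast: a top-priority receiver could abort it.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            prio = flt.get(NS + "priority", "0")
            prio = int(prio) if prio.lstrip("-").isdigit() else 0
            if SMS_RECEIVED in actions and prio >= min_priority:
                findings.append((receiver.get(NS + "name"),
                                 "high-priority SMS receiver (can suppress SMS)"))
    return findings

if __name__ == "__main__":
    print(*triage_manifest(SAMPLE_MANIFEST), sep="\n")
```

A calculator app that produces any of these findings deserves a closer look, since none of them are needed for arithmetic.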

Malware like this is just another reason why you should have Webroot SecureAnywhere installed on your mobile device.





About the Author

Name: Nathan Collier
Role: Retired ThreatBlog Member


Nathan was a Senior Threat Research Analyst for Webroot, having been with the company since October 2009. He started his career working on PC malware, but now spends most of his time in the mobile landscape researching malware on Android devices. Because of his early adaptation to mobile security, Nathan has seen the exponential growth of mobile malware and is highly experienced in protecting Webroot customers from mobile threats. He also enjoys frequently traveling with his flight attendant wife, Megan, and is a competitive endurance mountain bike racer in Colorado.

