Chinese Android app stores were distributing apps that concealed a piece of malware called TigerBot, security researchers said.
TigerBot (ANDROIDOS_TIGERBOT.EVL), also known as Spyera, came to the attention of Trend Micro researchers, who analyzed the malicious component. They found that the malware is controlled by its operators over SMS or phone calls and can carry out tasks such as call recording and GPS tracking.
The list of commands accepted by TigerBot includes: DEBUG, CHANGE_IAP, PROCESS_LIST_ADD, PROCESS_LIST_DELETE, ACTIVE, and DEACTIVE.
DEBUG lets the attackers retrieve the names of the currently running processes, TigerBot's configuration and the device's network status.
When the malware receives the CHANGE_IAP command, it reconnects to the network after changing the infected device's Access Point Name (APN). The attacker then receives an SMS reporting whether the change succeeded or failed.
The code behind PROCESS_LIST_ADD and PROCESS_LIST_DELETE does not appear to be complete, but the keywords manage a list of processes: those added to the list are killed every five minutes.
The ACTIVE command, as the name suggests, activates TigerBot. On receiving it, the malware sends an HTTP POST containing the phone's IMEI, app key, timestamp and signature to the backend server.
In order to deactivate TigerBot, you have to place a phone call to *#[key.
A second set of commands is also delivered over SMS. UPLOAD_NETWORKINFO, for instance, returns the GSM and CDMA location, and SEND_MSG_TO_TARGET sends an SMS with arbitrary content to a number of the attacker's choosing.
Attackers who want to reboot the device or take a screenshot can use RESTART_DEVICE and CAPTURE_IMAGE.
Android users who want to check a phone for a TigerBot infection can send it the DEBUG command: from another phone, send a text message containing "* *" to the device under test. If a list of processes comes back, the device is infected.
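The command keywords above are plain strings, which makes them usable as triage indicators in two places: inside an APK (the strings live in classes.dex, where ASCII keywords are byte-searchable) and in SMS traffic, where a keyword in a message body, or a process-list reply to the "* *" DEBUG probe, marks a device as controlled. The script below is an added example, not Trend Micro's or the article's code. The APK and SMS samples are constructed in memory; the three-keyword threshold and the package-name heuristic for a DEBUG reply are assumptions chosen here to keep single benign words such as ACTIVE from firing.

```python
"""Triage helpers for the SMS-controlled TigerBot spyware described above.

scan_apk_for_commands()  - open an APK (a zip) and look for the command
                            keywords in classes.dex and bundled assets.
classify_sms()           - return the TigerBot command carried by an SMS body.
looks_like_debug_reply() - recognise a DEBUG reply (a list of running processes).
"""
import io
import re
import zipfile

# Command keywords quoted in the article (the malware's full set is larger).
TIGERBOT_COMMANDS = {
    "DEBUG", "CHANGE_IAP", "PROCESS_LIST_ADD", "PROCESS_LIST_DELETE",
    "ACTIVE", "DEACTIVE", "UPLOAD_NETWORKINFO", "SEND_MSG_TO_TARGET",
    "RESTART_DEVICE", "CAPTURE_IMAGE",
}

# Assumption: words like DEBUG or ACTIVE appear in benign code too, so an APK is
# only flagged when several of the keywords are present together.
MIN_KEYWORD_HITS = 3


def scan_apk_for_commands(apk_bytes: bytes) -> set:
    """Return the TigerBot keywords found in the APK's dex files and assets.

    Dex string tables are MUTF-8, so ASCII keywords can be matched as raw bytes.
    """
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.endswith(".dex") or name.startswith(("assets/", "res/raw/"))):
                continue
            data = zf.read(name)
            found.update(cmd for cmd in TIGERBOT_COMMANDS if cmd.encode("ascii") in data)
    return found


def apk_is_suspicious(apk_bytes: bytes) -> bool:
    return len(scan_apk_for_commands(apk_bytes)) >= MIN_KEYWORD_HITS


# Longest keywords first; \b keeps ACTIVE from matching inside DEACTIVE.
_CMD_RE = re.compile(r"\b(" + "|".join(sorted(TIGERBOT_COMMANDS, key=len, reverse=True)) + r")\b")


def classify_sms(body: str):
    """Return the command an SMS body carries, or None for an ordinary message."""
    if body.strip() == "* *":          # the DEBUG probe described in the article
        return "DEBUG"
    m = _CMD_RE.search(body)
    return m.group(1) if m else None


# Assumption: a DEBUG reply lists running processes, and Android process names are
# usually reverse-DNS package names, so several of them in one SMS is the signal.
_PKG_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*){2,}\b")


def looks_like_debug_reply(body: str, min_packages: int = 3) -> bool:
    return len(set(_PKG_RE.findall(body))) >= min_packages


def _make_apk(dex_payload: bytes) -> bytes:
    """Build a minimal constructed APK (zip) whose classes.dex contains dex_payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
    return buf.getvalue()


# Constructed samples: one APK carrying four command strings, one with a lone DEBUG.
SAMPLE_MALICIOUS_APK = _make_apk(b"\x00DEBUG\x00CHANGE_IAP\x00ACTIVE\x00CAPTURE_IMAGE\x00")
SAMPLE_BENIGN_APK = _make_apk(b"\x00DEBUG\x00MainActivity\x00")

# Constructed SMS log: (direction, body).
SAMPLE_SMS_LOG = [
    ("in", "see you at 5"),
    ("in", "ACTIVE"),
    ("in", "* *"),
    ("out", "com.android.phone\ncom.google.android.gms\ncom.example.tigerbot"),
    ("in", "SEND_MSG_TO_TARGET 5551234 hello"),
]


def triage_sms_log(log):
    """Return the (direction, body, verdict) triples worth an analyst's attention."""
    hits = []
    for direction, body in log:
        cmd = classify_sms(body)
        if cmd:
            hits.append((direction, body, "command:" + cmd))
        elif direction == "out" and looks_like_debug_reply(body):
            hits.append((direction, body, "debug-reply"))
    return hits


if __name__ == "__main__":
    print("malicious APK:", sorted(scan_apk_for_commands(SAMPLE_MALICIOUS_APK)), apk_is_suspicious(SAMPLE_MALICIOUS_APK))
    print("benign APK:", sorted(scan_apk_for_commands(SAMPLE_BENIGN_APK)), apk_is_suspicious(SAMPLE_BENIGN_APK))
    for hit in triage_sms_log(SAMPLE_SMS_LOG):
        print(hit)
```

Run it directly to see the two APK verdicts and the four flagged SMS entries; to use it on a real sample, pass the APK's bytes to `apk_is_suspicious` and an exported SMS log to `triage_sms_log`. Keyword matching is a cheap first pass only: a repackaged sample with obfuscated strings would evade the dex scan, so treat a hit as a reason to look at the app's SMS receiver and outbound HTTP POSTs, not as a final verdict.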