Stiniter Android Trojan uses new techniques

May 11, 2012

SonicWALL UTM Research team received reports of a new sophisticated Trojan targeting the Android platform. This Trojan, called Stiniter/TGLoader, is a modified version of an Android game with an additional malicious service. During our analysis we found that the Trojan was installing multiple modules (ELF and APK), contacting a remote command and control server, and sending messages to a premium rate number.

When the rogue application is run, it in turn installs four ELF executable modules and three Android applications. The sequence of events on execution is shown below:

screenshot

The installed Android applications use misleading names and request the following permissions:

  • GoogleService:
    • Modify/delete SD card contents
    • Read phone state and identity
    • Start at boot
  • GoogleSMS:
    • Send SMS messages
    • Read phone state and identity
  • Unlock:
    • Modify/delete SD card contents
    • Read phone state and identity
    • Prevent phone from sleeping
    • Disable keylock
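The permission sets above are what the Android installer shows a user at install time; when triaging a suspect APK, the same information is recoverable from the decoded AndroidManifest.xml. The following is an added example (not code from the original write-up or from SonicWALL) that extracts the requested permissions from a manifest and flags the combinations seen in these three components. The permission constants are the real Android permission names behind the installer labels quoted above; the manifests and package names in the sample are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android permission constants and the installer labels the write-up quotes.
PERMISSION_LABELS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify/delete SD card contents",
    "android.permission.READ_PHONE_STATE": "Read phone state and identity",
    "android.permission.RECEIVE_BOOT_COMPLETED": "Start at boot",
    "android.permission.SEND_SMS": "Send SMS messages",
    "android.permission.WAKE_LOCK": "Prevent phone from sleeping",
    "android.permission.DISABLE_KEYGUARD": "Disable keylock",
}

# Combinations worth a second look in an app with no visible need for them
# (a game, or a background service with a Google-sounding name). A rule
# fires when every permission in its set is requested.
RISK_RULES = {
    "premium-sms": {"android.permission.SEND_SMS",
                    "android.permission.READ_PHONE_STATE"},
    "boot-persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "keyguard-tamper": {"android.permission.DISABLE_KEYGUARD",
                        "android.permission.WAKE_LOCK"},
}


def make_manifest(package, permissions):
    """Build a minimal decoded AndroidManifest.xml (constructed test input)."""
    uses = "".join(
        '  <uses-permission android:name="%s"/>\n' % p for p in permissions)
    return ('<manifest xmlns:android="%s" package="%s">\n%s</manifest>\n'
            % (ANDROID_NS, package, uses))


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def triage(manifest_xml):
    """Map permissions to installer labels and report which risk rules fire."""
    perms = requested_permissions(manifest_xml)
    labels = sorted(PERMISSION_LABELS.get(p, p) for p in perms)
    flags = sorted(rule for rule, needed in RISK_RULES.items() if needed <= perms)
    return {"permissions": labels, "flags": flags}


# Constructed manifests mirroring the three components' permission sets.
# Package names are placeholders, not the samples' real package names.
GOOGLE_SERVICE = make_manifest("com.example.googleservice", [
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED"])
GOOGLE_SMS = make_manifest("com.example.googlesms", [
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE"])
UNLOCK = make_manifest("com.example.unlock", [
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.DISABLE_KEYGUARD"])

if __name__ == "__main__":
    for name, manifest in (("GoogleService", GOOGLE_SERVICE),
                           ("GoogleSMS", GOOGLE_SMS), ("Unlock", UNLOCK)):
        print(name, triage(manifest))
```

The rules are deliberately coarse: SEND_SMS together with READ_PHONE_STATE is common in legitimate messaging apps, so the output is a prompt for analyst review, not a verdict. In practice the manifest would come from a decoder such as apktool rather than being built inline.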

It performs the following activities:

  • It drops the following files and makes them world-readable, writable and executable with 'chmod 777':
    • /data/data/android.gdwsklzz.com/googleservice.apk
    • /data/data/android.gdwsklzz.com/googlemessage.apk
    • /data/data/android.gdwsklzz.com/unlock.apk
    • /data/data/android.gdwsklzz.com/start
    • /data/data/android.gdwsklzz.com/initr
    • /data/data/android.gdwsklzz.com/keeper
    • /data/data/android.gdwsklzz.com/ts
  • It disables keyguard and prevents the processor from going to sleep.
  • It remounts the /system partition on the device read-write.
  • It sends device information to a remote server:
      screenshot
  • It has the ability to send touchscreen events.
  • It downloads the configuration file containing the number for premium rate messaging from a remote server:
      screenshot
  • It sends SMS messages to the premium rate number from the configuration file.
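Two of the activities above leave artifacts that can be checked on a device from an adb shell: payload files set to mode 777 in the dropper's data directory, and /system mounted read-write. The following is an added example (not code from the original write-up or from SonicWALL) that parses `ls -l` output and /proc/mounts content and reports both conditions. The sample listings are constructed; the file names match those listed above, while owner, size and timestamp columns are made up.

```python
# Constructed `ls -l` output for the dropper's data directory
# (/data/data/android.gdwsklzz.com, as named in the write-up).
SAMPLE_LS = """\
-rwxrwxrwx app_42   app_42      43210 2012-05-11 10:02 googleservice.apk
-rwxrwxrwx app_42   app_42      28765 2012-05-11 10:02 googlemessage.apk
-rwxrwxrwx app_42   app_42      19876 2012-05-11 10:02 unlock.apk
-rwxrwxrwx app_42   app_42       5120 2012-05-11 10:02 start
-rw-r--r-- app_42   app_42        512 2012-05-11 10:02 shared_prefs.xml
drwxr-xr-x app_42   app_42            2012-05-11 10:01 lib
"""

# Constructed /proc/mounts content, once with /system remounted rw and
# once in the normal read-only state.
MOUNTS_RW = """\
rootfs / rootfs ro 0 0
/dev/block/mtdblock3 /system yaffs2 rw,relatime 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0
"""
MOUNTS_RO = MOUNTS_RW.replace("/system yaffs2 rw,", "/system yaffs2 ro,")


def world_writable_files(ls_output):
    """Return names of regular files whose mode grants write to 'other'.

    A mode string such as -rwxrwxrwx has the 'other' write bit at index 8;
    this catches chmod 777 as well as 666, which app-private data files
    should never carry.
    """
    hits = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mode = fields[0]
        if len(mode) != 10 or mode[0] != "-":
            continue  # skip directories, symlinks and malformed lines
        if mode[8] == "w":
            hits.append(fields[-1])
    return hits


def system_mounted_rw(proc_mounts):
    """True if the /system mount line carries the 'rw' option."""
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "/system":
            return "rw" in parts[3].split(",")
    return False


def triage_device(ls_output, proc_mounts):
    """Summarise both indicators for a device snapshot."""
    return {
        "world_writable": world_writable_files(ls_output),
        "system_rw": system_mounted_rw(proc_mounts),
    }


if __name__ == "__main__":
    print(triage_device(SAMPLE_LS, MOUNTS_RW))
```

On a live device the inputs would come from `adb shell ls -l <datadir>` and `adb shell cat /proc/mounts`; a /system mount showing rw on a device the user has not rooted, together with 777 payloads under a game's data directory, is a strong sign that something like this dropper has run.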

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: AndroidOS.Stiniter.B (Trojan)