Trojan Attempts to Replace System Launcher and Collects Confidential Information

A malicious app was detected by Trustlook as “Android.Trojan.Ihide”, disguised itself as a system program and stole a  user’s information. The research Trojan package can be identified as having the following characteristics:

  • MD5: A7C61401D00DD6398B549F4625BD58ED
  • SHA256: 3AD322E600D72659C8F4182439C18DAAAEC2045716984B9D1F79FB1641773098
  • Size: 1090390 bytes
  • App name: AndroidService
  • Package name:

The package icon is:

Screen Shot 2016-07-25 at 2.52.10 PM

Upon the execution, the app opens the Accessibility setting window to trick users into believe it is a legitimate system app:

Screen Shot 2016-07-25 at 2.52.16 PM

The app forces the user to grant the device admin to maintain the persistence on the system:

Screen Shot 2016-07-25 at 2.52.36 PM

The app attempts to replace the system launcher:

Screen Shot 2016-07-25 at 2.52.44 PM

The malicious app sends SMS message out continuously:

Screen Shot 2016-07-25 at 2.53.26 PM

The app contacts “” to obtain the current location information:

Screen Shot 2016-07-25 at 2.53.35 PM

The following code snippets demonstrate how the malware constructs and sends the above request:

Screen Shot 2016-07-25 at 2.35.54 PM

The malware attempts to collect the following information:

  • SMS message:

 Screen Shot 2016-07-25 at 2.37.04 PM

  • Contact information:

Screen Shot 2016-07-25 at 2.37.54 PM

  • Call log and recording:

Screen Shot 2016-07-25 at 2.38.38 PM

  • Camera capture:

     Screen Shot 2016-07-25 at 2.39.38 PM

  • Location information:

Screen Shot 2016-07-25 at 2.40.26 PM

  • Wifi password file:

Screen Shot 2016-07-25 at 2.41.34 PM

  • Screen capture:

          Screen Shot 2016-07-25 at 2.42.20 PM

  • Browser history

  Screen Shot 2016-07-25 at 2.43.07 PM

Furthermore, the app is capable of:

  • sending SMS message:

Screen Shot 2016-07-25 at 2.43.45 PM

  • Terminating process:

Screen Shot 2016-07-25 at 2.44.24 PM

  • Downloading and installing APKs:

Screen Shot 2016-07-25 at 2.45.01 PM

The malware most likely targets Android users in China, since the simplified Chinese language and Baidu location service are used in the code.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s