Mobile security researchers reported the emergence of an Android malware called Tigerbot. The said malware is actually an app called Spyera, which we detect as ANDROIDOS_TIGERBOT.EVL. The said app was found in third-party Chinese app stores.
We tried to analyze this app to check if it is indeed malicious. Below are our findings:
When installed, ANDROIDOS_TIGERBOT.EVL shows a different icon, usually that of a legitimate application. Some malware families use the same routine to trick users into thinking that the app is a harmless file. The fact that Tigerbot uses the same installation routine raises questions about the intention of this application.
Tigerbot is controlled via either SMS or phone calls. It is capable of recording phone calls, tracking the device via GPS, or rebooting the device. Digging deeper into its routines, we found several commands that are of a dubious nature:
- DEBUG – initially checks running processes and the configuration of the Spyera app, and connects to a URL to check the network status
- CHANGE_IAP – changes the phone’s APN (Access Point Name)
- PROCESS_LIST_ADD – adds a phone process name to a list (the list is used to kill processes)
- PROCESS_LIST_DELETE – deletes a phone process name that is in the list
- ACTIVE – activates the copy of Tigerbot
- DEACTIVE – deactivates the copy of Tigerbot
The above-listed capabilities can be maliciously used to send private information to an attacker. These are among the reasons why we are detecting the application as malware.
The following details the 4 different command sets used by Tigerbot:
Command Set A
The following commands may be used by an attacker to gather information from the device:
- DEBUG – Returns currently running process names and the current configuration, and attempts to verify the Internet connection.
Upon receiving the DEBUG command, Tigerbot will:
- Immediately return the currently running process names. This gives the attacker a way to identify the victim.
- After 12 seconds, return Tigerbot’s configuration if the copy is not yet activated.
- After 20 seconds, check the network status by connecting to a URL and return the network status to the SMS sender.
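The DEBUG behaviour described above (a command SMS answered by replies at roughly 0, 12 and 20 seconds) is a pattern a defender can look for in an SMS log. The following is an added example, not code from the original analysis or from Tigerbot: it runs over a constructed in/out SMS log, flags inbound messages carrying the command keywords listed above, and marks a DEBUG command whose sender receives replies near the three expected delays. The log format, numbers and message bodies are all assumptions made for the example.

```python
from dataclasses import dataclass

# Command keywords named in the analysis above.
TIGERBOT_COMMANDS = {"DEBUG", "CHANGE_IAP", "PROCESS_LIST_ADD",
                     "PROCESS_LIST_DELETE", "ACTIVE", "DEACTIVE"}
# Reply delays after a DEBUG command, per the analysis: 0s, 12s, 20s.
DEBUG_REPLY_DELAYS = (0.0, 12.0, 20.0)

@dataclass
class Sms:
    ts: float        # seconds since log start (constructed timestamps)
    direction: str   # "in" (received) or "out" (sent by the device)
    number: str      # remote party
    body: str

def command_word(msg):
    """First token of an inbound body, upper-cased; None for outbound or empty."""
    if msg.direction != "in" or not msg.body.strip():
        return None
    return msg.body.split()[0].upper()

def timed_replies(log, cmd, tolerance=2.0):
    """Count expected delays that have an outbound reply to the sender nearby."""
    outbound = [m for m in log if m.direction == "out" and m.number == cmd.number]
    return sum(1 for delay in DEBUG_REPLY_DELAYS
               if any(abs(m.ts - cmd.ts - delay) <= tolerance for m in outbound))

def flag_suspicious(log):
    """Return (ts, number, reason) alerts for Tigerbot-style command traffic."""
    alerts = []
    for msg in log:
        word = command_word(msg)
        if word not in TIGERBOT_COMMANDS:
            continue
        reason = f"inbound {word} command keyword"
        if word == "DEBUG" and timed_replies(log, msg) >= 2:
            reason += " followed by the 0s/12s/20s reply pattern"
        alerts.append((msg.ts, msg.number, reason))
    return alerts

# Constructed sample log: one benign exchange, one DEBUG exchange, one PROCESS_LIST_ADD.
SAMPLE_LOG = [
    Sms(0.0, "in", "+15550000001", "are we still on for lunch?"),
    Sms(30.0, "out", "+15550000001", "yes, 12:30"),
    Sms(100.0, "in", "+15559999999", "DEBUG"),
    Sms(100.4, "out", "+15559999999", "com.android.phone;com.example.mail"),
    Sms(112.1, "out", "+15559999999", "cfg=..."),
    Sms(120.6, "out", "+15559999999", "net=ok"),
    Sms(200.0, "in", "+15559999999", "PROCESS_LIST_ADD com.example.mail"),
]

if __name__ == "__main__":
    for alert in flag_suspicious(SAMPLE_LOG):
        print(alert)
```

A bare keyword match alone is weak (ordinary conversations can contain these words), which is why the DEBUG alert is strengthened only when the timed replies to the same number are present.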