PoisonCake

January, 2015

Summary

Bootkit malware, Premium SMS sending, phone information leakage

GroDDViewer graphs:

Details

This malware belongs to the bootkit family. It is mostly installed during an Android OS upgrade and sets itself up from there. Once the ELF is executed, the malware creates background services and performs malicious actions such as sending and intercepting SMS, sending premium SMS, collecting phone information and uploading it to a remote server, downloading other malicious files, and updating itself. PoisonCake consists of three parts: initialization, the core framework and the plugins. DM (an ELF executable) is the executable that performs setup and environment initialization. It runs reactor.dex.jar in a main thread. reactor.dex.jar is the core framework, in charge of scheduling plugins, new events and commands in an endless loop. The last part deals with plugin installation. PoisonCake contains 8 plugins and installs them through the main thread (reactor.dex.jar). The plugins carry out the malicious actions described above.

Other resources

Triggering

Create the /data/.3q directory, push the dm executable onto the device, and run dm.

Characteristics

Malware type :

Attacks :

Infection technique :

Malicious code type :

Hiding techniques :

Triggering techniques :

Samples

Java source code extracts:
