Android:qysly

Original Issue Date:- July 17, 2019
Virus Type:- Trojan
Severity:- Medium

It has been reported that a malware named "android.qysly", which targets Android devices, is spreading. The malware has the following features:

  • Targets user privacy and the security of the device.
  • Steals personal information, gains unauthorized access, dials premium numbers and sends text messages.
  • Locks/encrypts the infected device and demands a ransom.
  • Installs adware on the victim's phone.
  • Uses device administrator privileges to kill running processes, create shortcuts and make uninstallation difficult.
  • Makes a network connection to a remote server and sends device information such as Android version, App ID, IMSI, IMEI, CPU info (name and number of cores), package name, Wi-Fi connection state, MAC address, SD card size, internal memory size, phone screen resolution, etc.
  • Some variants are capable of detecting Android emulation: they detect the Android SDK emulator and other emulators from Genymotion, BlueStacks and BuilDroid.


Aliases

Android/Deng.FYE[AVG], Android.Backdoor.196.origin[Dr. Web], HEUR:Trojan.AndroidOS.Ztorg.a[Kaspersky], Android/Backdoor.A.7 [Avira]


Indicators of Compromise:

The malware makes a network connection to a remote command and control server, with the traffic encrypted using DES-CBC. It makes HTTP requests to download other malicious Android packages, which are then installed on the infected device. Some of the command and control servers contacted by the malware are given below:

Command and control server:

  • bbs.tihalf.com
  • XXX.hdyfhpoi.com
  • alla.tihalf.com


Malware Hash

  • sha256: 2c546ad7f102f2f345f30f556b8d8162bd365a7f1a52967fce906d46a2b0dac4
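As an added example (not part of the original advisory), the following script turns the indicators above into a simple detection check: it scans DNS/proxy log lines for contacts to the listed C2 hosts and compares file hashes against the listed SHA-256. The log format (timestamp, client IP, host) and the log lines are constructed for the example. Because the advisory gives the second C2 host only as "XXX.hdyfhpoi.com" (an unspecified subdomain), the script treats any host under hdyfhpoi.com as a match; that wildcard interpretation is an assumption of this example.

```python
import hashlib
import re
from typing import List, Tuple

# Indicators taken from the advisory above.
C2_DOMAINS = {"bbs.tihalf.com", "alla.tihalf.com"}
# The advisory lists "XXX.hdyfhpoi.com", i.e. an unspecified subdomain.
# Assumption for this example: treat any host under hdyfhpoi.com as a match.
C2_PARENT_DOMAINS = {"hdyfhpoi.com"}
MALWARE_SHA256 = {
    "2c546ad7f102f2f345f30f556b8d8162bd365a7f1a52967fce906d46a2b0dac4",
}

# Constructed sample log lines in a hypothetical "timestamp client host" format.
SAMPLE_LOG = """\
2019-07-17T10:01:02Z 10.0.0.12 updates.example.org
2019-07-17T10:01:05Z 10.0.0.12 bbs.tihalf.com
2019-07-17T10:02:11Z 10.0.0.33 cdn.hdyfhpoi.com
2019-07-17T10:03:40Z 10.0.0.12 tihalf.com.example.net
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)$")


def host_matches_c2(host: str) -> bool:
    """True if the host is a listed C2 domain or sits under a listed parent domain."""
    host = host.lower().rstrip(".")
    if host in C2_DOMAINS:
        return True
    # Suffix match must be on a label boundary so "xhdyfhpoi.com" is not a hit.
    return any(host == p or host.endswith("." + p) for p in C2_PARENT_DOMAINS)


def find_c2_contacts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, host) for every log line that contacted a C2 host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        if host_matches_c2(m.group("host")):
            hits.append((m.group("ts"), m.group("client"), m.group("host")))
    return hits


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """Compare the SHA-256 of in-memory content against the advisory's hash list."""
    return sha256_of_bytes(data) in MALWARE_SHA256


def is_known_apk_file(path: str) -> bool:
    """Hash a file on disk in chunks (APKs can be large) and check it against the list."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() in MALWARE_SHA256


if __name__ == "__main__":
    for ts, client, host in find_c2_contacts(SAMPLE_LOG):
        print(f"{ts} {client} contacted known C2 host {host}")
```

Running the script on the constructed log flags the two C2 contacts and ignores the look-alike host tihalf.com.example.net; `is_known_apk_file` can be pointed at any downloaded APK to check it against the advisory hash.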


Countermeasures:

  • Do not download and install applications from untrusted sources (offered via unknown websites or links in unscrupulous messages). Install applications downloaded from reputed application markets only.
  • Install and maintain an updated antivirus solution on Android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
  • Prior to downloading/installing apps on Android devices (even from the Google Play Store), always review the app details, number of downloads, user reviews, comments and the "ADDITIONAL INFORMATION" section.
  • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
  • In settings, do not enable installation of apps from "Untrusted Sources".
  • Exercise caution when clicking links, whether on trusted or untrusted sites.
  • Install Android updates and patches as and when they are made available by Android device vendors.
  • Users are advised to use the device encryption or external SD card encryption feature available in most versions of the Android OS.
  • Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • Confirm that the banking app you're using is the official, verified version.
  • If anything looks awry or suddenly unfamiliar, check in with your bank's customer service team.
  • Use two-factor authentication if it's available.
  • Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.
  • Refer to the security best practices for mobile phone users:
    http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf

References: