Tuesday, 21 June 2016

On 02:23 by admin   No comments
Pawost begins its malicious behavior after users install it. As soon as this happens, the app shows a Google Talk icon in the smartphone's notifications area. There's no text with this icon, and the notification is a dead giveaway that something is wrong and you should uninstall the app as soon as possible.

A few minutes later, the app will start making calls to several unknown numbers, using the Google Talk application.

While Pawost makes these calls, the phone's screen is turned off, but the CPU is very well alive and working.

Pawost makes calls to mysterious Chinese phone numbers

The mystery around these phone calls is that they don't go to a valid number. All start with the same sequence: 1-259.

Prepending the +1 US international prefix doesn't connect to a valid number. The area code 259 is not assigned in the US, so for sure, the campaign ain't targeting US users.

Since Pawost was bundled with an Android app with a Chinese interface, Malwarebytes researchers also tried adding the +86 China international prefix.

Their test phone calls connected to valid numbers, but all answered with a busy line. At this point, it was clear the app was targeting Chinese users.

Pawost can also send SMS messages
Security researchers took a closer look at the Pawost malware and said that besides placing these illegal calls, the app also included spyware capabilities.

The malware can collect data such as IMSI codes, IMEI numbers, CCID identifiers, phone numbers, phone version details, and a list of apps installed on the device.

Pawest takes this data, encrypts it, and sends it to a remote server. Furthermore, the trojan can also send SMS messages and block incoming SMS messages. Malwarebytes said they found this latter functionality in the Pawost decompiled source code, but never observed it in their tests.


Post a comment