At the beginning of April, security researchers found that a number of shady Chinese Android stores were pushing apps that masked a piece of malware called TigerBot (ANDROIDOS_TIGERBOT.EVL).
Also known as Spyera, the malicious element was analyzed by Trend Micro experts. They discovered that the malware was controlled by its masters via SMS or phone calls, being capable of performing a number of tasks, including call recording and GPS tracking.
The list of commands accepted by TigerBot includes DEBUG, CHANGE_IAP, PROCESS_LIST_ADD, PROCESS_LIST_DELETE, ACTIVE, and DEACTIVE.
Let’s take a closer look at these commands. First, DEBUG lets the cybercriminals learn the names of the currently running processes and TigerBot’s configuration, and check the network status.
When the malware receives the CHANGE_IAP command, it connects to the network by changing the infected device’s Access Point Name. Depending on whether the action is successful or not, the attacker receives an SMS with the task’s status.
The codes for PROCESS_LIST_ADD and PROCESS_LIST_DELETE don’t seem to be complete, but the keywords are basically designed to manage processes. The processes added to the list are killed every 5 minutes.
The ACTIVE command, as you may suspect, activates TigerBot. When the string is sent, the malicious element sends an HTTP POST containing the phone’s IMEI, app key, timestamp and signature to the backend server.
In order to deactivate TigerBot, a phone call to *#[key] must be placed.
There is another list of SMS commands that can be sent to the malware. For instance, UPLOAD_NETWORKINFO returns GSM and CDMA location. SEND_MSG_TO_TARGET sends an SMS to a certain number with arbitrary content.
If the cybercrooks want to restart the device or take a screenshot, they can use commands such as RESTART_DEVICE and CAPTURE_IMAGE.
Android users who want to verify if a TigerBot infection is present can send a DEBUG command to the phone. To do this, simply take another phone, write "* *" in a text message and send it to the device you want to check. If a list of processes is returned, you are a victim.
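As an added illustration, not code from the article or from Trend Micro's analysis, the Python below scans a constructed SMS log for the control keywords listed above (including the bare "* *" DEBUG probe) and flags outbound replies to any number that issued a command. The pipe-separated log format and the detector itself are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Keywords the article lists for TigerBot's SMS control channel (the article does not claim the list is exhaustive).
TIGERBOT_COMMANDS = (
    "DEBUG", "CHANGE_IAP", "PROCESS_LIST_ADD", "PROCESS_LIST_DELETE", "ACTIVE",
    "DEACTIVE", "UPLOAD_NETWORKINFO", "SEND_MSG_TO_TARGET", "RESTART_DEVICE",
    "CAPTURE_IMAGE",
)
# Word boundaries so ACTIVE does not also fire inside DEACTIVE or INACTIVE in ordinary text.
COMMAND_RE = re.compile(r"\b(" + "|".join(TIGERBOT_COMMANDS) + r")\b")

@dataclass
class SmsEvent:
    timestamp: str
    direction: str  # "IN" (received by the phone) or "OUT" (sent by the phone)
    number: str
    body: str

@dataclass
class Alert:
    event: SmsEvent
    commands: list

def parse_sms_log(text):
    """Parse the assumed log format 'timestamp|direction|number|body'; '#' lines are comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, number, body = line.split("|", 3)
        events.append(SmsEvent(ts, direction, number, body))
    return events

def find_commands(body):
    """Return the TigerBot command keywords present in one SMS body."""
    found = COMMAND_RE.findall(body)
    if body.strip() == "* *":  # the bare DEBUG probe described in the article
        found.append("DEBUG")
    return found

def scan(events):
    """Flag inbound command SMS, and any outbound SMS to a number that previously sent one."""
    alerts, controller_numbers = [], set()
    for e in events:
        cmds = find_commands(e.body)
        if e.direction == "IN" and cmds:
            controller_numbers.add(e.number)
            alerts.append(Alert(e, cmds))
        elif e.direction == "OUT" and e.number in controller_numbers:
            alerts.append(Alert(e, ["reply-to-controller"]))
    return alerts

# Constructed sample log (not real traffic); numbers and timestamps are made up.
SAMPLE_LOG = """\
# timestamp|direction|number|body
2012-04-12T10:15:02|IN|+15550001111|hey, are we still on for lunch?
2012-04-12T10:16:40|IN|+15550009999|* *
2012-04-12T10:16:45|OUT|+15550009999|com.android.phone;com.example.app;...
2012-04-12T10:20:05|IN|+15550009999|CHANGE_IAP internet.example
2012-04-12T10:21:00|IN|+15550002222|INACTIVE account, call me back
2012-04-12T10:25:00|IN|+15550009999|CAPTURE_IMAGE
"""

if __name__ == "__main__":
    for a in scan(parse_sms_log(SAMPLE_LOG)):
        print(a.event.timestamp, a.event.direction, a.event.number, a.commands)
```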