
Uranico is Loozfon

I recently came across an Android malware sample that does the usual data stealing, i.e. leaking data such as the phone number and contact information from the victim’s phone.

Most vendors name this sample Uranico (Android.Uranico, Trojan:Android/Uranico.A) based on the package name “com.link.uranai”. However, a closer look at the sample led to the realization that it looked a lot like a sample I had seen before, Android/Loozfon.A!tr, and was hence a variant of it.
Hence, we decided to name it Android/Loozfon.B!tr.

What led to this correlation was the unique format in which the victim’s data is sent to the attacker in both cases.
Both samples send the victim’s data in an HTTP POST request with the following parameters:

  • “telNo” : MSISDN/phone number
  • “individualNo” : IMEI
  • “addressBook” : contact name + “##addressName##” + phone number + “##telNo##” + email address + “##mailAddress##” + “##paramPartDivide##” + next contact, and so on

This format for sending contact information seems common between the two samples and unique to them.
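As an added example (my own code, not from the original post or the samples), the parameter layout above can be turned into a small triage helper: it recognizes the Loozfon parameter set in a captured POST body and splits the exfiltrated “addressBook” value back into contacts so responders can scope what was leaked. The separator tokens are taken from the post; the POST body below is constructed, not a real capture.

```python
import re
from urllib.parse import parse_qs, urlencode

# Separator tokens as described in the post, in the order they appear inside
# the "addressBook" POST parameter.
NAME_SEP = "##addressName##"
TEL_SEP = "##telNo##"
MAIL_SEP = "##mailAddress##"
RECORD_SEP = "##paramPartDivide##"

# Parameter names common to both Loozfon variants.
COMMON_PARAMS = {"telNo", "individualNo", "addressBook"}

# One record: name##addressName##phone##telNo##email##mailAddress##
RECORD_RE = re.compile(
    "(.*?)" + re.escape(NAME_SEP) + "(.*?)" + re.escape(TEL_SEP)
    + "(.*?)" + re.escape(MAIL_SEP), re.S)


def parse_address_book(blob):
    """Split an exfiltrated addressBook value into (name, phone, email) tuples.

    Records are joined with ##paramPartDivide##; a trailing separator is
    tolerated. Records that do not match the layout are returned separately
    as 'malformed' so nothing is silently dropped during triage.
    """
    contacts, malformed = [], []
    for record in blob.split(RECORD_SEP):
        if not record:
            continue
        m = RECORD_RE.fullmatch(record)
        (contacts if m else malformed).append(m.groups() if m else record)
    return contacts, malformed


def looks_like_loozfon_post(body):
    """True if a urlencoded POST body carries the Loozfon parameter set and
    its addressBook value uses the family-specific separator tokens."""
    params = parse_qs(body, keep_blank_values=True)
    if not COMMON_PARAMS.issubset(params):
        return False
    book = params["addressBook"][0]
    return all(sep in book for sep in (NAME_SEP, TEL_SEP, MAIL_SEP))


def extract_contacts(body):
    """Decode the body and return (contacts, malformed) from its addressBook."""
    return parse_address_book(parse_qs(body)["addressBook"][0])


# Constructed sample body (placeholder numbers, not a real capture).
SAMPLE_BODY = urlencode({
    "telNo": "09000000000",
    "individualNo": "000000000000000",
    "addressBook": RECORD_SEP.join([
        "Alice" + NAME_SEP + "08000000001" + TEL_SEP + "alice@example.com" + MAIL_SEP,
        "Bob" + NAME_SEP + "08000000002" + TEL_SEP + "bob@example.com" + MAIL_SEP,
    ]) + RECORD_SEP,
})
```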

Further, running androsim on the two samples produces the following results:


Fig1: androsim Result shows fairly high similarity index


Fig2: Identical methods in androsim result

Some differences between the two variants:

                                          Android/Loozfon.A!tr                          Android/Loozfon.B!tr
  Poses as                                Pr0n video app                                “Divination” app
  Package name                            fa.lin.ero                                    com.link.uranai
  Activity performing malicious behaviour StartActivity                                 Answer
  Data sent to                            http://XX.XX.XX.229/appli/addressBookRegist   http://nXXXXX2.com/appli/makeData
  Extra POST parameter                    “appliId” : “3”                               “simSerialNo” : SIM card serial number

In conclusion, we named Uranico as a variant of Loozfon for the following reasons:

  • Both pieces of malware have the same purpose, i.e. stealing the phone number and contact information from the victim’s phone.
  • They have similar class structures, as can be seen in the androsim output in Fig1 and Fig2.
  • The format for sending data to the attackers is exactly the same.
  • Both applications are aimed at Japanese users.
